ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities

The Patch Tuesday advisories for April 2023 from Siemens and Schneider Electric cover a combined 38 vulnerabilities that have been identified in their products.

Industrial giants Siemens and Schneider Electric have each released Patch Tuesday advisories for April 2023 addressing a total of 38 vulnerabilities in their products. This is significantly fewer than the number of security issues addressed in February and March, which was roughly 100. Siemens has published 14 new advisories covering 26 vulnerabilities, while Schneider Electric has released six new advisories covering a dozen vulnerabilities.

The most serious seems to be CVE-2023-28489, a critical vulnerability affecting Siemens’ Sicam A8000 remote terminal units (RTUs). It can allow an unauthenticated attacker to execute arbitrary commands on the targeted device, provided it is configured to allow remote operation, which is disabled by default. Siemens has released patches for this security hole. The company has also informed customers about three high-severity DoS vulnerabilities affecting the web server present in multiple Simatic industrial products.

Schneider Electric’s most important advisory covers two critical and one high-severity vulnerabilities affecting APC and Schneider-branded Easy UPS online monitoring software. Exploitation can lead to remote code execution or a DoS condition. The company has made available patches for most of the flaws and has shared mitigations for the issues it has yet to fix with updates.

Siemens and Schneider Electric have also informed customers about several third-party component vulnerabilities, including critical and/or high-severity bugs in the Wind River VxWorks real-time operating system, the Linux kernel, OPC Foundation Local Discovery Server (LDS), Luxion’s KeyShot, and various libraries. Medium-severity vulnerabilities related to weak encryption and other information-exposure issues have also been addressed by the companies.

Key Points:

  • Siemens and Schneider Electric’s Patch Tuesday advisories for April 2023 address a total of 38 vulnerabilities found in their products.
  • Siemens has published 14 advisories covering 26 vulnerabilities, while Schneider Electric has released six advisories covering a dozen vulnerabilities.
  • The most serious flaw appears to be CVE-2023-28489, a critical vulnerability affecting Sicam A8000 series RTUs.
  • Schneider Electric’s most important advisory covers two critical and one high-severity vulnerabilities affecting APC and Schneider-branded Easy UPS online monitoring software.
  • The companies have also informed customers about several third-party component vulnerabilities, including critical and/or high-severity bugs.
  • Medium-severity vulnerabilities related to weak encryption and other information-exposure issues have also been addressed.
