Siemens and Schneider Electric have issued new advisories as part of their September 2023 Patch Tuesday updates. Siemens has released seven advisories addressing a total of 45 vulnerabilities in its industrial products.
One of these advisories pertains to CVE-2023-3935, a critical flaw in the CodeMeter software licensing and protection technology developed by Wibu Systems. This software is incorporated into several Siemens products such as PSS, SIMATIC, SIMIT, SINEC, and SINEMA. If the CodeMeter Runtime is set up as a server, a remote unauthenticated attacker can exploit this vulnerability to execute arbitrary code. Conversely, if CodeMeter Runtime is configured as a client, an authenticated local attacker can escalate their privileges to root level.
Ten medium- to high-severity vulnerabilities have been identified in QMS Automotive, with potential impacts including session hijacking, malicious file uploads, information exposure, Denial of Service (DoS) attacks, and arbitrary code execution. The RUGGEDCOM APE1808 product family is affected by nearly two dozen medium- to high-severity vulnerabilities related to the BIOS provided by Insyde.
Products such as Parasolid, Teamcenter Visualization, and JT2Go have remote code execution vulnerabilities that can be exploited using specially crafted files. Several SIMATIC and SIPLUS products are vulnerable to an ANSI C OPC UA SDK flaw that could enable an unauthenticated, remote attacker to cause a DoS condition using a specially crafted certificate. Siemens has also alerted customers about the potential impact of the Intel CPU vulnerability named 'Downfall'. The company is in the process of developing fixes for affected SIMATIC industrial PCs.
Schneider Electric, on the other hand, has released only one new advisory. This advisory informs customers about a high-severity vulnerability in its Interactive Graphical SCADA System (IGSS) product. The company describes this flaw as a missing authentication issue, which could 'allow a local attacker to change update source, potentially leading to remote code execution when the attacker forces an update containing malicious content'.