Siemens Patch Tuesday updates for April 2019 address several serious vulnerabilities, including some DoS flaws in many industrial products.
Siemens has released Patch Tuesday updates that address several serious flaws including some DoS vulnerabilities. Siemens published six new advisories that cover a total of 11 vulnerabilities.
One of the issues addressed by Siemens is a high-severity DoS vulnerability (CVE-2019-6575) that affects some the SIMATIC, SINEC-NMS, SINEMA, SINUMERIK and TeleControl products.
The CVE-2019-6575 vulnerability can be exploited by a remote, unauthenticated attacker to cause a DoS condition in OPC communications component or crash a device by sending it specially crafted network packets on TCP port 4840.
“A vulnerability has been identified in the OPC UA server of several industrial products. The vulnerability could cause a Denial-of-Service condition on the service or the device.” reads the security advisory published by Siemens.
Siemens also fixed another DoS flaw tracked as CVE-2019-6568 that resides in the web server component used by many CP, SIMATIC, SINAMICS, SITOP and TIM industrial products. An unauthenticated attacker could trigger the vulnerability once obtained the network access.
The company also addressed a high-severity DoS vulnerability (CVE-2017-12741) in SIMOCODE pro V EIP that can be exploited remotely by sending specially crafted packets to the targeted application on UDP port 161.
“SIMOCODE pro V EIP is affected by a vulnerability that could allow remote attackers to conduct a Denial-of-Service (DoS) attack by sending specially crafted packets to port 161/udp (SNMP).” reads the advisory published by the company.
Siemens also published security advisories for flaws in RUGGEDCOM ROX II routers, the SINEMA Remote Connect client and server, and Spectrum Power product.
The industrial giant confirmed that it is not aware of any malicious exploits targeting these flaws.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.