Bulletins | CERT@VDE

SSA-645530 V1.0: TIFF File Parsing Vulnerability in JT2Go and Teamcenter Visualization before V13.1.0.3

Titel

SSA-645530 V1.0: TIFF File Parsing Vulnerability in JT2Go and Teamcenter Visualization before V13.1.0.3

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-645530.pdf

Text

Siemens has released version V13.1.0.3 for JT2Go and Teamcenter Visualization to fix a vulnerability that could be triggered when the products read files in TIFF file format. If a user is tricked to opening of a malicious file with the affected products, this could lead to application crash, or potentially ...

SSA-522654 V1.0: Privilege Escalation Vulnerability in Mendix SAML Module

Titel

SSA-522654 V1.0: Privilege Escalation Vulnerability in Mendix SAML Module

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf

Text

The latest update of Mendix SAML module fixes a privilege escalation vulnerability. Mendix has released an update for the Mendix SAML module and recommends to update to the latest version.

SSA-419820 V1.0: Denial-of-Service Vulnerability in TIM 1531 IRC

Titel

SSA-419820 V1.0: Denial-of-Service Vulnerability in TIM 1531 IRC

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-419820.pdf

Text

The latest update for TIM 1531 IRC fixes a vulnerability that could allow a remote attacker to cause a denial-of-service under certain circumstances. Siemens has released an update for the TIM 1531 IRC and recommends to update to the latest version.

SSA-542525 V1.3 (Last Update: 2021-06-08): Authentication Vulnerabilities in SIMATIC HMI Products

Titel

SSA-542525 V1.3 (Last Update: 2021-06-08): Authentication Vulnerabilities in SIMATIC HMI Products

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-542525.pdf

Text

SIMATIC HMI Products are affected by two vulnerabilities that could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. Siemens has released updates for the affected products and recommends to update to the latest versions. Siemens also suggests following the ...

SSA-534763 V1.5 (Last Update: 2021-06-08): Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products

Titel

SSA-534763 V1.5 (Last Update: 2021-06-08): Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-534763.pdf

Text

Security researchers published information on a vulnerability known as Crosstalk (INTEL-SA-00320). This vulnerability affects modern Intel processors to a varying degree. Several Siemens Industrial Products contain processors that are affected by the vulnerability. Siemens is preparing updates and recommends specific countermeasures until fixes are available.

SSA-211752 V1.0: Multiple NTP-Client Related Vulnerabilities in SIMATIC NET CP 443-1 OPC UA

Titel

SSA-211752 V1.0: Multiple NTP-Client Related Vulnerabilities in SIMATIC NET CP 443-1 OPC UA

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf

Text

All versions of the SIMATIC NET CP 443-1 OPC UA contain multiple vulnerabilities in the underlying third party component NTP. Siemens recommends specific countermeasures for products where updates are not, or not yet available.

SSA-473245 V2.0 (Last Update: 2021-06-08): Denial-of-Service Vulnerability in Profinet Devices

Titel

SSA-473245 V2.0 (Last Update: 2021-06-08): Denial-of-Service Vulnerability in Profinet Devices

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-473245.pdf

Text

A vulnerability in affected devices could allow an attacker to perform a denial-of-service attack if a large amount of specially crafted UDP packets are sent to the device. Siemens has released updates for several affected products, and recommends that customers update to the new version. Siemens is preparing further updates ...

SSA-346262 V3.0 (Last Update: 2021-06-08): Denial-of-Service in Industrial Products

Titel

SSA-346262 V3.0 (Last Update: 2021-06-08): Denial-of-Service in Industrial Products

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-346262.pdf

Text

Several industrial products are affected by a vulnerability that could allow remote attackers to conduct a Denial-of-Service (DoS) attack by sending specially crafted packets to port 161/udp (SNMP). Siemens has released updates for several affected products, and recommends that customers update to the new version. Siemens is preparing further updates ...

SSA-208356 V1.0: DFT File Parsing Vulnerabilities in Solid Edge

Titel

SSA-208356 V1.0: DFT File Parsing Vulnerabilities in Solid Edge

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-208356.pdf

Text

Siemens has released a new version for Solid Edge to fix two vulnerabilities that could be triggered when the application read files in DFT file format. If a user is tricked to opening of a malicious file with the affected products, this could lead to application crash, or potentially arbitrary ...

SSA-678983 V1.1 (Last Update: 2021-06-08): Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020)

Titel

SSA-678983 V1.1 (Last Update: 2021-06-08): Vulnerabilities in Industrial PCs and CNC devices using Intel CPUs (November 2020)

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-678983.pdf

Text

Intel has published information on vulnerabilities in Intel products in November 2020. This advisory lists the Siemens IPC related products, that are affected by these vulnerabilities. In this advisory we take a representative CVE from each advisory: “Intel CSME, SPS, TXE, AMT and DAL Advisory” Intel-SA-00391 is represented by CVE-2020-8745 ...

SSA-574442 V1.1 (Last Update: 2021-06-08): Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge

Titel

SSA-574442 V1.1 (Last Update: 2021-06-08): Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge

Veröffentlicht

8. Juni 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-574442.pdf

Text

Siemens has released a new version for Solid Edge to fix multiple vulnerabilities that could be triggered when the application reads files in different file formats (PAR, DFT extensions). If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and ...

Mai 2021

28.05.2021

SSA-434534 V1.0: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families

Titel

SSA-434534 V1.0: Memory Protection Bypass Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families

Veröffentlicht

28. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf

Text

SIMATIC S7-1200 and S7-1500 CPU products contain a memory protection bypass vulnerability that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. Siemens has released updates for several affected products and strongly recommends to update to the ...

25.05.2021

SSA-119468 V1.0: Luxion KeyShot Vulnerabilities in Solid Edge

Titel

SSA-119468 V1.0: Luxion KeyShot Vulnerabilities in Solid Edge

Veröffentlicht

25. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-119468.pdf

Text

The Solid Edge installation package includes a specific version of the third-party product KeyShot from Luxion, which may not contain the latest security fixes provided by Luxion. Siemens recommends to update KeyShot according to the information in the Luxion Security Advisory LSA-394129.

17.05.2021

SSA-663999 V1.1 (Last Update: 2021-05-17): Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V...

Titel

SSA-663999 V1.1 (Last Update: 2021-05-17): Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.1

Veröffentlicht

17. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf

Text

Siemens has released version V13.1.0.1 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in different file formats (BMP, TIFF, CGM, TGA, PCT, HPG, PLT, RAS, PAR, ASM, DXF, DWG). If a user is tricked to opening of a malicious file ...

17.05.2021

SSA-695540 V1.0: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2

Titel

SSA-695540 V1.0: ASM and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0.2

Veröffentlicht

17. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-695540.pdf

Text

Siemens has released version V13.1.0.2 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in ASM and PAR file formats. If a user is tricked to opening of a malicious file with the affected products, this could lead to application crash, ...

17.05.2021

SSA-622830 V1.2 (Last Update: 2021-05-17): Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V...

Titel

SSA-622830 V1.2 (Last Update: 2021-05-17): Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization before V13.1.0

Veröffentlicht

17. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf

Text

Siemens has released version V13.1.0 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in different file formats (JT, XML, CG4, CGM, PDF, RGB, SGI, TGA, PAR, PCX). If a user is tricked to opening of a malicious file with the ...

SSA-854248 V1.0: Information Disclosure Vulnerability in Mendix Excel Importer Module

Titel

SSA-854248 V1.0: Information Disclosure Vulnerability in Mendix Excel Importer Module

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-854248.pdf

Text

The latest update of Mendix Excel Importer module fixes an infomation disclosure vulnerability. Mendix has released an update for the Mendix Excel Importer module and recommends to update to the latest version.

SSA-676775 V1.0: Denial-of-Service Vulnerability in SIMATIC NET CP 343-1 Devices

Titel

SSA-676775 V1.0: Denial-of-Service Vulnerability in SIMATIC NET CP 343-1 Devices

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-676775.pdf

Text

A vulnerability in SIMATIC CP343-1 devices could allow an attacker to cause a Denial-of-Service condition on TCP port 102 of the affected devices by sending specially crafted packets. Siemens recommends specific countermeasures for products where updates are not, or not yet available.

SSA-594364 V1.0: Denial-of-Service Vulnerability in SNMP Implementation of WinCC Runtime

Titel

SSA-594364 V1.0: Denial-of-Service Vulnerability in SNMP Implementation of WinCC Runtime

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-594364.pdf

Text

A denial-of-service vulnerability in WinCC Runtime could allow an unauthenticated attacker with network access to cause a denial-of-service condition in the SNMP service by sending crafted SNMP packets to port 161/udp. Siemens has released updates for the affected products and recommends to update to the latest versions.

SSA-538778 V1.0: SmartVNC Vulnerabilities in SIMATIC HMI/WinCC Products

Titel

SSA-538778 V1.0: SmartVNC Vulnerabilities in SIMATIC HMI/WinCC Products

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf

Text

Multiple SmartVNC vulnerabilities in the affected products listed below could allow remote code execution and Denial-of-Service attacks under certain conditions. Siemens has released updates for the affected products and recommends to update to the latest version.

SSA-501073 V1.0: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020)

Titel

SSA-501073 V1.0: Vulnerabilities in Controllers CPU 1518 MFP using Intel CPUs (November 2020)

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-501073.pdf

Text

Intel has published information on vulnerabilities in Intel products in November 2020. This advisory lists the Siemens Controllers that are affected by these vulnerabilities. In this advisory we take a representative CVE from each advisory: “Intel CSME, SPS, TXE, AMT and DAL Advisory” Intel-SA-00391 is represented by CVE-2020-8744 “BIOS Advisory” ...

SSA-324955 V1.0: SAD DNS Attack in Linux Based Products

Titel

SSA-324955 V1.0: SAD DNS Attack in Linux Based Products

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-324955.pdf

Text

A vulnerability made public under the name SAD DNS affects Domain Name System resolvers due to a vulnerability in the Linux kernel when handling ICMP packets. The Siemens products which are affected are listed below. For more information please see https://www.saddns.net/. Siemens has released updates for several affected products and ...

SSA-286838 V1.0: Multiple Vulnerabilities in SINAMICS Medium Voltage Products

Titel

SSA-286838 V1.0: Multiple Vulnerabilities in SINAMICS Medium Voltage Products

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf

Text

SINAMICS medium voltage products, with Sm@rtServer enabled on SIMATIC comfort HMI Panels, are affected by multiple vulnerabilities that could allow an attacker, under certain conditions, to gain full remote access to the HMI. Note that by default Sm@rtServer is disabled, but it can be enabled on request by the system ...

SSA-116379 V1.0: Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices

Titel

SSA-116379 V1.0: Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices

Veröffentlicht

11. Mai 2021 02:00

URL

https://cert-portal.siemens.com/productcert/pdf/ssa-116379.pdf

Text

SCALANCE XM-400 and XR-500 devices contain a vulnerability in the OSPF protocol implementation that could allow an unauthenticated remote attacker to create a permanent denial-of-service condition. Siemens has released updates for the affected products and recommends to update to the latest versions.