Bulletins

SIEMENS CERT
10/11/2022

SSB-898115 V1.0: Remarks Regarding SSA-568427 (Weak Key Protection Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families)

SIEMENS CERT
10/11/2022

SSA-552702 V1.0: Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products

The products listed below do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends specific …
SIEMENS CERT
10/11/2022

SSA-501891 V1.0: Cross-Site Scripting Vulnerability in SCALANCE X-200 and X-200IRT Families

There is a cross-site scripting vulnerability that affects the SCALANCE switches. This vulnerability if used by a threat actor could result in the stealing of session cookies and session hijacking. Siemens has released updates for the affected products and recommends to update to the latest versions.
SIEMENS CERT
10/11/2022

SSA-244969 V1.8 (Last Update: 2022-10-11): OpenSSL Vulnerability in Industrial Products

OpenSSL has published a security advisory [0] about a vulnerability in OpenSSL versions 1.1.1 < 1.1.1l and 1.0.2 < 1.0.2za that allows an attacker to cause a denial of service (DoS) or to disclose private memory content. Siemens has released updates for several affected products and recommends to update to …
SIEMENS CERT
10/11/2022

SSA-254054 V1.3 (Last Update: 2022-10-11): Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products

A vulnerability in Spring Framework was disclosed, that could allow remote unauthenticated attackers to execute code on vulnerable systems. The vulnerability is tracked as CVE-2022-22965 and is also known as “Spring4Shell” or “SpringShell”. Siemens has released updates for the affected products and recommends to update to the latest versions.
SIEMENS CERT
10/11/2022

SSA-313313 V1.0: Denial of Service Vulnerability in the FTP Server of Nucleus RTOS

The FTP server of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable …
SIEMENS CERT
10/11/2022

SSA-360783 V1.0: Multiple Webserver Vulnerabilities in Desigo PXM Devices

Desigo PXM devices contain multiple vulnerabilities in the webserver application that could allow an attacker to potentially access sensitive information, execute arbitrary commands, cause a denial of service condition, or perform remote code execution. Siemens has released updates for the affected products and recommends to update to the latest versions.
SIEMENS CERT
10/11/2022

SSA-836027 V1.0: Client-side Authentication in Desigo CC and Cerberus DMS

Desigo CC and Cerberus DMS are based on SIMATIC WinCC OA and implement client-side only authentication for specific parts of their client-server communication. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated, as documented for SIMATIC WinCC OA in SSA-111512 [1]. Siemens recommends …