Summary
Siemens has released security updates to fix multiple vulnerabilities in its products, including 29 with a “high” severity and 4 with a “critical” severity.
Risk
Estimate of impact of the vulnerability on the reference community: High (67.91)
Type
- Privilege Escalation
- Remote Code Execution
- Denial of Service
Affected products and/or versions
- SIMATIC S7-1200 CPU family V4 (incl. SIPLUS variants)
- Opcenter Intelligence
- SIMATIC PCS neo
- TIA Administrator
- Totally Integrated Automation Portal (TIA Portal)
- SIMATIC IPC DiagBase
- SIMATIC IPC DiagMonitor
- APOGEE PXC Series (BACnet)
- APOGEE PXC Series (P2 Ethernet)
- TALON TC Series (BACnet)
- SCALANCE W-700 IEEE 802.11ax family
- SIPROTEC 5 – CP050 Devices
- SIPROTEC 5 – CP150 Devices
- SIPROTEC 5 – CP300 Devices
- SIPROTEC 5 Communication Modules
- Teamcenter
Mitigation Actions
It is recommended to apply the mitigations following the vendor's instructions for each affected product, as given in the security bulletins listed in the References section.
The following are the CVEs for the “high” and “critical” severity vulnerabilities only:
References
https://cert-portal.siemens.com/productcert/html/ssa-769027.html
https://cert-portal.siemens.com/productcert/html/ssa-767615.html
https://cert-portal.siemens.com/productcert/html/ssa-656895.html
https://cert-portal.siemens.com/productcert/html/ssa-615116.html
https://cert-portal.siemens.com/productcert/html/ssa-369369.html
https://cert-portal.siemens.com/productcert/html/ssa-342348.html
https://cert-portal.siemens.com/productcert/html/ssa-246355.html
https://cert-portal.siemens.com/productcert/html/ssa-224824.html
1 This estimate takes into account several parameters, including CVSS, the availability of patches/workarounds and PoCs, and how widespread the affected software/devices are in the reference community.