Siemens SPPA-T3000 (ICSA-19-351-02) – Product Used in the Energy Sector

CISA has published an advisory on improper authentication, cleartext transmission of sensitive information, unrestricted upload of file with dangerous type, heap-based buffer overflow, integer overflow or wraparound, out-of-bounds read, improper access control, stack-based buffer overflow, SFP secondary cluster: missing authentication, deserialization of untrusted data, information exposure, and cleartext transmission of sensitive information vulnerabilities in Siemens SPPA-T3000. All versions of the Application Server and the MS3000 Migration Server are affected. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the server, cause a denial-of-service condition, view and modify passwords, gain root privileges, access sensitive information, and read and write arbitrary files on the local system. Siemens recommends users upgrade SPPA-T3000 Application Server to SPPAT3000 Service Pack R8.2 SP1 to resolve CVE-2019-18331, CVE-2019-18333, and CVE-2019-18334. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.