You are here

Home » Cybersecurity

Cybersecurity

Siemens SIMATIC RTLS Locating Manager (ICSA-20-252-01)

CISA has published an advisory on incorrect default permissions and unquoted search path or element vulnerabilities in Siemens SIMATIC RTLC Locating Manager. All versions prior to v2.10.2 are affected. Successful exploitation of this vulnerability could allow a privileged local user to escalate privileges. Siemens recommends that users apply the update of the SIMATIC RTLS Locating Manager. Additionally, it has identified specific workarounds and mitigations users can apply to reduce the risk. CISA also recommends a series of measures to mitigate the vulnerabilities.

Siemens Polarion Subversion Webclient (ICSA-20-252-08) – Product Used in the Energy Sector

CISA has published an advisory on improper neutralization of script-related HTML tags in a web page (basic XSS) and cross-site request forgery (CRSF) vulnerabilities in Siemens Polarion Subversion Webclient. All versions of this product are affected. Successful exploitation of these vulnerabilities where an attacker injects client-side script to induce the victim to issue an HTTP request could lead to a state-changing operation. Siemens has stated that the tool is considered shareware, distributed “as is,” and will be no fix as it is no longer supported.

Siemens SIMATIC HMI Products (ICSA-20-252-06) – Products Used in the Energy Sector

CISA has published an advisory on improper restriction of excessive authentication attempts and authentication bypass by primary weakness vulnerabilities in Siemens SIMATIC HMI. Multiple products and versions of these products are affected. Successful exploitation of these vulnerabilities could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. Siemens is preparing updates and recommends specific countermeasures for products where updates are not yet available.

Siemens Spectrum Power (ICSA-20-252-04) – Products Used in the Energy Sector

CISA has published an advisory on cleartext storage of sensitive information and exposure of information through directory listing vulnerabilities in Siemens Spectrum Power. All versions prior to  v4.70 SP8 are affected. Successful exploitation of these vulnerabilities could allow an unauthorized attacker to retrieve a list of software users, or in certain cases to list the contents of a directory. Siemens has released updates and configuration recommendations for Spectrum Power 4 to mitigate the issues. CISA also recommends a series of measures to mitigate the vulnerabilities.

Siemens SIMATIC, SINAMICS, SINEC, SINEMA, SINUMERIK (Update C) (ICSA-20-161-04) – Products Used in the Water and Wastewater and Energy Sectors

September 8, 2020

CISA has updated this advisory with additional information on affected products and mitigation measures. Read the advisory at CISA.

August 11, 2020

CISA has updated this advisory with additional information on affected products and mitigation measures. Read the advisory at CISA.

Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC, SINEMA (Update B) (ICSA-20-105-05) – Products Used in the Water and Wastewater and Energy Sectors

September 8, 2020

CISA has updated this advisory with additional information on affected products and mitigation measures.  Read the advisory at CISA.

May 12, 2020

CISA has updated this advisory with additional information on the affected products. Read the advisory at CISA.

Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC (Update E) (ICSA-20-042-06) – Products Used in the Water and Wastewater and Energy Sectors

September 8, 2020

CISA has updated this advisory with additional information on affected products and mitigation measures. Read the advisory at CISA.

July 14, 2020

CISA has updated this advisory with additional details on mitigation measures. Read the advisory at CISA.

May 12, 2020

Pages

Subscribe to Cybersecurity