Siemens published several security advisories on Tuesday covering two dozen vulnerabilities in its products. Half of the new vulnerabilities stem from third-party components.
The advisories urge customers to apply patches and updates as soon as Siemens makes them available.
Several of the advisories focus on two AMNESIA:33 vulnerabilities, part of a recently disclosed set of flaws in open-source TCP/IP stacks used in embedded devices. On SENTRON 3VA and PAC Meter products they can be exploited for denial of service (DoS).
Two other advisories describe the impact of NUMBER:JACK, a set of vulnerabilities rooted in weak TCP initial sequence number (ISN) generation in several TCP/IP stacks. Because a predictable ISN lets an attacker spoof or inject into an existing TCP connection, these flaws can allow session hijacking on the SIMATIC MV400 optical readers and on PLUSCONTROL products used by Siemens customers in the energy sector.
In addition, Siemens' SIMATIC NET CM 1542-1 and SCALANCE SC600 devices are affected by a DoS vulnerability in libcurl, a multiprotocol file transfer library.
Five more vulnerabilities affecting Luxion's 3D rendering and animation software KeyShot are the subject of another advisory; they can be exploited for arbitrary code execution.
According to another advisory, the Mendix Forgot Password Appstore module is vulnerable to account takeover.
In the remaining advisories, Siemens addresses a high-severity DoS vulnerability in RUGGEDCOM and SCALANCE devices, high-severity unauthorized access bugs in SINEMA Remote Connect Server, DoS flaws in SIMATIC S7-PLCSIM, and a DoS vulnerability in LOGO! 8 BM.
Siemens has already released updates for some of these vulnerabilities and plans to release the rest in the near future. In other cases, the company has advised customers to apply workarounds and mitigations to reduce the risk of attack until a fix is available.