Latest News
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Solid Edge SE2024 Vulnerabilities: Heap-based Buffer Overflow, Integer Underflow (Wrap or Wraparound) 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Siemens Solid Edge SE2024 are affected: Solid Edge SE2024: All versions prior to V224.0 3.2 Vulnerability Overview 3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122 The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted ASM files. Thi...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Low Attack Complexity Vendor: Siemens Equipment: Simcenter Femap Vulnerabilities: Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Simcenter Femap V2306: All versions Simcenter Femap V2401: All versions Simcenter Femap V2406: All versions 3.2 Vulnerability Overview 3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122 The affected application is vuln...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Low Attack Complexity Vendor: Siemens Equipment: Siemens Engineering Platforms Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following engineering platforms are affected: SIMATIC STEP 7 Safety V17: All versions SIMATIC STEP 7 Safety V18: All versions SIMATIC S7-PLCSIM V17: All versions SIMATIC WinCC V19: All versions SIMATIC WinCC Unified V16: All versions SIMOTION SCOUT TIA V5.4 SP3: All ...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM ROX II Vulnerability: Cross-Site Request Forgery 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform administrative actions if an authenticated user is tricked into accessing a malicious link. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens that the following products are affected: Siemens RUGGEDCOM ROX RX1500: All versions prior to V2.16.0 Siemens RUGGEDCOM ROX RX1512: All versions prior to V2.16.0 Siemens RUGGEDCOM ROX RX1501: All versions prior to V2.16.0 Siemens RUGGEDCOM ROX MX5000RE: All versions...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Siemens Engineering Platforms Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens SIMATIC STEP 7 Safety V18: All versions Siemens SIMATIC STEP 7 Safety V19: All versions Siemens SIMATIC S7-PLCSIM V18: All versions Siemens SIMOCODE ES V18: All versions Siemens SIMATIC WinCC Unified V17: All versions Siemens SINAMICS Startdrive V18: All versions Siemens SIMATIC STEP 7 V1...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.1 ATTENTION: Low attack complexity Vendor: Siemens Equipment: CPCI85 Central Processing/Communication Vulnerability: Insufficiently Protected Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker with physical access to the device to decrypt the firmware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens CPCI85 Central Processing/Communication: All versions prior to V05.30 3.2 Vulnerability Overview 3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522 The affected devices contain a secure element which is connected via an unencrypted SPI bus...
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Parasolid Vulnerability: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Parasolid V36.1: Versions prior to V36.1.225 Parasolid V37.0: Versions prior to V37.0.173 Parasolid V37.1: Versions prior to V37.1.109 3.2 Vulnerability Overview 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 The affected applications contain an out-of-bounds write vulnerability when parsing specially crafted P...
SaaS services are one of the biggest drivers of OpEx (operating expenses) for modern businesses. With Gartner projecting $247.2 billion in global SaaS spending this year, it’s no wonder SaaS budgets are a big deal in the world of finance and IT. Efficient SaaS utilization can significantly affect both the bottom line and employee productivity. In this article, we’ll break down this topic
Proxy and anonymization networks have been dominating the headlines, this piece discusses its origins and evolution on the threat landscape with specific focus on state sponsored abuse.
# Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4pg-vg54-wxx4. This link is maintained to preserve external references. # Original Description A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.