Siemens patched two vulnerabilities in products commonly found in industrial control system setups this week. If exploited the flaws could allow an attacker to perform administrative actions or gain read access to sensitive data on affected systems.
Siemens patched one issue (.PDF) on Tuesday and the other on Thursday (.PDF) this week. ICS-CERT, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, warned of the flaws on Friday.
The more concerning of the two vulnerabilities garnered a CVSS v3 rating of 9.8 – usually considered critical – and affected versions of the company’s SIMATIC CP equipment. Simatic CPs, or Communication Processors, connect process controllers like Siemens’ SIMATIC S7-400 CPUs to the industrial ethernet. The equipment is usually found in processing plants, environments with packing machines, textile machines, and general manufacturing facilities.
The Berlin-based company is warning an unauthenticated remote attacker could carry out administrative actions due to an improper authentication bug in the CP. The company didn’t get too deep into details around the bug but said it existed in the CP’s Redundant Network Access, or RNA series modules. “If Port 102/TCP is available and the configuration file for the CP is stored on the RNA’s CPU,” according to warning.
All CP 44x-1 RNA versions prior to 1.4.1 – the firmware update Siemens pushed on Tuesday to resolve the flaw – are vulnerable, Siemens cautions.
Siemens also addressed an improper access control vulnerability in XHQ this week. Companies use XHQ, Siemens Operations Intelligence software, to aggregate operational and business data.
Until the vulnerability is fixed by users, a remote user can gain read access to data in XHQ, something that would exceed prescribed permission levels, Siemens says.
Siemens pushed two updates, XHQ V184.108.40.206  and XHQ V220.127.116.11  to fix the issue on Thursday. Any users running versions earlier than V18.104.22.168 and V22.214.171.124 are affected, the company’s security advisory reads.