Bulletins

SIEMENS CERT
05/12/2020

SSA-530931 (Last Update: 2020-05-12): Denial-of-Service in Webserver of Industrial Products

A vulnerability in the affected products could allow an unauthorized attacker with network access to the webserver of an affected device to perform a denial-of-service attack. Siemens has released updates for several affected products, and recommends that customers update to the new version. Siemens is preparing further updates and recommends …
SIEMENS CERT
05/12/2020

SSB-439005 (Last Update: 2020-05-12): Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP

SIEMENS CERT
05/12/2020

SSA-377115 (Last Update: 2020-05-12): SegmentSmack in Linux IP-Stack based Industrial Devices

The latest updates for the affected products fix a vulnerability that could allow remote attackers to affect the availability of the devices under certain conditions. The underlying TCP stack can be forced to make very computation expensive calls for every incoming packet which can lead to a Denial-of-Service. Siemens has …
SIEMENS CERT
05/12/2020

SSA-352504 (Last Update: 2020-05-12): Urgent/11 TCP/IP Stack Vulnerabilities in Siemens Power Meters

Siemens low & high voltage power meters are affected by multiple security vulnerabilities due to the underlying Wind River VxWorks network stack. This stack is affected by eleven vulnerabilities known as the "URGENT/11". The vulnerability could allow an attacker to execute a variety of exploits for the purpose of Denial-of-Service …
SIEMENS CERT
04/14/2020

SSA-377115 (Last Update: 2020-04-14): SegmentSmack in Linux IP-Stack based Industrial Devices

The latest updates for the affected products fix a vulnerability that could allow remote attackers to affect the availability of the devices under certain conditions. The underlying TCP stack can be forced to make very computation expensive calls for every incoming packet which can lead to a Denial-of-Service. Siemens has …
SIEMENS CERT
04/14/2020

SSA-593272 (Last Update: 2020-04-14): SegmentSmack in Interniche IP-Stack based Industrial Devices

A vulnerability exists in affected products that could allow remote attackers to affect the availability of the devices under certain conditions. The underlying TCP stack can be forced to make very computation expensive calls for every incoming packet which can lead to a Denial-of-Service.
SIEMENS CERT
04/14/2020

SSA-886514 (Last Update: 2020-04-14): Persistent XSS Vulnerabilities in the Web Interface of Climatix POL908 and POL909 Modules

The Climatix BACnet/IP (POL908) and AWM (POL909) modules contain two persistent cross-site scripting (XSS) vulnerabilities in the web interface that could allow a remote attacker to execute arbitrary JavaScript code in the context of other users' web sessions. Siemens recommends to update Climatix POL908 and POL909 to the latest version …
SIEMENS CERT
04/14/2020

SSA-270778 (Last Update: 2020-04-14): Denial-of-Service Vulnerability in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC Software

A Denial-of-Service vulnerability was found in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC software when encrypted communication is enabled. The vulnerability could allow an attacker with network access to cause a Denial-of-Service condition under certain circumstances (versions prior to SIMATIC WinCC V7.3 or SIMATIC PCS 7 V8.1 are …