Siemens has published 14 new bulletins and 17 updated bulletins for their Monthly Patches. The highest CVSSv3 score of the new bulletins is 10.
More info.
Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to insecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. CVSSv3 score of 9.9.
More info.
Because the SmartClient installation technology (ClickOnce) requires a customer/integrator to create a customer-specific SmartClient installer, the affected products shipped with a trusted but already expired code-signing certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable, which would then carry a trusted digital signature from a trusted provider. The certificate was revoked immediately. CVSSv3 score of 10.
More info.
Siemens' product portfolio includes Control Center Server (CCS) from PKE. Multiple vulnerabilities exist in CCS, including authentication bypass, path traversal, information disclosure, privilege escalation, SQL injection, XSS, and insufficient logging. Highest CVSSv3 score of 9.9.
More info. And here.
Several Siemens products contain vulnerabilities identified in DNS implementations, also known as the "NAME:WRECK" vulnerabilities. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate DNS responses and cause a DoS or remote code execution. Highest CVSSv3 score of 8.1.
More info. And here. And here.
Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially execute code remotely. CVSSv3 score of 9.8. No patches yet.
More info.
The IPv6 stack of several Siemens products contains two vulnerabilities in the processing of IPv6 headers which could allow an attacker to cause a DoS. CVSSv3 score of 7.5.
More info.
The latest update for SINEMA Remote Connect Server fixes two DoS vulnerabilities in the underlying third-party XML parser. CVSSv3 score of 7.5.
More info.
There are multiple vulnerabilities in the underlying NTP component of Siemens TIM 4R-IE, which is included in SIPLUS NET products. Highest CVSSv3 score of 9.8. No patches, only workarounds.
More info.
SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. CVSSv3 score of 6.5. No patches yet.
More info.