Security Updates

Critical updates from Microsoft, Siemens and other companies will be posted here when they become available. Check back often, as this page will update periodically.

Siemens ProductCERT Updated: 12/08/20

The following new advisories/bulletins have just been published on the Siemens ProductCERT web site [1]:
SSA-415783: Insecure SSL configuration in SICAM A8000 CP-8000, CP-8021 and CP-8022 [2]
SSA-478893: TightVNC Vulnerabilities in Industrial Products [3]
SSA-480824: Multiple Vulnerabilities in LOGO! 8 BM [4]
SSA-541017: Embedded TCP/IP Stack Vulnerabilities (AMNESIA:33) in SIRIUS 3RW5 Modbus TCP and SENTRON PAC Devices [5]
SSA-700697: Denial-of-Service Vulnerability in Web Server of SIMATIC Controllers [6]
SSA-712690: Vulnerabilities in XHQ Operations Intelligence [7]
Additionally, the following advisories / bulletins have just been updated on the Siemens ProductCERT web site [1]:
SSA-087240: Vulnerabilities in SIEMENS LOGO! [8]  Add solution for CVE-2017-12735.
SSA-102144: Code Execution Vulnerability in LOGO! Soft Comfort [9] Added solution
SSA-102233: SegmentSmack in VxWorks-based Industrial Devices [10] 
Updated information regarding successor products for SIMATIC RF180C and RF182C
SSA-181018: Heap Overflow Vulnerability in SCALANCE X switches, RUGGEDCOM Win, RFID 181EIP, and SIMATIC RF182C [11] Informed about successor products for SIMATIC RF182C and RFID 181EIP
SSA-312271: Unquoted Search Path Vulnerabilities in Windows-based Industrial Software Applications [12]  Added solution for SIMATIC S7-1500 Software Controller and SINAMICS STARTER
SSA-381684: Improper Password Protection during Authentication in SIMATIC S7-300 and S7-400 CPUs and Derived Products [13]  Upated the section ACKNOWLEDGMENTS
SSB-439005: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP [14]  Added an initial set of vulnerabilities for V2.8.4, and the following for V2.6.1 and earlier: CVE-2020-25284, CVE-2020-25668, CVE-2020-25705, CVE-2020-27618, CVE-2020-27777
SSA-462066: Vulnerability known as TCP SACK PANIC in Industrial Products [15]
Added solution for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP
SSA-480230: Denial-of-Service in Webserver of Industrial Products [16]
Updated information regarding successor products for SIMATIC RF182C and RFID 181EIP
SSA-534763: Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products [17] Added solution for SIMATIC IPC427E, SIMATIC IPC477E, and SIMATIC IPC477E PRO
SSA-542525: Authentication Vulnerabilities in SIMATIC HMI Products [18]           
Added patch links for SIMATIC HMI Basic (2nd generation), Comfort (including SIPLUS variants) and Mobile Panels
SSA-542701: Vulnerabilities in SIEMENS LOGO! [19]  Add solution for LOGO! 8 BM
SSA-616472: ZombieLoad and Microarchitectural Data Sampling Vulnerabilities in Industrial Products [20] 
Remove wrong MLFB from SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP and Updates for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP
SSA-689942: Denial-of-Service and DLL Hijacking Vulnerabilities in Multiple SIMATIC Software Products [21] Corrected affected version and patch link for SINAMICS STARTER
SSA-712518: Information Disclosure Vulnerability (Kr00k) in Industrial Wi-Fi Products [22] Added solution for SIMOTICS CONNECT 400
SSA-780073: Denial-of-Service Vulnerability in PROFINET Devices via DCE-RPC Packets [23] Added SIMOTION products; Updated information regarding successor products for SIMATIC RF180C and RF182C
SSA-817401: Missing Authentication Vulnerability in SIEMENS LOGO! [24]  Added additional mitigation for LOGO! V8.3
SSA-841348: Multiple Vulnerabilities in the UMC Stack [25]