Security Advisory

Siemens Product Family January 2024 Routine Security Update Advisory

  • Jan 09 2024

Overview

 

Siemens(https://www.siemens.com) has released a security update that fixes vulnerabilities in products. Users of affected products are advised to update to the latest version.

 

Affected Products

 

JT2Go below V14.3.0.6

SIMATIC CN 4100 Versions below V2.7

SIMATIC IPC1047E All versions with maxView Storage Manager < V4.14.00.26068 on Windows

SIMATIC IPC647E All versions with maxView Storage Manager < V4.14.00.26068 on Windows

SIMATIC IPC847E All versions with maxView Storage Manager < V4.14.00.26068 on Windows

Solid Edge SE2023 below V223.0 Update 10

Spectrum Power 7 below V23Q4

Teamcenter Visualization below V13.3 V13.3.0.13

Teamcenter Visualization below V14.1 V14.1.0.12

Teamcenter Visualization below V14.2 V14.2.0.9

Teamcenter Visualization below V14.3 V14.3.0.6
 

 

Resolved Vulnerabilities

 

Vulnerability in the default installation of maxview Storage Manager with redfish® server configured for remote system administration due to insufficient validation of input values in maxview Storage Manager, which could provide unauthorized access (CVE-2023-51438, CVSS 10.0) [4]

A possible denial of service vulnerability in SIMATIC CN 4100 before V2.7 due to lack of validation of input values (CVE-2023-49252, CVSS 7.5) [3]

Accessible root account vulnerability due to authentication bypass via user-controlled key in SIMATIC CN 4100 before V2.7 (CVE-2023-49251, CVSS 8.8) [3]

Full control of the affected device with the credentials due to the use of default credentials in SIMATIC CN 4100 before V2.7 (CVE-2023-49621, CVSS 9.8) [3]

Buffer overflow attackable vulnerability due to a heap memory-based buffer overflow in Solid Edge (CVE-2023-49121 and 2 others, CVSS 7.8) [5]

Code Execution Vulnerability Due to Out-of-Bounds Reads in Solid Edge (CVE-2023-49124 and 2 others, CVSS 7.8) [5]

Code Execution Vulnerability in Solid Edge Due to Out-of-Bounds Writes (CVE-2023-49128, CVSS 7.8) [5]

Code execution vulnerability due to a stack-based buffer overflow in Solid Edge (CVE-2023-49129, CVSS 7.8) [5] [5

Code execution vulnerability due to access to an uninitialized pointer during PAR file parsing in Solid Edge (CVE-2023-49130 and 2 others, CVSS 7.8) [5] [5

Accessible vulnerability in Spectrum Power 7 due to incorrect authorization of key resources by the root account (CVE-2023-44120, CVSS 7.8) [2] [2

Code execution vulnerability due to out-of-bounds reads in Teamcenter Visualization and JT2Go (CVE-2023-51439, CVSS 7.8) [1] [1

Code Execution Vulnerability in Teamcenter Visualization and JT2Go due to a stack-based buffer overflow (CVE-2023-51745 and 1 other, CVSS 7.8) [1]

 

Vulnerability Patches

 

The following vulnerability patches or mitigations were provided in the 01/09/2024 update. For more information on vulnerability patches, please check the reference documentation.

JT2Go

V14.3.0.6 and later versions

Teamcenter Visualization V13.3

V13.3.0.13 and later versions

Teamcenter Visualization V14.1

V14.1.0.12 and later versions

Teamcenter Visualization V14.2

V14.2.0.9 and later

Teamcenter Visualization V14.3

V14.3.0.6 and later versions

Spectrum Power 7

V23Q4 and later

SIMATIC CN 4100

V2.7 and later

https://support.industry.siemens.com/cs/ww/en/view/109814144/

SIMATIC IPC647E

MaxView Storage Manager to V4.14.00.26068 and later

https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151- 4i/

SIMATIC IPC847E

MaxView Storage Manager to V4.14.00.26068 and later

https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151- 4i/

SIMATIC IPC1047E

MaxView Storage Manager to V4.14.00.26068 and later

https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151- 4i/

Solid Edge SE2023

V223.0 Update 10 and later

 

Referenced Sites

 

[1] SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

https://cert-portal.siemens.com/productcert/html/ssa-794653.html

[2] SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7

https://cert-portal.siemens.com/productcert/html/ssa-786191.html

[3] SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7

https://cert-portal.siemens.com/productcert/html/ssa-777015.html

[4] SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager

https://cert-portal.siemens.com/productcert/html/ssa-702935.html

[5] SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge

https://cert-portal.siemens.com/productcert/html/ssa-589891.html

Tags:

Previous Post

Next Post