Security patches for products from four major companies were released this week, with calls for the updates to be installed as soon as possible.
- SAP said patches are needed to fix three critical memory corruption vulnerabilities that have affected the Internet Communication Manager (ICM);
- Siemens said its SIMATIC firmware contains three vulnerabilities that could allow an unauthenticated attacker to perform a denial-of-service attack under certain conditions;
- Schneider Electric published six advisories describing 20 vulnerabilities;
- Wordfence said the PHP Everywhere plugin for WordPress has to be updated after it found several remote code execution vulnerabilities in the app.
SAP said it collaborated with Onapsis Research Labs to discover and patch three critical memory corruption vulnerabilities that have affected the Internet Communication Manager (ICM). ICM is a core component of SAP business applications that enables HTTP(S) communications in SAP systems.
The company said it released three patches covering all impacted systems, while Onapsis helped provide a free open-source vulnerability scanner tool so that affected SAP customers can address these issues immediately.
SAP admins should prioritize applying Security Note 3123396 [CVE-2022-22536] to the affected applications immediately. If exploited, these vulnerabilities, also known as “ICMAD,” will enable attackers to carry out serious malicious activity against SAP users, business information and processes.
According to a Siemens security advisory, certain products in its SIMATIC family using programmable logic controllers (PLCs) are affected by the three vulnerabilities. In a blog post, security researcher Gao Jian said the three vulnerabilities have been given the name S7+:Crash. They are currently ranked HIGH, with a CVSS 3.1 score of 7.5. “These vulnerabilities may cause serious consequences, such as remote denial of service for SIMATIC controllers,” he wrote.
He had identified more than the three vulnerabilities; the others are under investigation.
“The three vulnerabilities disclosed this time are critical with wide impact, low exploitation difficulty and high protection difficulty,” he wrote. “Users and companies should be alerted and take necessary measures to avoid industrial production being affected.”
Security researchers at Tenable found the bugs announced by Schneider Electric, including multiple vulnerabilities in its IGSS data server (IGSSdataServer.exe) v15.0.0.21286. Administrators should update to IGSS Data Server version 15.0.0.22021 or higher.
In affected versions, an integer overflow condition exists when IGSSdataServer.exe appends an incoming request to a heap-based buffer that already contains a request, said Tenable. The issue results from the lack of proper validation of user-supplied data before performing memory allocation. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause a heap-based buffer overflow, leading to denial of service and potentially remote code execution, Tenable said.
A second problem is a heap-based buffer over-read memory leak that could result in a denial of service.
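The integer overflow Tenable describes, a length that wraps when a new request is appended to one already buffered, belongs to a bug class that can be shown in a few lines of C together with the validation that prevents it. This is an added illustration, not code from IGSS, Schneider Electric or Tenable; the `reqbuf` structure, the function names and the `REQ_MAX` cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-connection cap; not a value taken from the advisory. */
#define REQ_MAX (1u << 20)

/* Hypothetical accumulator for a request that arrives in several messages. */
struct reqbuf { uint8_t *data; uint32_t used; };

/* The flawed size computation: 32-bit addition wraps, so a very large
 * sender-supplied length produces a small total and an undersized
 * allocation that the subsequent copy would overrun. */
uint32_t unchecked_total(uint32_t used, uint32_t incoming) {
    return used + incoming;
}

/* Hardened append: validate the length before any allocation or copy.
 * Returns 0 on success, -1 if the message is rejected. */
int reqbuf_append(struct reqbuf *b, const uint8_t *msg, uint32_t len) {
    /* Written as a subtraction so the check itself cannot wrap. */
    if (b->used > REQ_MAX || len > REQ_MAX - b->used)
        return -1;
    if (len == 0)
        return 0;
    uint8_t *p = realloc(b->data, (size_t)b->used + len);
    if (p == NULL)
        return -1;              /* b->data is still valid and owned by b */
    memcpy(p + b->used, msg, len);
    b->data = p;
    b->used += len;
    return 0;
}

void reqbuf_free(struct reqbuf *b) {
    free(b->data);
    b->data = NULL;
    b->used = 0;
}
```
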
Wordfence said one of the vulnerabilities it found in PHP Everywhere allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed. A largely rebuilt version of the plugin has been available since January 10th.
According to the PHP Everywhere site, the plugin has been downloaded 30,000 times.
“If you’re using the PHP Everywhere plugin, it is imperative that you upgrade to the newest version, which is 3.0.0 at the time of this writing (February 8), in order to prevent your site from being exploited,” Wordfence researchers said. “Unfortunately version 3.0.0 only supports PHP snippets via the Block editor, so if you are using the Classic Editor you will need to uninstall the plugin and find another solution. You should not continue to run older versions of PHP Everywhere under any circumstances.”