Critical Level Bugs Reported for Control Systems

I don’t want to worry you, but … we have a problem.

Like it or not, a major outage of power systems could cause large-scale economic and social problems. And so this week it was announced that the Siemens SPPA-T300 Application Server has 54 CVE-listed flaws [here].

At present Siemens does not have a patch for most of these but, fortunately, the server itself tends to be strongly protected behind a firewall. The main risk is thus that malware gets behind the firewall and gains direct access to the Application Server.

The highest-level threat is from exploits that do not need any form of authentication (CVE-2019-18283 and CVE-2019-18284) and are achieved with just a simple crafting of objects.

These have a CVSS score of 9.8 and are critical vulnerabilities. Others rated at 9.8 include many related to Denial of Service attacks.

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
