Siemens Patch Authentication Bypass Flaw in Sinamics ICS Software

Siemens has patched a serious remotely exploitable vulnerability in its SINAMICS S/G ICS software that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate.

The vulnerability affects all versions of the Siemens SINAMICS S/G products with firmware versions earlier than 4.6.11. ICS-CERT, a pat of the Department of Homeland Security, said in an advisory that it is not aware of any public exploit attempts against this flaw, but that’s no reason to delay patching. An authentication bypass vulnerability for a product such as SINAMICS S/G, which is used to control the operations of drives in industrial facilities, could be a very useful tool for an attacker.