The US Cybersecurity and Infrastructure Safety Company (CISA) printed seven advisories this week protecting vulnerabilities in industrial management techniques (ICS) and supervisory management and information acquisition (SCADA) software program from a number of distributors. A few of the flaws are rated essential and two of them have already got public exploits.
The impacted merchandise embody:
- Scadaflex II controllers made by Industrial Management Hyperlinks
- Display screen Creator Advance 2 and Kostac PLC programming software program from JTEKT Electronics
- Korenix JetWave industrial wi-fi entry factors and communications gateways
- Hitachi Power’s MicroSCADA System Information Supervisor SDM600
- mySCADA myPRO software program
- Rockwell Automation’s FactoryTalk Diagnostics
ScadaFlex II collection controllers are what’s identified within the business as packaged controllers, stand-alone techniques which are constructed with customized software program, processing energy and I/O capabilities for controlling and monitoring different industrial processes. In line with CISA, a number of variations of the software program working on the SC-1 and SC-2 controllers are impacted by a essential vulnerability — CVE-2022-25359 with CVSS rating 9.1 — that would enable unauthenticated attackers to overwrite, delete, or create recordsdata on the system.
The flaw might be exploited remotely and has a low assault complexity. Furthermore, a public proof-of-concept exploit is on the market for it. No patch is on the market as a result of the seller is within the means of closing their enterprise, so these techniques are successfully end-of-life. Homeowners of those belongings can take defensive measures resembling limiting community entry to them, not exposing them on to the web or enterprise networks, putting them behind firewalls, and utilizing safe VPNs for distant entry if wanted.
The Kostac PLC Programming Software program is the engineering software program that is used to handle Kostac programming logic controllers (PLCs) made by Koyo Electronics, a subsidiary of JTEKT Group. The software program works with Kostac SJ Collection, DL05 and DL06 Collection, DL205 Collection, PZ Collection, DL405 and SU Collection, and the SS Collection.
In line with the CISA advisory, the software program has three reminiscence vulnerabilities with a CVSS severity rating of seven.8 0 — CVE-2023-22419, CVE-2023-22421, and CVE-2023-22424. These flaws, two out-of-bound reminiscence reads and a use-after-free can result in info disclosure and arbitrary code execution when processing PLC applications or particularly crafted undertaking recordsdata and feedback. Variations 1.6.10.0 and later of the software program embody patches for these flaws and extra common mitigations to forestall related points.
JTEKT additionally has a display screen recording program known as Display screen Creator Advance 2 that additionally has 5 out-of-bound learn flaws and a use-after-free rated with 7.8 on the CVSS scale. The seller advises customers to replace to variations 0.1.1.4 Build01A and above.
A number of fashions of Korenix JetWave industrial communications gateways are impacted by three command injection and uncontrolled useful resource consumption vulnerabilities rated with 8.8 on the CVSS scale. Exploitation of the command injection flaws — CVE-2023-23294 and CVE-2023-23295 — may give attackers full entry to the working system working on the gadgets, and exploitation of the useful resource consumption problem — CVE-2023-23296 — may end up in a denial-of-service situation. The seller launched patched firmware variations for the impacted fashions.
The mySCADA myPRO HMI and SCADA software program has 5 vulnerabilities by means of which attackers can execute arbitrary instructions on the working system. The issues influence myPRO variations 8.26.0 and prior and are rated with 9.9 out of 10 on the CVSS scale as they’re straightforward to take advantage of remotely and technical particulars concerning the vulnerabilities are already obtainable on the web. The myPRO system is well-liked in a number of fields together with vitality, meals and agriculture, transportation techniques, and water and wastewater techniques. The seller patched the problems in model 8.29.0.
The Hitachi MicroSCADA System Information Supervisor SDM600 is an industrial administration device for energy-related installations and has a number of vulnerabilities that enable unrestricted uploads of recordsdata with harmful sorts, improper authorization of API utilization, improper useful resource shutdown and improper privilege administration. Exploitation of those vulnerabilities, that are additionally rated 9.9 on the CVSS scale, may enable a distant attacker to take management of the product.
Hitachi advises customers of SDM600 variations previous to v1.2 FP3 HF4 (Construct Nr. 1.2.23000.291) to replace to v1.3.0.1339. The corporate additionally printed extra workarounds and common protection suggestions which are included within the CISA advisory.
Rockwell Automation’s FactoryTalk Diagnostic software program is a subsystem of the FactoryTalk Service Platform, a Home windows software program suite that accompanies Rockwell industrial merchandise utilized in many business sectors: meals and agriculture, transportation techniques, and water and wastewater techniques. The software program has a essential information deserialization vulnerability rated with 9.8 on the CVSS scale that may enable a distant unauthenticated attacker to execute arbitrary code with SYSTEM stage privileges. There isn’t any patch obtainable however Rockwell is engaged on an replace to the software program. Within the meantime, the corporate has beneficial a number of compensating controls and defensive steps.
Copyright © 2023 IDG Communications, Inc.
