Monday, November 25, 2024

CISA issues four ICS advisories highlighting hardware vulnerabilities in critical infrastructure equipment


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released four ICS (industrial control systems) advisories providing timely information about current security issues, vulnerabilities, and exploits affecting these environments. The agency disclosed hardware vulnerabilities in equipment from VIMESA, iniNet Solutions, Deep Sea Electronics, and OMNTEC used across the critical infrastructure sector. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

In an advisory released Thursday, CISA disclosed an ‘improper access control’ vulnerability in VIMESA’s VHF/FM Transmitter Blue Plus equipment, which is deployed across the global communications sector. “Successful exploitation of this vulnerability could allow an attacker to perform a Denial-of-Service,” the advisory said.

The VIMESA VHF/FM Transmitter Blue Plus suffers from a denial-of-service (DoS) vulnerability: an unauthenticated attacker can issue an HTTP GET request to the unprotected ‘doreboot’ endpoint and restart the transmitter, interrupting broadcast operations.

CVE-2024-9692 has been assigned to this vulnerability, with a CVSS v3.1 base score of 5.3 and a CVSS v4 base score of 6.9. CISA discovered a public report authored by Gjoko Krstic.

VIMESA has not responded to requests to work with CISA to mitigate this vulnerability. With no vendor fix available, operators are left with network-level controls: keeping the transmitter’s web interface off the internet and restricting which hosts can reach it at all.

In another advisory, the agency identified a ‘path traversal’ vulnerability in iniNet Solutions’ SpiderControl SCADA PC HMI Editor. “Successful exploitation of this vulnerability could allow an attacker to gain remote control of the device,” it said.

When the SpiderControl SCADA PC HMI Editor loads a malicious ‘ems’ project template file constructed by an attacker, it can write files to arbitrary directories. This can be used to overwrite system files and render the system unusable, or to write to startup items and gain remote control.

CVE-2024-10313 has been designated for this vulnerability. It has a CVSS v3.1 base score of 8.0 and a CVSS v4 base score of 8.6.

The product is deployed across Europe’s critical manufacturing sector. The advisory said that elcazator from Elex Feigong Research Institute of Elex CyberSecurity reported this vulnerability to CISA. iniNet Solutions recommends that users update SpiderControl SCADA PC HMI Editor to version 8.24.00.00 to mitigate this vulnerability.
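The path traversal described above is the classic failure of joining an attacker-controlled file name onto a project directory without checking where the result lands. The following is an added example, not iniNet Solutions’ code: the advisory does not describe the ‘ems’ template format, so the template here is a constructed list of (relative name, content) entries, and the directory names are assumptions. It shows where an unchecked join sends each entry and a contained extractor that resolves every destination against the project directory and refuses any that escapes it.

```python
"""Contain file writes driven by entries in an untrusted project template.

Added example, not iniNet Solutions' code.  The advisory does not describe
the 'ems' template format, so the template here is a constructed list of
(relative_name, content) entries.  naive_destinations() shows where an
unchecked join puts each entry; extract_safe() resolves every destination
against the project directory and refuses any that lands outside it.
"""
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious template: the third entry climbs out of
# the project directory toward a startup folder, the fourth is absolute.
TEMPLATE_ENTRIES = [
    ("pages/main.html", "<h1>Pump 1</h1>"),
    ("scripts/init.js", "start();"),
    ("../../Start Menu/Programs/Startup/evil.bat", "start calc.exe"),
    ("/etc/cron.d/evil", "* * * * * root /tmp/x"),
]


class TraversalError(ValueError):
    """Raised for a template entry that would write outside the project directory."""


def naive_destinations(base, entries):
    """Where a plain path join sends each entry.  Computes only; never writes."""
    base = Path(base)
    # Path joining discards `base` entirely for an absolute name, and resolve()
    # collapses the '..' components, so the last two entries land outside.
    return [str((base / name).resolve()) for name, _ in entries]


def resolve_inside(base, name):
    """Return the absolute destination for `name` under `base`, or raise."""
    if Path(name).is_absolute():
        raise TraversalError(f"absolute path rejected: {name!r}")
    base_r = Path(base).resolve()
    target = (base_r / name).resolve()      # follows symlinks, collapses '..'
    if target == base_r or os.path.commonpath([str(base_r), str(target)]) != str(base_r):
        raise TraversalError(f"escapes project directory: {name!r}")
    return target


def extract_safe(base, entries):
    """Write the accepted entries under `base`; return (written, rejected) lists."""
    written, rejected = [], []
    for name, content in entries:
        try:
            dest = resolve_inside(base, name)
        except TraversalError as exc:
            rejected.append((name, str(exc)))
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content)
        written.append(str(dest))
    return written, rejected


def run_demo():
    """Extract the sample template into a scratch directory and summarise the outcome."""
    with tempfile.TemporaryDirectory() as scratch:
        project = Path(scratch) / "proj"
        project.mkdir()
        written, rejected = extract_safe(project, TEMPLATE_ENTRIES)
        root = str(project.resolve())
        return {
            "written": len(written),
            "rejected": len(rejected),
            "all_inside": all(os.path.commonpath([root, w]) == root for w in written),
            "main_html": (project / "pages" / "main.html").read_text(),
            "rejected_names": [n for n, _ in rejected],
        }


if __name__ == "__main__":
    names = [n for n, _ in TEMPLATE_ENTRIES]
    for name, dest in zip(names, naive_destinations("/opt/spidercontrol/proj", TEMPLATE_ENTRIES)):
        print(f"naive  {name!r:48} -> {dest}")
    print(run_demo())
```

The check is done on the resolved path rather than on the string, so a template that hides the escape behind a symlink or behind `a/../../b` is caught the same way as a plain `../`; rejecting absolute names up front matters because `Path(base) / "/etc/x"` silently discards `base`.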

In another advisory, CISA disclosed that Deep Sea Electronics’ DSE855 Ethernet communications device contained a ‘missing authentication for critical function’ vulnerability. “Successful exploitation of this vulnerability could allow an attacker to access stored credentials,” it said.

Used globally across the energy sector, the Deep Sea Electronics DSE855 is vulnerable to configuration disclosure when a direct object reference is made to the Backup.bin file using an HTTP GET request; the response is served without authentication and exposes the device configuration, including the stored credentials.
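The VIMESA ‘doreboot’ flaw and the DSE855 Backup.bin flaw share one shape: a sensitive endpoint answers a plain HTTP GET with no credentials, so the only evidence an operator gets is the request itself. The following is an added example, not CISA’s or either vendor’s code, of turning that into a detection. It assumes the device web interfaces sit behind a reverse proxy or a span-port sensor that records Common Log Format lines, that a single operator subnet (10.50.0.0/24, assumed) is the only legitimate source, and, because the advisories do not give the full URL on each device, matches the last path component case-insensitively. The log lines are constructed for the example.

```python
"""Flag HTTP GETs to the unauthenticated endpoints named in the VIMESA
(doreboot, CVE-2024-9692) and Deep Sea Electronics (Backup.bin, CVE-2024-5947)
advisories.  Added example, not CISA's or either vendor's code.

Assumptions: the device web interfaces sit behind a reverse proxy or a
span-port sensor that writes Common Log Format lines; only one operator
subnet is ever allowed to talk to them; the exact URL prefix on each device
is unknown, so matching is on the last path component, case-insensitively.
"""
import ipaddress
import re

# Endpoint -> what a hit means, from the advisories.
SENSITIVE_ENDPOINTS = {
    "doreboot": "VIMESA Blue Plus reboot without authentication (CVE-2024-9692)",
    "backup.bin": "DSE855 configuration and credential disclosure (CVE-2024-5947)",
}

# Assumed operator subnet; everything else is treated as untrusted.
TRUSTED_NET = ipaddress.ip_network("10.50.0.0/24")

# Common Log Format: host ident authuser [timestamp] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: two hits from outside the operator subnet, two from
# inside it, plus ordinary traffic and one unparseable line that must not alert.
SAMPLE_LOG = """\
10.50.0.7 - operator [25/Nov/2024:09:12:01 +0000] "GET /status HTTP/1.1" 200 512
203.0.113.45 - - [25/Nov/2024:09:12:44 +0000] "GET /doreboot HTTP/1.1" 200 0
10.50.0.7 - operator [25/Nov/2024:09:13:10 +0000] "POST /config HTTP/1.1" 200 128
198.51.100.9 - - [25/Nov/2024:09:15:03 +0000] "GET /Backup.bin HTTP/1.1" 200 40960
10.50.0.9 - - [25/Nov/2024:09:16:30 +0000] "GET /cgi/backup.bin?x=1 HTTP/1.1" 200 40960
10.50.0.7 - admin [25/Nov/2024:09:17:00 +0000] "GET /doreboot HTTP/1.1" 200 0
garbage line that does not parse
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable lines."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip the query string, then keep the last path component in lower case.
    rec["endpoint"] = rec["path"].split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return an alert dict for a sensitive GET, or None if the request is benign."""
    reason = SENSITIVE_ENDPOINTS.get(rec["endpoint"])
    if reason is None or rec["method"] != "GET":
        return None
    try:
        outside = ipaddress.ip_address(rec["src"]) not in TRUSTED_NET
    except ValueError:          # a hostname instead of an address: do not trust it
        outside = True
    # The endpoints need no credentials, so any 2xx means the action happened.
    # Outside sources are the emergency; inside ones still need a human look,
    # because the device itself cannot tell an operator from a compromised host.
    return {
        "ts": rec["ts"], "src": rec["src"], "endpoint": rec["endpoint"],
        "succeeded": 200 <= rec["status"] < 300,
        "severity": "high" if outside else "medium", "reason": reason,
    }


def scan(log_text):
    """Run the classifier over a block of log text and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ts"]} {a["src"]:15} {a["endpoint"]:10} {a["reason"]}')
```

Because neither endpoint checks credentials, a hit from inside the operator subnet is still worth a ticket: a reboot or a configuration dump that no operator remembers requesting is exactly what a compromised engineering workstation looks like. The same proxy that produces these logs is also the natural place to block the requests outright while the VIMESA device has no fix.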

CVE-2024-5947 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.5 and a CVSS v4 base score of 7.1. CISA discovered a public report authored by Gjoko Krstic.

Deep Sea Electronics recommends that users update DSE855 to version 1.2.0.

CISA also revealed that OMNTEC’s Proteus Tank Monitoring hardware contained a ‘missing authentication for critical function’ vulnerability. “Successful exploitation of this vulnerability could allow an attacker to perform administrative actions without proper authentication,” the advisory said.

The affected product is deployed across the global critical manufacturing sector; CISA did not publish further technical detail on how the authentication check is bypassed.

CVE-2024-6981 has been assigned to this vulnerability, with a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3. Pedro Umbelino of Bitsight reported this vulnerability to CISA.

OMNTEC reports the vulnerability affects a legacy OMNTEC product, Generation 3.0 of OEL8000III K/X ATGs. Generations 3.5 and 4.0 of the OMNTEC Proteus OEL8000III K/X ATGs are not subject to the reported vulnerability.

OMNTEC has identified a workaround that reduces the risk: update Generation 3.0 systems to Generation 3.5 or higher. Users interested in upgrading their Generation 3.0 systems should contact OMNTEC or an authorized service provider.

CISA recommends that asset owners and operators take defensive measures to minimize the risk of exploitation of these vulnerabilities: minimize network exposure for all control system devices and systems and ensure they are not accessible from the internet; place control system networks and remote devices behind firewalls and isolate them from business networks; and, when remote access is required, use more secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities of their own, should be updated to the most current version available, and are only as secure as the devices connected to them.

It also reminds organizations to perform proper impact analysis and risk assessment before deploying defensive measures.
