The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued four advisories concerning industrial control systems (ICS), including one specifically for medical devices and two updates. These advisories aim to provide timely information on current security issues, vulnerabilities, and exploits affecting ICS. Deployed across the critical infrastructure sector, the cybersecurity agency called upon users and administrators to review these newly released ICS advisories for technical details and mitigations.
The agency highlighted hardware vulnerabilities in Hughes Network Systems’ WL3000 Fusion Software equipment and provided updates on vulnerabilities in Mitsubishi Electric’s MELSEC iQ-R, Q, and L Series, as well as the MELSEC iQ-R, iQ-L Series, and MELIPC Series. Additionally, CISA identified vulnerabilities in the Baxter Connex Health Portal hardware.
In an advisory, CISA warned of the presence of insufficiently protected credentials and missing encryption of sensitive data vulnerabilities in Hughes’ WL3000 Fusion Software deployed across the critical infrastructure sector. “Successful exploitation of these vulnerabilities could allow an attacker to obtain read-only access to network configuration information and terminal configuration data,” it added.
Credentials to access device configuration information are stored unencrypted in flash memory. These credentials would allow read-only access to network configuration information and terminal configuration data. A CVE-2024-39278 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been determined, and a CVSS v4 base score of 5.1 has been calculated.
CISA also revealed that credentials to access device configuration were transmitted using an unencrypted protocol. These credentials would allow read-only access to network configuration information and terminal configuration data. A CVE-2024-42495 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been determined, and a CVSS v4 base score of 7.1 has also been calculated.
The advisory noted that Hughes Networks has patched the vulnerabilities, which requires no action by the user.
In another advisory, the CISA warned of the presence of SQL injection and improper access control in Baxter’s Connex Health Portal used across the U.S. healthcare and public health (HPH) sector. “Successful exploitation of these vulnerabilities could lead to malicious code injection, shutdown of database service, or the ability to access, modify, or delete sensitive data from the database,” it added.
Baxter reported these vulnerabilities to CISA.
Due to improper sanitation of values of certain parameters, a remote, unauthenticated attacker could potentially run arbitrary SQL queries, access, modify, and delete sensitive data and/or administrative operations including shutting down the database. The CVE-2024-6795 has been assigned to this vulnerability and a CVSS v3.1 base score of 10.0 has been calculated.
Also, CISA disclosed an improper access control vulnerability in the application that could allow an unauthorized user to access sensitive patient and clinician information, as well as modify or delete clinic details. This vulnerability has been designated as CVE-2024-6796 and has received a CVSS v3.1 base score of 8.2.
The advisory revealed that Baxter is unaware of any exploitation of these vulnerabilities and/or the compromise of personal or health data. No user action is required.
Baxter recommends solutions to reduce risk. These vulnerabilities were patched promptly after discovery and no additional user action is required.
Additionally, CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as minimizing network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet; and locating control system networks and remote devices behind firewalls and isolating them from business networks.
Also, when remote access is required, organizations must use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.