CISA warns of essential flaws in ICS and SCADA software program from a number of distributors

The US Cybersecurity and Infrastructure Safety Company (CISA) printed seven advisories this week overlaying vulnerabilities in industrial management techniques (ICS) and supervisory management and information acquisition (SCADA) software program from a number of distributors. A number of the flaws are rated essential and two of them have already got public exploits.

The impacted merchandise embody:

  • Scadaflex II controllers made by Industrial Management Hyperlinks
  • Display Creator Advance 2 and Kostac PLC programming software program from JTEKT Electronics
  • Korenix JetWave industrial wi-fi entry factors and communications gateways
  • Hitachi Vitality’s MicroSCADA System Knowledge Supervisor SDM600
  • mySCADA myPRO software program
  • Rockwell Automation’s FactoryTalk Diagnostics

ScadaFlex II sequence controllers are what’s recognized within the trade as packaged controllers, stand-alone techniques which are constructed with customized software program, processing energy and I/O capabilities for controlling and monitoring different industrial processes. According to CISA, a number of variations of the software program operating on the SC-1 and SC-2 controllers are impacted by a essential vulnerability — CVE-2022-25359 with CVSS rating 9.1 — that would enable unauthenticated attackers to overwrite, delete, or create information on the system.

The flaw could be exploited remotely and has a low assault complexity. Furthermore, a public proof-of-concept exploit is obtainable for it. No patch is obtainable as a result of the seller is within the strategy of closing their enterprise, so these techniques are successfully end-of-life. Homeowners of those property can take defensive measures equivalent to proscribing community entry to them, not exposing them on to the web or enterprise networks, putting them behind firewalls, and utilizing safe VPNs for distant entry if wanted.

The Kostac PLC Programming Software program is the engineering software program that is used to handle Kostac programming logic controllers (PLCs) made by Koyo Electronics, a subsidiary of JTEKT Group. The software program works with Kostac SJ Collection, DL05 and DL06 Collection, DL205 Collection, PZ Collection, DL405 and SU Collection, and the SS Collection.

In response to the CISA advisory, the software program has three reminiscence vulnerabilities with a CVSS severity rating of seven.8 0 — CVE-2023-22419, CVE-2023-22421, and CVE-2023-22424. These flaws, two out-of-bound reminiscence reads and a use-after-free can result in info disclosure and arbitrary code execution when processing PLC applications or particularly crafted challenge information and feedback. Variations and later of the software program embody patches for these flaws and extra basic mitigations to stop comparable points.

JTEKT additionally has a display recording program known as Display Creator Advance 2 that also has five out-of-bound read flaws and a use-after-free rated with 7.8 on the CVSS scale. The seller advises customers to replace to variations Build01A and above.

A number of fashions of Korenix JetWave industrial communications gateways are impacted by three command injection and uncontrolled useful resource consumption vulnerabilities rated with 8.8 on the CVSS scale. Exploitation of the command injection flaws — CVE-2023-23294 and CVE-2023-23295 — may give attackers full entry to the working system operating on the units, and exploitation of the useful resource consumption subject — CVE-2023-23296 — may end up in a denial-of-service situation. The seller launched patched firmware variations for the impacted fashions.

The mySCADA myPRO HMI and SCADA software program has five vulnerabilities via which attackers can execute arbitrary instructions on the working system. The issues influence myPRO variations 8.26.0 and prior and are rated with 9.9 out of 10 on the CVSS scale as they’re simple to take advantage of remotely and technical particulars concerning the vulnerabilities are already out there on the web. The myPRO system is in style in a number of fields together with power, meals and agriculture, transportation techniques, and water and wastewater techniques. The seller patched the problems in  model 8.29.0.

The Hitachi MicroSCADA System Knowledge Supervisor SDM600 is an industrial administration device for energy-related installations and has multiple vulnerabilities that enable unrestricted uploads of information with harmful varieties, improper authorization of API utilization, improper useful resource shutdown and improper privilege administration. Exploitation of those vulnerabilities, that are additionally rated 9.9 on the CVSS scale, may enable a distant attacker to take management of the product.

Hitachi advises customers of SDM600 variations previous to v1.2 FP3 HF4 (Construct Nr. 1.2.23000.291) to replace to v1.3.0.1339. The corporate additionally printed extra workarounds and basic protection suggestions which are included within the CISA advisory.

Rockwell Automation’s FactoryTalk Diagnostic software program is a subsystem of the FactoryTalk Service Platform, a Home windows software program suite that accompanies Rockwell industrial merchandise utilized in many trade sectors: meals and agriculture, transportation techniques, and water and wastewater techniques. The software program has a critical data deserialization vulnerability rated with 9.8 on the CVSS scale that may enable a distant unauthenticated attacker to execute arbitrary code with SYSTEM degree privileges. There is no patch out there however Rockwell is engaged on an replace to the software program. Within the meantime, the corporate has beneficial a number of compensating controls and defensive steps.

Copyright © 2023 IDG Communications, Inc.