CISA Warns on Vulnerabilities ICS and SCADA Softwares
The US CISA has published seven advisories last week covering vulnerabilities in ICS and SCADA software from multiple vendors. Some of the flaws are rated critical and two of them already have public exploits.
The impacted products are as below
Scadaflex II controllers made by Industrial Control Links
ScadaFlex II series controllers are the packaged controllers, stand-alone systems that are built with custom software, processing power and I/O capabilities for controlling and monitoring other industrial processes. Multiple versions of the software running on the SC-1 and SC-2 controllers are impacted by a critical vulnerability CVE-2022-25359 with CVSS score 9.1 that could allow unauthenticated attackers to overwrite, delete, or create files on the system.
The flaw can be exploited remotely and has a low attack complexity. A public PoC exploit is available for it. No patch is available because these systems are effectively end-of-life. Owners of these assets can take defensive measures such as restricting network access to them, not exposing them directly to the internet or business networks, placing them behind firewalls, and using secure VPNs for remote access if needed.
Screen Creator Advance 2 and Kostac PLC programming software from JTEKT Electronics
The Kostac PLC Programming Software is the engineering software that’s used to manage Kostac programming logic controllers (PLCs) made by Koyo Electronics, a subsidiary of JTEKT Group. The software works with Kostac SJ Series, DL05 and DL06 Series, DL205 Series, PZ Series, DL405 and SU Series, and the SS Series.
The software has three memory vulnerabilities tracked as CVE-2023-22419, CVE-2023-22421, and CVE-2023-22424 with a CVSS severity score of 7.8 0. These flaws, two out-of-bound memory reads and a use-after-free can lead to information disclosure and arbitrary code execution when processing PLC programs or specifically crafted project files and comments. Versions 18.104.22.168 and later of the software include patches for these flaws and more general mitigations to prevent similar issues.
JTEKT also has a screen recording program called Screen Creator Advance 2 that also has five out-of-bound read flaws and a use-after-free rated with 7.8 on the CVSS scale. The vendor advises users to update to versions 0.1.1.4 Build01A and above.
Korenix JetWave industrial wireless access points and communications gateways
Multiple models of Korenix JetWave industrial communications gateways are impacted by three command injection and uncontrolled resource consumption vulnerabilities Exploitation of the command injection flaws CVE-2023-23294 and CVE-2023-23295 can give attackers full access to the operating system running on the devices, and exploitation of the resource consumption issue CVE-2023-23296 can result in a denial-of-service condition. The vendor released patched firmware versions for the impacted models. All 3 flaws as a CVSS score of 8.8
Hitachi Energy’s MicroSCADA System Data Manager SDM600
The Hitachi MicroSCADA System Data Manager SDM600 is an industrial management tool for energy-related installations and has multiple vulnerabilities that allow unrestricted uploads of files with dangerous types, improper authorization of API usage, improper resource shutdown and improper privilege management. Exploitation of these vulnerabilities, could allow a remote attacker to take control of the product. Hitachi advises users of SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291) to update to v22.214.171.1249.
mySCADA myPRO software
The mySCADA myPRO HMI and SCADA software has five vulnerabilities through which attackers can execute arbitrary commands on the operating system. The flaws impact myPRO versions 8.26.0 and prior and they are easy to exploit remotely and technical details about the vulnerabilities are already available on the internet. The myPRO system is popular in several fields including energy, food and agriculture, transportation systems, and water and wastewater systems. The vendor patched the issues in version 8.29.0.
Rockwell Automation’s FactoryTalk Diagnostics
Rockwell Automation’s FactoryTalk Diagnostic software is a subsystem of the FactoryTalk Service Platform, a Windows software suite that accompanies Rockwell industrial products used in many industry sectors: food and agriculture, transportation systems, and water and wastewater systems. The software has a critical data deserialization vulnerability that can allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges. There’s no patch available but Rockwell is working on an update to the software.