CISA Urges Critical Infrastructure to Patch Urgent ICS Vulnerabilities

esteria.white

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged critical infrastructure organizations to address vulnerabilities affecting nine industrial control system (ICS) products.

The report, dated January 11, 2024, highlighted a series of high and critical severity vulnerabilities in products widely used in sectors such as energy, manufacturing and transportation.

Users and administrators in these areas are encouraged to review advisories for technical details and mitigation measures.

Rapid Software LLC Rapid SCADA – CVSS 9.6 (Critical)

Seven vulnerabilities affect this Rapid Software product, which is used in the energy and transportation sectors, and they could let bad actors target organizations in a variety of ways.

These include reading sensitive files from the Rapid SCADA server, writing files to the Rapid SCADA directory to execute code, and gaining access to sensitive systems via seemingly legitimate phishing attacks.

CISA said Rapid Software did not respond to its attempts to coordinate. Rapid SCADA users are encouraged to contact Rapid Software and keep their systems up to date.

Horner Automation Cscape – CVSS 7.8 (High)

This stack-based buffer overflow vulnerability affects Cscape 9.90 SP10 and earlier releases, which are used by critical manufacturing companies.

Attack complexity is low, and successful exploitation can allow attackers to execute arbitrary code.

Customers are advised to apply version 9.90 SP11 or the latest version of Cscape software to mitigate this vulnerability.

Schneider Electric Easergy Studio – CVSS 7.8 (High)

This deserialization-of-untrusted-data vulnerability affects Easergy Studio, power relay protection control software used by energy companies around the world, in versions before 9.3.5.

Successful exploitation can allow a malicious actor to take full control of a workstation.

Attack complexity is low; users should apply version 9.3.6, which contains a fix for the vulnerability.

Siemens Teamcenter Visualization and JT2Go – CVSS 7.8 (High)

These four vulnerabilities affect two Siemens products used in the critical manufacturing sector.

They enable out-of-bounds reads, NULL pointer dereferences, and stack-based buffer overflows.

Customers are encouraged to update JT2Go and Teamcenter Visualization products with the latest software to mitigate these risks. Users are also recommended to avoid opening untrusted CGM files in both products.

Siemens Spectrum Power 7 – CVSS 7.8 (High)

Affecting all versions of Spectrum Power 7 prior to V23Q4, this incorrect-permission-assignment-for-a-critical-resource vulnerability could allow an authenticated, local attacker to inject arbitrary code and gain root access. Attack complexity is low.

Critical manufacturing companies using this product are recommended to update to V23Q4 or later to mitigate the risk posed.

Siemens SICAM A8000 – CVSS 6.6 (Medium)

This vulnerability could allow an authenticated, remote attacker to inject commands executed on the device with root privileges during device startup.

It affects the Siemens CP-8031 MASTER MODULE (6MF2803-1AA00) and CP-8050 MASTER MODULE (6MF2805-0AA00) in versions prior to CPCI85 V05.20.

Siemens has informed its critical industrial customers of several workarounds and mitigations that could reduce the risk.

These mitigations include reviewing which users are allowed to change the network configuration and enforcing strong passwords, as well as updating products to CPCI85 V05.20 or later.

Siemens SIMATIC CN 4100 – CVSS 9.8 (Critical)

These three vulnerabilities are remotely exploitable and have low attack complexity.

Affecting versions prior to V2.7, they consist of an authorization bypass through a user-controlled key, improper input validation, and use of default credentials.

Successful exploitation can allow an attacker to log in remotely as root or cause a denial of service of the device.

SIMATIC CN 4100 customers in critical manufacturing should update to version V2.7 or later.

Siemens SIMATIC – CVSS 10 (Critical)

This vulnerability affects several SIMATIC products running maxView Storage Manager on Windows; successful exploitation can allow attackers to gain unauthorized remote access.

Critical manufacturing companies using SIMATIC IPC647E, SIMATIC IPC847E and SIMATIC IPC1047E should update maxView Storage Manager to version V4.14.00.26068 or later to mitigate the risk.

Siemens Solid Edge – CVSS 7.8 (High)

Eleven vulnerabilities affect all versions prior to V223.0 Update 10: heap-based buffer overflow, out-of-bounds write, stack-based buffer overflow, and uninitialized pointer access while parsing specially crafted PAR files.

These vulnerabilities can allow an attacker to execute code in the context of the current process, with low attack complexity.

Siemens urged critical manufacturing customers to update to V223.0 Update 10 or later and to avoid opening untrusted files from unknown sources in Solid Edge.

Essential Cybersecurity Practices for ICS Systems

CISA also provided the following guidance to critical infrastructure organizations using ICS:

  • Keep systems up to date with the latest updates
  • Minimize network exposure for all control system devices
  • Isolate control system networks from corporate networks
  • Use secure methods, such as virtual private networks (VPNs), when remote access is required

CISA added that, as of January 10, 2024, it will no longer update ICS security advisories for vulnerabilities in Siemens products beyond the initial advisory.