The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published five ICS (industrial control systems) advisories this week and updated one medical advisory, giving the critical infrastructure sector timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The advisories highlight vulnerabilities in equipment and software from Schneider Electric, Hitachi Energy, and Philips (Vue PACS). Users and administrators are urged to examine the latest ICS advisories for detailed technical information and recommended mitigations.

In an advisory, the cybersecurity agency warned that Schneider Electric’s PowerLogic PM5500 and PowerLogic PM8ECC hardware contained ‘weak password recovery mechanism for forgotten password’ and improper authentication. “Successful exploitation of these vulnerabilities could result in an attacker gaining escalated privileges and obtaining control of the device,” it added. 

The affected PowerLogic PM55xx power metering devices and PowerLogic PM8ECC ethernet communication module are the PM5560 versions before v2.7.8; PM5561 versions before v10.7.3; PM5562 v2.5.4 and prior; PM5563 versions before v2.7.8; and all versions of PM8ECC. 

The affected products are deployed across the energy sector. CISA warned that they are vulnerable due to a weak password recovery mechanism, which may allow an attacker to gain unauthorized access and potentially deny service to legitimate system users. This vulnerability has been designated CVE-2021-22763 and has a CVSS v3.1 base score of 8.1 and a CVSS v4 base score of 9.5.

The affected product is vulnerable due to improper authentication, which may provide an attacker with sensitive information or allow an attacker to remotely execute arbitrary code. CVE-2021-22764 has been designated for this vulnerability. It has a CVSS v3.1 base score of 5.3 and a CVSS v4 base score of 6.9.

Jacob Baines of Dragos reported these vulnerabilities to CISA.

Schneider suggested that users consider blocking HTTP access to the device at the firewall or disabling the HTTP web service to reduce exposure. Fixes are available in firmware version 2.8.3 for the PowerLogic PM5560, PM5563, and PM5580; version 10.7.3 for the PowerLogic PM5561; and version 4.3.5 for the PowerLogic PM5562. The PowerLogic PM8ECC has reached end of service and is no longer supported.

In another advisory, CISA warned that Schneider Electric PowerLogic P5 equipment contained ‘use of a broken or risky cryptographic algorithm’ vulnerability, affecting versions 01.500.104 and prior. “If an attacker has physical access to the device, it is possible to reboot the device, cause a denial of service condition, or gain full control of the relay by abusing a specially crafted reset token,” it added.

The affected relays are used across the critical manufacturing sector. CISA noted that the vulnerability could cause a denial of service, a device reboot, or allow an attacker to gain full control of the relay. It stems from the device’s use of a risky cryptographic algorithm and is triggered when a specially crafted reset token is entered on the device’s front panel. CVE-2024-5559 has been assigned to this vulnerability, with a CVSS v3 base score of 6.1.
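Both the PM55xx "weak password recovery mechanism" finding and the P5 reset-token finding come down to the same design question: how a device should mint and check a recovery token so that it cannot be forged, guessed, replayed or reused. The following is an added example written for this article, not Schneider Electric's mechanism or code; the `ResetTokenService` class, the 15-minute lifetime and the device serials are all assumptions. It builds each token from a CSPRNG nonce plus an expiry, binds both to the device with an HMAC-SHA256 tag under a server-side secret, compares tags in constant time, and records consumed nonces so a captured token cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical lifetime for a reset token; an added illustration, not a vendor value.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenService:
    """Issues and verifies single-use, expiring password-reset tokens.

    Token layout (plain-text fields separated by '|'):
        <device serial>|<expiry unix time>|<16 random bytes, hex>|<HMAC-SHA256 tag, hex>
    The tag covers the first three fields, so none of them can be altered
    without the server-side secret, and no field is derived from anything
    an observer could predict (serial number, clock, counter).
    """

    def __init__(self, server_secret: bytes):
        if len(server_secret) < 32:
            raise ValueError("use at least 256 bits of secret key material")
        self._secret = server_secret
        self._used_nonces = set()  # replay protection: a nonce is honoured once

    def _tag(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, device_serial: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        expiry = int(now) + TOKEN_TTL_SECONDS
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        payload = f"{device_serial}|{expiry}|{nonce}"
        return f"{payload}|{self._tag(payload)}"

    def verify(self, token: str, expected_serial: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = token.split("|")
        if len(parts) != 4:
            return False, "malformed token"
        serial, expiry_str, nonce, tag = parts
        payload = f"{serial}|{expiry_str}|{nonce}"
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(self._tag(payload), tag):
            return False, "bad authentication tag"
        if serial != expected_serial:
            return False, "token issued for a different device"
        if now > int(expiry_str):
            return False, "token expired"
        if nonce in self._used_nonces:
            return False, "token already used"
        self._used_nonces.add(nonce)  # consume only after every check has passed
        return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough with a fixed clock so the outcome is reproducible.
    svc = ResetTokenService(secrets.token_bytes(32))
    token = svc.issue("P5-000123", now=1000)
    print(svc.verify(token, "P5-000123", now=1100))   # accepted
    print(svc.verify(token, "P5-000123", now=1100))   # rejected: replay
    print(svc.verify(token, "P5-000123", now=10_000)) # rejected: expired
```

The order of checks matters: the tag is verified before any field is trusted, and the nonce is consumed only after the token has passed every test, so a rejected attempt never burns a legitimate user's token.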

Schneider Electric CPCERT reported this vulnerability to CISA. The French company identified specific workarounds and mitigations users can apply to reduce risk: for PowerLogic P5 v01.500.104 and prior, PowerLogic P5 Wave 4.2.3 P5L30 firmware includes a fix for this vulnerability.

Schneider Electric advises implementing robust cybersecurity measures for industrial systems. Key recommendations include placing control and safety system networks, along with remote devices, behind firewalls and isolating them from business networks. Physical security measures should be in place to prevent unauthorized access to industrial control systems, components, and networks. Controllers should be secured in locked cabinets and never left in ‘Program’ mode. 

It also advises that programming software should only be connected to its designated network. All mobile data exchange methods, such as CDs and USB drives, should be scanned before use on isolated networks. Mobile devices that have connected to other networks must be sanitized before accessing safety or control networks. Schneider Electric also emphasizes minimizing network exposure for control systems, ensuring they are not accessible from the Internet. For necessary remote access, secure methods like VPNs should be used, with the understanding that VPNs must be kept up-to-date and are only as secure as the devices they connect to.

CISA also disclosed the presence of improper enforcement of message integrity during transmission in a communication channel, use of hard-coded credentials, and insufficiently protected credentials in Schneider Electric’s EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M340, M580, and M580 Safety PLCs. “Successful exploitation of these vulnerabilities could allow a denial of service, a loss of confidentiality, and threaten the integrity of controllers.”

An improper enforcement of message integrity during transmission in a communication channel vulnerability exists that could cause a denial of service, a loss of confidentiality, and threaten the integrity of controllers through a man-in-the-middle attack. CVE-2023-6408 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated.

The agency also noted that a use of hard-coded credentials vulnerability exists that could allow unauthorized access to a project file protected with an application password when the file is opened with EcoStruxure Control Expert. CVE-2023-6409 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated.

Furthermore, an insufficiently protected credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation. CVE-2023-27975 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated.

Gao Jian, Jianshuang Ding, and Kaikai Yang reported these vulnerabilities to Schneider Electric. The company has identified appropriate remediations and mitigations users can apply to reduce risk.

In another advisory, CISA revealed that Hitachi Energy’s MicroSCADA Pro/X SYS600 equipment contains improper neutralization of special elements in data query logic, improper limitation of a pathname to a restricted directory (Path Traversal), authentication bypass by capture-replay, missing authentication for critical function, and URL redirection to untrusted site (Open Redirect) vulnerabilities. “Successful exploitation of these vulnerabilities could allow an attacker to inject code towards persistent data, manipulate the file system, hijack a session, or engage in phishing attempts against users.”

The affected products are deployed across the critical manufacturing sector; Hitachi Energy PSIRT reported these vulnerabilities to CISA. Hitachi Energy has identified specific workarounds and mitigations users can apply to reduce risk. MicroSCADA X SYS600 users should update to Version 10.6. For CVE-2024-4872 and CVE-2024-3980 on MicroSCADA Pro SYS600, users can apply Patch 9.4 FP2 HF6 (installation of the previous FP2 hotfixes is required before installing HF6).

For the vulnerabilities CVE-2024-4872 and CVE-2024-3980, Hitachi Energy MicroSCADA X SYS600 and Hitachi Energy MicroSCADA Pro SYS600 have implemented general mitigation strategies. Additionally, for CVE-2024-3982, CVE-2024-7940, and CVE-2024-7941, Hitachi Energy MicroSCADA X SYS600 users should adhere to the general mitigation strategies.

Hitachi Energy recommends security practices and firewall configurations to help protect process control networks from attacks that originate from outside the network. These include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed. 

Also, process control systems should not be used for Internet surfing, instant messaging, or receiving emails; portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system; and proper password policies and processes should be followed.

CISA also warned of an improper certificate validation vulnerability in Hitachi Energy’s RTU500 Scripting Interface, which is used in the energy and water and wastewater systems sectors worldwide. “Successful exploitation of this vulnerability could allow attackers to spoof the identity of the service,” the agency added.

Hitachi Energy is aware of a reported vulnerability in the RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a certification authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate, then attackers could be able to spoof the identity of the service.
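The paragraph above describes the client-side check that the advisory says was missing: the client must verify that the presented certificate chains to a trusted CA and that its name matches the service it meant to reach. The code below is an added example for this article, not Hitachi Energy's scripting-interface code; it uses Python's standard `ssl` module to show the weak client configuration beside a hardened one, plus a small audit helper that flags a context which would accept a spoofed service. The `peer_identity` function and the hostnames are assumptions.

```python
import socket
import ssl
from typing import Optional


def insecure_client_context() -> ssl.SSLContext:
    """The pattern the advisory warns about: the client accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain, expiry and issuer are never examined
    return ctx


def hardened_client_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """Validates the chain against a trusted CA and the name against the target host."""
    # Pass the operator's private CA bundle for an RTU fleet; None uses the OS trust store.
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Returns findings for a client context; an empty list means the peer is validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.0/1.1")
    return findings


def peer_identity(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> dict:
    """Connects with `ctx` and returns the validated peer certificate's subject.

    With a hardened context a name or chain mismatch raises ssl.SSLCertVerificationError
    during the handshake. With a CERT_NONE context getpeercert() returns {} because
    nothing was validated, which this function turns into an explicit error.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            if not cert:
                raise ssl.SSLError("peer certificate was not validated by this context")
            return {name: value for entry in cert["subject"] for name, value in entry}


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_client_context(ctx) or "OK")
    # Example call against a hypothetical RTU endpoint (not run here):
    # print(peer_identity("rtu500.example.internal", 443, hardened_client_context()))
```

`ssl.create_default_context()` already enables hostname checking and chain verification; the hardened function restates them so a reviewer can see the intent, and the audit function is what to run in a unit test over any context an application builds, so a later "temporary" `CERT_NONE` does not slip into production unnoticed.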

CVE-2023-1514 has been assigned to this vulnerability and a CVSS v3 base score of 7.4 has been assigned. 

Hitachi Energy has identified specific workarounds and mitigations users can apply to reduce risk. For the RTU500 Scripting interface Version 1.0.1.30, RTU500 Scripting interface Version 1.0.2, RTU500 Scripting interface Version 1.1.1, users can update to RTU500 Scripting interface Version 1.2.1. For all versions of the RTU500 Scripting interface, Hitachi Energy recommends that users follow the ‘Remote Terminal Units Security Deployment Guideline,’ as well as apply appropriate mitigations.

In another advisory, CISA revealed the presence of allocation of resources without limits or throttling and the use of default credentials vulnerabilities in Philips’ Vue PACS equipment. “Successful exploitation of these vulnerabilities could allow an attacker to gain access to the database, which could impact system availability and data integrity or cause a denial-of-service condition.”

The product is deployed across the healthcare and public health sector. The agency noted that attackers can exploit this vulnerability by making numerous requests or sending large amounts of data to the application, leading to resource exhaustion (e.g., memory, CPU), which can cause the application to crash or become unresponsive. This vulnerability does not expose patient data or allow for its modification. It allows an attacker with access to the hospital’s private network, which is protected by security controls (e.g., firewalls, VPNs), to send messages to the server, leading to potential CPU overload and a denial-of-service (DoS) condition. No response is sent back to the attacker, and patient information remains secure.
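The weakness class here, "allocation of resources without limits or throttling", is addressed by bounding both how much a single message may cost and how many messages a single client may send. The following is an added example for this article, not Philips code: a per-client token-bucket throttle and a message-size ceiling applied before any expensive processing, replayed against a constructed burst of requests. The class and function names, the 64 KiB limit, the bucket parameters and the client addresses are all assumptions.

```python
import time
from collections import Counter
from typing import Dict, Tuple

# Hypothetical per-message ceiling; real services size this from their largest legitimate message.
MAX_BODY_BYTES = 64 * 1024


class ClientThrottle:
    """Token bucket per client address: `capacity` burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable so the behaviour can be tested with a fixed clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def handle_request(request: dict, throttle: ClientThrottle) -> str:
    """Cheap checks run first, so an oversized or over-rate message never reaches the parser."""
    if len(request["body"]) > MAX_BODY_BYTES:
        return "rejected: body too large"
    if not throttle.allow(request["client"]):
        return "rejected: rate limited"
    return "accepted"  # only now would the application do real (CPU/memory) work


def simulate_flood() -> Counter:
    """Replays a constructed burst against the limiter and tallies the decisions."""
    clock = {"now": 0.0}
    throttle = ClientThrottle(capacity=5, refill_per_sec=1.0, clock=lambda: clock["now"])
    small = b"x" * 200
    # Constructed traffic: one host floods, another behaves, one message is oversized.
    requests = [{"client": "10.0.0.5", "body": small} for _ in range(20)]
    requests.append({"client": "10.0.0.9", "body": small})
    requests.append({"client": "10.0.0.9", "body": b"x" * (1024 * 1024)})
    outcomes = Counter(handle_request(r, throttle) for r in requests)
    # Three seconds later the flooding host has earned three tokens back and is served again.
    clock["now"] = 3.0
    outcomes[handle_request({"client": "10.0.0.5", "body": small}, throttle)] += 1
    return outcomes


if __name__ == "__main__":
    for decision, count in sorted(simulate_flood().items()):
        print(f"{count:3d}  {decision}")
```

Because the flooding host is throttled by its own bucket, the other workstation's request is still accepted, which is the property that matters in a hospital network: one misbehaving or compromised host must not take the PACS server down for everyone else.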

The vulnerability has been designated as CVE-2021-28165. It has a CVSS v3.1 base score of 6.5, and a CVSS v4 base score of 6.0 has also been determined for this vulnerability.

CISA also mentioned that the product does not require unique and complex passwords to be created during installation. Using Philips’s default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity. The vulnerability has been designated as CVE-2023-40704. It has a CVSS v3.1 base score of 6.8 and a CVSS v4 base score of 5.7.

TAS Health NZ and Camiel van Es reported these vulnerabilities to Philips.

For CVE-2021-28165, Philips recommends configuring the Vue PACS environment per D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter. The Vue PACS version 12.2.8.410 released last October prevents this vulnerability. For CVE-2023-40704, Philips recommends no action is needed due to the low risk of exploitability, but customers can request that Philips update database password(s).
