The U.S. cyber defense agency recently issued two advisories regarding vulnerabilities affecting Industrial Control Systems (ICS).
CVE-2023-38433 was identified in a Fujitsu Limited product, while CVE-2023-39227 and CVE-2023-39227 were found in Softneta. Fortunately, these ICS vulnerabilities reported by CISA in their advisories were not exploited by threat actors.
Products Impacted by the Vulnerabilities in ICS
The advisories by CISA elaborated on the three vulnerabilities found in the following vendor products –
- Real-time video transmission gear of the IP series of Fujitsu Limited.
- MedDream PACS 2.8.810 and prior sold by Softneta.
The vulnerability in Fujitsu Limited products impacted Real-time Video Transmission Gear “IP series” of IP-HE950E: firmware versions V01L001 to V01L053, IP-HE950D of firmware versions V01L001 to V01L053, IP-HE900E of firmware versions V01L001 to V01L010, and IP-HE900D of firmware versions V01L001 to V01L004 among others.
Vulnerabilities in ICS – Fujitsu Limited
CVE-2023-38433 in Fujitsu Limited equipment was assigned a base score of 7.5 by NIST, which maintains the National Vulnerability Database. The vulnerability could allow hackers the Use of Hard-Coded Credentials, noted the ICS advisory by CISA.
“Successful exploitation of this vulnerability could result in an attacker logging into the web interface using the obtained credentials,” CISA mentioned in the advisory.
Such vulnerabilities in ICS can be remotely exploited to reboot the products and terminate the video transmission.
Since these products that are manufactured in Japan, are used by customers worldwide in government and commercial facilities, the reason to update to the latest version is higher.
Fujitsu posted the links to mitigate the risks in the IP Series here – https://www.fujitsu.com/global/products/computing/peripheral/video/download/.
Vulnerabilities in ICS – Softneta MedDream PACS
The vulnerability CVE-2023-40150 in Softneta MedDream PACS is remotely exploitable.
It was assigned a CVSS v3 base score of 9.8 according to the ICS vulnerability advisory by CISA. The Softneta product MedDream PACS is used in the healthcare and public health sector, worldwide.
To avoid falling prey to a cyber attack, Softneta provided updates to v7.2.9.820 were made available for users. They can patch their systems using – Fix-v230712.
The bug in Softneta products could allow hackers to skip authentication process to perform malicious tasks impacting the industrial control systems in the healthcare sector.
Another vulnerability in Softneta – CVE-2023-39227 could give access to login credentials. Addressing this safety hazard, the CISA advisory on ICS vulnerabilities wrote, “The affected product stores usernames and passwords in plaintext.”
“The plaintext storage could be abused by attackers to leak legitimate user’s credentials,” the CISA cybersecurity advisory concluded.
Gaining access to one’s login credentials especially from the healthcare organizations and their clients can lead to catastrophic circumstances.
Hackers can leak patient data, and other critical information, make duplicate health records to get free treatments, insurance claims, create fraudulent ID cards etc.
Mitigation Techniques to Fortify the ICS Cybersecurity Infrastructure
Cyber attacks on Industrial Control Systems can pose a severe threat to data security and the life of personnel handling machinery that must not be remotely manipulated by threat actors.
CISA placed useful steps to be followed to prevent risk by any user or client of the aforementioned products.
- Control the exposure of the network so the control systems are not exposed to all Internet users and are accessed by credible and specific employees only.
- Install firewalls for control systems and keep them detached from business networks.
- While remotely accessing the industrial control systems, choose Virtual Private Networks (VPNs) that are updated.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.