The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released three advisories concerning Industrial Control Systems (ICS) vulnerabilities, including an update on an earlier alert.
These advisories aim to provide crucial information about existing security issues, Industrial Control Systems vulnerabilities, and their potential exploits.
The Industrial Control Systems vulnerabilities identified in these advisories pose significant risks to the security and functionality of industrial control systems.
Industrial Control Systems vulnerabilities: PiiGAB M-Bus
PiiGAB, a company specializing in process information, has reported multiple vulnerabilities in their M-Bus SoftwarePack 900S.
These vulnerabilities include:
Code injection (CVE-2023-36859)
Improper restriction of authentication attempts (CVE-2023-33868)
Unprotected transport of credentials (CVE-2023-31277)
Use of hard-coded credentials (CVE-2023-35987)
Plaintext storage of passwords (CVE-2023-35765)
Cross-site scripting (CVE-2023-32652)
Weak password requirements (CVE-2023-34995)
Use of weak password hash (CVE-2023-34433)
Cross-site request forgery (CVE-2023-35120)
“Successful exploitation of these vulnerabilities could crash allow an attacker to inject arbitrary commands, steal passwords, or trick valid users into executing malicious commands,” said the CISA alert.
Notably, weak password requirements and the appalling plaintext storage of passwords, combined with the possibility of cross-site request forgery, make the alert a crucial one for PiiGAB M-Bus users.
“Security gaps are created when IT and OT personnel differ in their approach to securing industrial controls,” noted a Check Point advisory on ICS cybersecurity vulnerabilities.
“Different sides should work together to create a unified security policy that protects both IT and OT technology.”
Industrial Control Systems vulnerabilities: ABUS TVIP
ABUS, a vendor of security camera systems, has identified a vulnerability in their ABUS TVIP indoor security camera.
This command injection vulnerability allows remote attackers to execute arbitrary code by exploiting shell metacharacters in a specific field of the camera’s configuration.
“Command injection is a cyber attack that involves executing arbitrary commands on a host operating system (OS),” said an explainer by Imperva.
“Typically, the threat actor injects the commands by exploiting an application vulnerability, such as insufficient input validation.”
“CVE-2023-26609 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated,” said the CISA alert.
The exploitation of this vulnerability can lead to arbitrary file reads or remote code execution. The severity of this vulnerability is rated as moderate, with public exploits available, noted the alert.
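The defensive counterpart to the flaw described above, as an added example that is not code from ABUS or the CISA advisory: a configuration field is checked against an allow-list and handed to a helper program as a single argument, with no shell involved. The field (a server host), the tool path /usr/sbin/timesync and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Assumption: hypothetical helper the device runs with the configured host.
SYNC_TOOL = "/usr/sbin/timesync"

# Characters that can appear in a hostname, IPv4 or IPv6 literal. Checked
# first because ipaddress accepts IPv6 zone IDs ("fe80::1%<anything>").
_CHARSET = re.compile(r"[A-Za-z0-9.:-]+")
# One DNS label: 1-63 chars, alphanumeric at both ends, hyphens inside.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_host(value):
    """Return value if it is an IP address or DNS hostname, else raise.

    Allow-listing rejects shell metacharacters (; | & $ ` quotes, spaces,
    newlines) and a leading '-' that the tool could read as an option.
    """
    if not isinstance(value, str) or not 1 <= len(value) <= 253:
        raise ValueError("host must be a string of 1-253 characters")
    if not _CHARSET.fullmatch(value):
        raise ValueError("host contains characters outside the allow-list")
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    if all(_LABEL.fullmatch(label) for label in value.split(".")):
        return value
    raise ValueError("host is not a valid IP address or hostname")


def is_valid_host(value):
    """Boolean wrapper around validate_host for form or API checks."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def build_sync_argv(host):
    """Argument list for subprocess.run(argv), i.e. without shell=True.

    The weak pattern is os.system("timesync " + host), where a shell parses
    the field. Here the value stays one argument; "--" ends option parsing
    in tools that follow that convention.
    """
    return [SYNC_TOOL, "--", validate_host(host)]
```

Validation and shell-free invocation are independent layers: the argument list alone keeps a shell from interpreting the field, and the allow-list keeps malformed values out of stored configuration.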
ICS vulnerabilities: Mitsubishi Electric MELSEC Series CPU Module
Mitsubishi Electric Corporation has released an update regarding a previously identified vulnerability in their MELSEC Series CPU modules (CVE-2023-1424).
The vulnerability, classified as a classic buffer overflow, was in the cybersecurity news in May when CISA issued an alert about it.
It exists due to inadequate input size checks in the affected modules. Exploitation of this vulnerability can result in a denial-of-service condition or the execution of malicious code.
“Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets,” said the CISA alert.
“The attacker needs to understand the internal structure of products to execute malicious code. Therefore, it is difficult to execute malicious code.”
Mitsubishi Electric reported that this vulnerability affects seven MELSEC Series CPU module components. Mitsubishi Electric has released firmware updates to address this issue.
ICS vulnerabilities: Mitigations and recommendations
In response to these vulnerabilities, the affected vendors have provided specific mitigations and recommended actions to minimize the risk of exploitation.
PiiGAB advised users to install the latest software update for the M-Bus SoftwarePack 900S. ABUS conducted a replacement campaign for affected devices, encouraging users to replace them with newer models.
Mitsubishi Electric recommended updating firmware versions for their MELSEC Series CPU modules.
CISA also offers general defensive measures and best practices to mitigate the risks associated with these vulnerabilities.
These measures include following the least-privilege user principle, setting unique and secure passwords, minimizing network exposure, using secure remote access methods such as VPNs, and performing proper impact analysis and risk assessments before implementing defensive measures.
Additionally, CISA provides control system security recommended practices, technical information papers, and other resources on its ICS webpage to assist organizations in enhancing their cybersecurity posture.