ICS cybersecurity vulnerabilities found in Hitachi Energy, Honeywell, PTC, Sensormatic, Mitsubishi Electric, Fuji Electric, Omron equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published on Tuesday numerous cybersecurity advisories warning the critical infrastructure sector of vulnerabilities in its equipment. The flaws have been identified in four products from Hitachi Energy, three from Honeywell, and one each from Fuji Electric, Omron, PTC, Sensormatic, and Mitsubishi Electric, all typically deployed across critical infrastructure sectors, including energy and critical manufacturing.

CISA warned organizations of inconsistent interpretation of HTTP requests, use after free, classic buffer overflow, integer underflow, improper certificate validation, and observable discrepancy vulnerabilities in Hitachi Energy’s FACTS Control Platform (FCP), which is used globally, primarily in the energy sector. “Successful exploitation of these vulnerabilities may allow an attacker to eavesdrop on the traffic between network source and destination, gain unauthorized access to information, or cause a denial-of-service,” the security agency added in its advisory.

Hitachi Energy reports multiple vulnerabilities in open-source software components used in various FCP product versions, including FCP 1.1.0 – 1.3.0, FCP 2.1.0 – 2.3.0, and FCP 3.0.0 – 3.12.0. It has made updates available for some of these versions to remediate the vulnerabilities.

CISA also disclosed the same classes of vulnerability (inconsistent interpretation of HTTP requests, use after free, classic buffer overflow, integer underflow, improper certificate validation, and observable discrepancy) in various versions of Hitachi Energy’s Gateway Station (GWS). “Successful exploitation of this vulnerability could allow unauthorized users to eavesdrop on the traffic between network source and destination, gain unauthorized access to information, or cause a denial-of-service condition,” it adds.

Multiple vulnerabilities in open-source software components have been found in GWS 2.0.0.0 and earlier, GWS 2.1.0.0, GWS 2.2.0.0, GWS 2.3.0.0, GWS 2.4.0.0, GWS 3.0.0.0, and GWS 3.1.0.0. The company has made updates available for some of the affected product lines to remediate these vulnerabilities.

In the case of Hitachi Energy’s MSM product, CISA warned the global energy sector of a reliance on uncontrolled component vulnerability. The flaw affects MSM version 2.2 and earlier and could allow an attacker to disrupt the functionality of the MSM web interface, steal sensitive user credentials, or cause a denial-of-service condition.

Hitachi Energy advised energy sector operators to physically protect process control systems from unauthorized direct access and to separate process control systems from other networks using a firewall system that opens only the ports required. It added that process control systems should not be used for common internet activities, and that portable computers and removable storage media should be carefully scanned for malicious software before being connected to a control system.

CISA warned the energy sector of an improper input validation vulnerability in Hitachi Energy’s RTU500 series when HCI Modbus TCP is configured and enabled by the project configuration. The flaw could cause an internal buffer overflow, which could reboot the product.

“Because the vulnerability affects only the RTU500 series with HCI Modbus TCP configured and enabled, possible mitigation is to disable the HCI Modbus TCP function if not used. The HCI Modbus TCP is disabled by default,” the advisory adds.
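The mitigation above depends on HCI Modbus TCP actually being off, and a firewall rule or project setting can drift. The following is an added example, not code from Hitachi Energy, CISA or the advisory, of a small check a practitioner could run from the control network to confirm whether a device still answers Modbus TCP: it sends a single benign Read Holding Registers request (function code 3) and classifies the result. It assumes the standard Modbus TCP port 502 and unit ID 1 (both assumptions; RTU500 project settings may differ), and it distinguishes a real Modbus reply (data or exception, either of which means the stack is reachable) from a port that merely accepts connections. Run it only against devices you are authorised to test, during a maintenance window, since the advisory says a crafted Modbus request can reboot the RTU.

```python
import socket
import struct

MODBUS_TCP_PORT = 502          # standard Modbus TCP port (assumption: HCI Modbus TCP uses it)
READ_HOLDING_REGISTERS = 0x03  # Modbus function code 3


def build_read_holding_registers(transaction_id: int, unit_id: int = 1,
                                 start: int = 0, count: int = 1) -> bytes:
    """Build a Modbus TCP request frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU bytes that follow it.
    """
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def classify_response(request: bytes, response: bytes) -> str:
    """Decide whether the bytes received on the port are a real Modbus reply.

    Returns one of:
      "open-silent"      - connection accepted but nothing was sent back
      "modbus-data"      - a well-formed function-3 reply carrying register data
      "modbus-exception" - a well-formed Modbus exception (the stack is reachable)
      "no-modbus"        - something else is listening (banner, garbage, ...)
    """
    if not response:
        return "open-silent"
    if len(response) < 8:          # MBAP (7) + function code (1) is the minimum
        return "no-modbus"
    tid, proto, length, _unit = struct.unpack(">HHHB", response[:7])
    req_tid = struct.unpack(">H", request[:2])[0]
    # Transaction id must echo ours, protocol id must be 0, length must match.
    if proto != 0 or tid != req_tid or length != len(response) - 6:
        return "no-modbus"
    fc = response[7]
    if fc == READ_HOLDING_REGISTERS:
        return "modbus-data"
    if fc == READ_HOLDING_REGISTERS | 0x80:   # exception bit set
        return "modbus-exception"
    return "no-modbus"


def probe_modbus(host: str, port: int = MODBUS_TCP_PORT, timeout: float = 2.0,
                 unit_id: int = 1) -> str:
    """Send one Read Holding Registers request and classify the outcome.

    Besides the classify_response() values this can return:
      "closed"      - TCP port actively refused (what a disabled HCI Modbus TCP should look like)
      "filtered"    - no TCP answer within the timeout (blocked by a firewall, or host down)
      "unreachable" - other socket error (no route, name resolution failure, ...)
    """
    request = build_read_holding_registers(transaction_id=0x1234, unit_id=unit_id)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            try:
                response = sock.recv(260)   # maximum Modbus TCP ADU size
            except socket.timeout:
                return "open-silent"
            return classify_response(request, response)
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys
    # Usage: python modbus_check.py 10.0.0.5 10.0.0.6 (hypothetical RTU addresses)
    for target in sys.argv[1:]:
        print(f"{target}: {probe_modbus(target)}")
```

A result of "modbus-data" or "modbus-exception" means the Modbus stack is reachable and the HCI Modbus TCP function, or a firewall rule in front of it, still needs attention; "closed" or "filtered" is what a correctly disabled or properly segmented device should report.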

CISA disclosed a missing authentication for critical function vulnerability in Honeywell’s ControlEdge and Experion LX equipment, which is deployed across multiple critical infrastructure sectors. The agency also reported cleartext transmission of sensitive information in Honeywell’s Trend Controls IQ Series controllers that use the Inter-Controller (IC) protocol.

The agency is aware of a public report known as ‘OT:ICEFALL’ that details vulnerabilities found in products from multiple operational technology (OT) vendors. CISA said it is “issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.”

Exploiting the ControlEdge vulnerability could allow full control of the device, including remote code execution, denial-of-service, or configuration manipulation, CISA said. Daniel Dos Santos and Jos Wetzels of Forescout Technologies reported the vulnerability. Honeywell has fixed the reported issue, and users are advised to upgrade to version 151.2 or later.

Exploiting the Experion LX vulnerability could allow configuration manipulation and a denial-of-service condition. To mitigate the risk, Honeywell has released Experion LX R520.1, which incorporates secure boot functionality and signed firmware images. In addition, the R501.6, R511.5, and R520 releases have been updated to include secure lock functionality, which blocks all firmware downloads to process controllers while the lock is engaged.

Exploiting the Trend Controls IQ Series vulnerability could allow an attacker to recover authentication information in cleartext by sniffing network traffic, CISA said. Several Trend Controls IQ Series building automation controllers use an Inter-Controller (IC) protocol that transmits a 4-digit authentication PIN in plaintext; in addition, usernames and passwords are transmitted in plaintext on unsupported legacy versions of the controller. An attacker with access to the local OT network could therefore obtain these credentials, the agency added.

Honeywell called upon users with affected and unsupported products to procure and use currently supported hardware through reputable supply channels and to apply product updates as they become available. Organizations should also follow the guidance in the product security manual to isolate the network segments on which building automation controllers reside and to ensure adequate security controls are in place between OT and IT network segments.

Furthermore, they should disable unnecessary accounts and services, restrict system access to authorized personnel only following a least-privilege approach, apply defense-in-depth strategies, and log and monitor network traffic for suspicious activity. For IQ4 Series controllers, Honeywell asked users to ensure that the latest available firmware version is in use.

Out-of-bounds read and write-what-where vulnerabilities have been found in Fuji Electric’s D300win software, which could lead to loss of sensitive data and manipulation of information. The out-of-bounds read could allow an attacker to leak sensitive data from process memory, while the write-what-where condition could allow an attacker to overwrite program memory to manipulate the flow of information.

D300win is a programming support tool; versions before 3.7.1.17 have been identified as vulnerable. Claroty’s Uri Katz reported these vulnerabilities to CISA. Users across multiple critical infrastructure sectors have been advised to upgrade to D300win v3.7.1.17 or later.

CISA warned the global critical manufacturing sector of a ‘use after free’ vulnerability in Omron’s CX-Programmer before v9.78, which could allow an attacker to execute arbitrary code. Opening a specially crafted file could cause the affected product to fail to release its memory reference, potentially resulting in arbitrary code execution, the advisory adds.

xina1i, working with Trend Micro’s Zero Day Initiative, reported this vulnerability to CISA. Users have been asked to update to Omron CX-Programmer v9.78. 

Two vulnerabilities – heap-based buffer overflow and stack-based buffer overflow – have been found in PTC’s Kepware KEPServerEX equipment, which could allow an attacker to crash the device or remotely execute arbitrary code. 

CISA said the vulnerabilities affect Kepware KEPServerEX versions before 6.12, ThingWorx Kepware Server versions before 6.12, all versions of ThingWorx Industrial Connectivity, OPC-Aggregator versions before 6.12, and ThingWorx Kepware Edge versions 1.4 and prior. In addition, some rebranded products, including Rockwell Automation KEPServer Enterprise versions before v6.12, GE Digital Industrial Gateway Server versions before v7.612, and Software Toolbox TOP Server versions before v6.12, are also known to be vulnerable.

Vera Mens, Uri Katz, and Sharon Brizinov of Claroty Research, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to PTC, CISA said. PTC recommends upgrading Kepware KEPServerEX to v6.12 or later, ThingWorx Kepware Server to v6.12 or later, ThingWorx Industrial Connectivity to ThingWorx Kepware Server v6.12 or later, OPC-Aggregator to v6.12 or later, and ThingWorx Kepware Edge to v1.5 or later.

CISA disclosed a command injection vulnerability in all versions of Sensormatic Electronics’ iSTAR Ultra before 6.8.9.CU01, a product used globally, primarily in the critical manufacturing sector. An unauthenticated user could send a malicious request that runs arbitrary commands as the root user, giving the attacker root access to the system, the agency added.

Khoa Hoang reported this vulnerability to Sensormatic Electronics, a subsidiary of Johnson Controls, which in turn reported it to CISA. The company has released iSTAR Ultra version 6.8.9.CU01 to mitigate the vulnerability.

In another advisory, CISA reported infinite loop and OS command injection vulnerabilities across Mitsubishi Electric’s GOT2000-compatible HMI software, CC-Link IE TSN Industrial Managed Switch, and MELSEC iQ-R Series OPC UA Server Module.
