The Cybersecurity and Infrastructure Security Agency (CISA) warned the critical infrastructure sector this week of several vulnerabilities in FATEK Automation's WinProladder programming software and Communication Server. The agency also disclosed security flaws in Emerson WirelessHART Gateway equipment and in Mitsubishi Electric GOT and Tension Controller hardware.
The vulnerabilities found in FATEK Automation WinProladder include out-of-bounds read and write, unexpected sign extension, stack-based buffer overflow, improper restriction of operations within the bounds of a memory buffer, and use after free, CISA said in its advisory on Thursday. Successful exploitation may allow arbitrary code execution, remote code execution, heap corruption, and unauthorized information disclosure, it added.
Natnael Samson and xina1i, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA. FATEK Automation has not responded to requests to work with CISA to mitigate these vulnerabilities.
A stack-based buffer overflow vulnerability was also reported in the Taiwanese company's Communication Server. The affected product lacks proper validation of user-supplied data, which can result in a stack-based buffer overflow and allow an attacker to execute code remotely, CISA said in its Thursday advisory. Affected versions of the Communication Server are 1.13 and prior.
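The failure mode CISA describes, a length taken from the network and trusted when copying into a fixed-size stack buffer, is the classic shape of this bug class. The following is an added illustration written for this article; it is not FATEK's code and the length-prefixed frame format, function names and sample packets are all constructed for the example. The unsafe parser trusts the declared length; the hardened parser bounds it by both the destination buffer and the bytes actually received before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BUF 64

/* Hypothetical wire format (constructed for this example, not FATEK's protocol):
 *   byte 0     : payload length N (0..255)
 *   bytes 1..N : payload
 * The receiver copies the payload into a fixed 64-byte stack buffer. */

/* Vulnerable pattern: the declared length is trusted. A frame with N > 64
 * writes past the end of 'payload' on the stack. Returns N on "success". */
int parse_frame_unsafe(const uint8_t *pkt, size_t pkt_len) {
    uint8_t payload[FRAME_BUF];
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    memcpy(payload, pkt + 1, n);      /* no check of n against sizeof payload or pkt_len */
    return (int)n;
}

/* Hardened pattern: validate the attacker-controlled length against the
 * destination size and against the bytes actually received, then copy.
 * Returns N on success, -2 if N would overflow 'out', -3 if the frame is
 * shorter than it claims. */
int parse_frame_safe(const uint8_t *pkt, size_t pkt_len,
                     uint8_t *out, size_t out_len) {
    if (pkt_len < 1) return -1;
    size_t n = pkt[0];
    if (n > out_len) return -2;       /* would overflow destination buffer */
    if (n > pkt_len - 1) return -3;   /* declared length exceeds received bytes */
    memcpy(out, pkt + 1, n);
    return (int)n;
}

/* Constructed sample frame: 8-byte payload, accepted by both parsers. */
int demo_benign(void) {
    uint8_t pkt[1 + 8] = {8, 'W', 'P', 'L', 0x01, 0x02, 0x03, 0x04, 0x05};
    uint8_t out[FRAME_BUF];
    int u = parse_frame_unsafe(pkt, sizeof pkt);
    int s = parse_frame_safe(pkt, sizeof pkt, out, sizeof out);
    return (u == 8 && s == 8) ? 8 : -1;
}

/* Constructed sample frame: declares 200 payload bytes, far larger than the
 * 64-byte stack buffer. parse_frame_unsafe() would corrupt the stack here,
 * so it is deliberately not called; the hardened parser rejects the frame. */
int demo_oversized(void) {
    uint8_t pkt[1 + 200];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 200;
    uint8_t out[FRAME_BUF];
    return parse_frame_safe(pkt, sizeof pkt, out, sizeof out);
}

/* Constructed sample frame: claims 40 payload bytes but only 4 arrived.
 * The unsafe parser would read past the packet; the hardened one rejects it. */
int demo_truncated(void) {
    uint8_t pkt[1 + 4] = {40, 1, 2, 3, 4};
    uint8_t out[FRAME_BUF];
    return parse_frame_safe(pkt, sizeof pkt, out, sizeof out);
}

int main(void) {
    printf("benign frame    : %d\n", demo_benign());     /* 8  */
    printf("oversized frame : %d\n", demo_oversized());  /* -2 */
    printf("truncated frame : %d\n", demo_truncated());  /* -3 */
    return 0;
}
```

The two checks in the hardened parser are independent: the first protects the destination (the stack buffer), the second protects the source (reading beyond the received datagram). A parser that only does one of them is still exploitable in the other direction.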
Trend Micro’s Samson reported this vulnerability to CISA. In this case too, FATEK Automation did not respond to requests to work with CISA to mitigate this vulnerability.
CISA advised users of the affected equipment to take defensive measures to minimize the risk of exploitation of these vulnerabilities. It recommended reducing network exposure for all control system devices and systems, ensuring they are not reachable from the internet, placing control system networks and remote devices behind firewalls, and isolating them from the business network. When remote access is required, it recommended secure methods such as virtual private networks (VPNs), with the usual caveat that a VPN is only as secure as the devices connected to it and must itself be kept up to date.
Multiple security vulnerabilities were reported in the Emerson WirelessHART gateway, including missing authentication for a critical function, improper input validation, improper limitation of a pathname to a restricted directory, a write-what-where condition, improper neutralization of special elements used in an OS command, and exposure of sensitive information to an unauthorized actor. Exploitation of these vulnerabilities by an authenticated user can grant root-level arbitrary write capability, which can lead to remote code execution.
CISA identified that the affected devices are deployed globally across the chemical, critical manufacturing, dams, energy, food and agriculture, healthcare and public health, transportation systems, and water and wastewater systems sectors. The affected Emerson WirelessHART Gateway network communication devices are all versions of the WirelessHART 1410 Gateway, WirelessHART 1410D Gateway, and WirelessHART 1420 Gateway before v4.7.94.
“Although these vulnerabilities were reported against Emerson’s version 4 WirelessHART gateway, most of the vulnerabilities also affect Emerson’s version 6 gateway,” Emerson said in its advisory.
The issues have been resolved or mitigated in recently released firmware, which can be obtained using the instructions in Emerson's notification. Where the WirelessHART Gateway is isolated from the internet and runs on a well-protected network consistent with industry best practices, the potential risk is significantly lowered. Each user should consider their particular system configuration and circumstances, determine the effect of this potential issue on their application, and take appropriate action, the company added.
Another CISA advisory warned of two more vulnerabilities in Mitsubishi Electric GOT and Tension Controller hardware: improper handling of exceptional conditions and improper input validation. Exploitation of these flaws could allow an attacker to cause a denial-of-service condition by sending specially crafted packets. The Mitsubishi GOT and Tension Controller products are used globally in the critical manufacturing sector.
Mitsubishi Electric plans to release fixed versions of these products in the future. In the meantime it has advised users to minimize the risk of exploitation by using a firewall or VPN to prevent unauthorized access when internet access is required, by operating the products within a LAN and blocking access from untrusted networks and hosts through firewalls, and by using the products' IP filter function to restrict the IP addresses permitted to connect.
Last month, Mitsubishi Electric had disclosed that multiple denial-of-service vulnerabilities exist in the TCP/IP protocol stack of its GOT (Graphic Operation Terminal) and Tension Controller products because of improper handling of exceptional conditions and improper input validation. A remote attacker may use these flaws to cause a DoS condition on the GOT and Tension Controller by sending specially crafted packets.