CISA discloses hardware vulnerabilities in Delta Electronics, Schneider Electric, Ovarro, Mitsubishi Electric, Medtronic equipment


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released on Thursday nine Industrial Control Systems (ICS) advisories with timely information about current security issues, vulnerabilities, and exploits. These security notices cover vulnerabilities in products from Delta Electronics, Schneider Electric, Ovarro, and Mitsubishi Electric, and an ICS medical advisory covering Medtronic equipment. They also include updates to earlier advisories covering Rockwell Automation, Mitsubishi Electric, and Enphase Installer products.

CISA revealed a deserialization of untrusted data vulnerability in Medtronic’s Paceart Optima System, versions 1.11 and prior, which is used globally in the healthcare and public health sector. “Successful exploitation of this vulnerability could result in remote code execution or a denial-of-service condition impacting a healthcare delivery organization’s Paceart Optima system,” it added.

With a CVSS v3 base score of 9.8, CISA said that if a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform remote code execution and/or denial-of-service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. “Remote code execution could result in the deletion, theft, or modification of Paceart Optima system’s cardiac device data or use of the Paceart Optima system for further network penetration. A DoS attack could cause the Paceart Optima system to slow or be unresponsive,” it added. 

Medtronic said in its advisory that Paceart Optima is a software application running on a healthcare delivery organization’s Windows server. “The application collects, stores, and retrieves cardiac device data from programmers and remote monitoring systems from all major cardiac device manufacturers to aid in standard workflows. The Paceart Optima product consists of multiple components that work together to deliver product functionality. This vulnerability impacts the Application Server component.”

It added that “at this time, Medtronic has not observed any cyberattacks, unauthorized access to or loss of patient data, or harm to patients related to this issue.”

During routine monitoring, Medtronic identified a vulnerability in the optional Paceart Messaging Service within the Paceart Optima system, specifically in that service’s implementation of Microsoft Message Queuing (MSMQ). The Paceart Messaging Service enables healthcare delivery organizations to send fax, email, and pager messages from within the Paceart Optima system. Medtronic reported this vulnerability to CISA.

Medtronic recommends updating the Paceart Optima system to v1.12, CISA said. “Medtronic has provided some immediate mitigations that users can apply to mitigate the risk. If running a combined Application and Integration Server, contact Medtronic Paceart Optima System technical support for immediate mitigation actions.”

CISA identified improper access control and deserialization of untrusted data vulnerabilities in Delta Electronics’ InfraSuite Device Master, versions before 1.0.7. “Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges or remotely execute arbitrary code.”

Versions before 1.0.7 contain a bypass of an earlier InfraSuite Device Master patch that could allow an attacker to retrieve file contents, the advisory added. The same versions contain improper access controls that could allow an attacker to alter privilege management configurations, resulting in privilege escalation, and contain classes that deserialize untrusted data, which could allow an attacker to remotely execute arbitrary code.
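Both the Medtronic and the Delta Electronics findings above come down to the same pattern: a service reconstructs objects from data that an unauthenticated sender controls. The following is an added example written for this article, not code from Medtronic, Delta, or CISA; the queue consumer, the message fields, and the allowed message types are assumed for illustration only. It shows, in Python, that a consumer which unpickles message bodies runs whatever callable the sender encodes, that a JSON consumer with strict schema validation cannot be made to do so, and that a restricted unpickler is the fallback where the wire format cannot be replaced.

```python
import io
import json
import os
import pickle

# Constructed sample of a legitimate notification request as a client might queue it.
LEGIT_MESSAGE = {"type": "fax", "to": "+15551234567", "body": "report attached"}


class Gadget:
    """Attacker-controlled object: unpickling it calls eval() on a string of the
    attacker's choosing. Any importable callable can be placed here, which is why
    pickle.loads() on bytes received from the network is remote code execution."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def vulnerable_consume(raw: bytes):
    """Vulnerable consumer: deserializes whatever bytes arrive on the queue,
    so the sender decides which code runs inside the service's process."""
    return pickle.loads(raw)


# Hypothetical schema for the illustration; not the product's real message format.
ALLOWED_FIELDS = {"type": str, "to": str, "body": str}
ALLOWED_TYPES = {"fax", "email", "pager"}


def hardened_consume(raw: bytes) -> dict:
    """Hardened consumer: a data-only encoding plus strict schema validation.
    Nothing in the payload can name a class or a function."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected or missing fields")
    for field, typ in ALLOWED_FIELDS.items():
        if not isinstance(obj[field], typ):
            raise ValueError(f"field {field!r} has wrong type")
    if obj["type"] not in ALLOWED_TYPES:
        raise ValueError("unknown message type")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Where a pickle-based wire format cannot be replaced, refuse every global
    lookup so that no callable can be reconstructed from the stream at all."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_consume(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def demo():
    """Returns (ran_in_vulnerable, hardened_rejected, restricted_rejected, legit_parsed)."""
    malicious = pickle.dumps(Gadget())
    ran = vulnerable_consume(malicious) == os.getpid()   # eval() executed inside loads()
    try:
        hardened_consume(malicious)
        hardened_rejected = False
    except ValueError:                   # UnicodeDecodeError is a subclass of ValueError
        hardened_rejected = True
    try:
        restricted_consume(malicious)
        restricted_rejected = False
    except pickle.UnpicklingError:
        restricted_rejected = True
    legit = hardened_consume(json.dumps(LEGIT_MESSAGE).encode("utf-8"))
    return ran, hardened_rejected, restricted_rejected, legit


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns the service's own process ID because the payload's eval() ran with the service's privileges; the hardened path never reaches any code the sender named. The same reasoning applies to .NET BinaryFormatter, Java serialization, or any other format that encodes type names alongside data.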

Piotr Bazydlo (@chudypb) of Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA. InfraSuite Device Master is deployed globally in the energy sector. Users should download the most recent version, 1.0.7, of Delta Electronics InfraSuite Device Master.

In another advisory, CISA disclosed the presence of improper control of the generation of code (code injection) vulnerability in Schneider Electric’s EcoStruxure Operator Terminal Expert VXDZ. Exploiting this vulnerability could allow an attacker to execute arbitrary code and gain access to sensitive information on the machine.

With a CVSS v3 base score of 7.8, Schneider Electric EcoStruxure Operator Terminal Expert versions 3.3 SP1 and prior are vulnerable to a code injection attack that could allow an attacker to execute arbitrary code and gain access to all information on the machine, CISA said. Daan Keuper and Thijs Alkemade from Computest, working with Trend Micro’s Zero Day Initiative, reported this vulnerability to CISA.

Schneider Electric released EcoStruxure Operator Terminal Expert v3.4 for users to download. Users should follow appropriate patching methodologies when applying these patches to their systems. “We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure.”

CISA said that Ovarro TBox RTUs (remote terminal units) contained missing authorization, use of broken or risky cryptographic algorithm, inclusion of functionality from untrusted control sphere, insufficient entropy, improper authorization, and plaintext storage of password vulnerabilities. “Successful exploitation of these vulnerabilities could result in sensitive system information being exposed and privilege escalation.”

The advisory identified that the affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents. The RTUs also store passwords hashed with MD5, a broken hash algorithm that does not protect stored passwords against offline guessing. The affected TBox RTUs run OpenVPN with root privileges and can run user-defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges.
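Why an unsalted MD5 digest is not adequate password storage is easiest to see by attacking one. The following added example is mine, not Ovarro's code or file format; the credential store, the passwords, and the guess list are constructed for illustration. It runs a small dictionary attack against unsalted MD5 digests, then the same attack against the hardened alternative (a random per-user salt with the memory-hard scrypt KDF) and reports how much work each costs.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed credential store in the weak pattern: unsalted MD5 digests.
# Illustrative only; this is not Ovarro's actual storage format.
WEAK_STORE: Dict[str, str] = {
    "operator": hashlib.md5(b"tbox2023").hexdigest(),
    "admin": hashlib.md5(b"Winter!2023").hexdigest(),
}

# Constructed guess list; real wordlists run to billions of entries plus mangling rules.
GUESSES = [b"password", b"tbox2023", b"admin", b"Winter!2023", b"rtu"]


def crack_unsalted_md5(store: Dict[str, str], guesses) -> Dict[str, bytes]:
    """One MD5 per guess and a dictionary lookup recovers every matching account
    at once: without a salt, the attacker's work is shared across all users,
    and MD5 itself runs at billions of evaluations per second on a GPU."""
    table = {hashlib.md5(g).hexdigest(): g for g in guesses}
    return {user: table[digest] for user, digest in store.items() if digest in table}


SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # about 16 MiB of memory per evaluation


def hash_password(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: random per-user salt plus a memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS)


def verify_password(password: bytes, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS), stored)


def crack_salted(store: Dict[str, Tuple[bytes, bytes]], guesses) -> Tuple[Dict[str, bytes], int]:
    """The same dictionary attack against the hardened store. Returns the
    recovered passwords and the number of KDF evaluations it took: the salt
    forces one evaluation per (user, guess) pair, and each evaluation costs
    orders of magnitude more than an MD5."""
    found: Dict[str, bytes] = {}
    work = 0
    for user, (salt, stored) in store.items():
        for guess in guesses:
            work += 1
            if verify_password(guess, salt, stored):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    print("MD5:", crack_unsalted_md5(WEAK_STORE, GUESSES), "after", len(GUESSES), "hashes")
    hardened = {u: hash_password(p) for u, p in [("operator", b"tbox2023"), ("admin", b"Winter!2023")]}
    print("scrypt:", crack_salted(hardened, GUESSES))
```

Weak passwords still fall to a dictionary attack under scrypt; what changes is that the attacker pays a slow, memory-bound evaluation for every user and every guess instead of one fast MD5 per guess for the whole store. Storing password-equivalents (an unsalted digest) on a device is the issue the advisory names, independent of the password policy.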

“The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves,” according to CISA. 
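The token weakness above combines two things: a random seed that never changes, and token material derived from the clock. The following added example is constructed for this article to show why that combination is brute-forceable; it is not Ovarro's algorithm, and the token layout, the attacker's time window, and the assumed number of tokens issued since boot are illustrative assumptions. The attacker here knows the scheme, the victim's approximate login time, and that the device issued only a handful of tokens since boot.

```python
import random
import secrets
import time
from typing import Optional, Tuple

# Weak scheme (hypothetical, for illustration): the PRNG is never properly seeded,
# so it starts from the same state on every boot, and the rest of the token is
# the wall-clock second at which it was issued.
UNSEEDED = 0


def weak_random_stream(count: int):
    """The first `count` 32-bit PRNG outputs the device will produce after boot."""
    rng = random.Random(UNSEEDED)
    return [rng.getrandbits(32) for _ in range(count)]


def weak_token(issued_at: int, tokens_issued_before: int) -> str:
    rnd_part = weak_random_stream(tokens_issued_before + 1)[-1]
    time_part = issued_at & 0xFFFFFFFF
    return f"{rnd_part:08x}{time_part:08x}"


def strong_token() -> str:
    """128 bits from the OS CSPRNG: nothing about it follows from time or boot state."""
    return secrets.token_hex(16)


class Device:
    """Stands in for the RTU: holds one valid session token and counts login attempts."""

    def __init__(self, token: str):
        self._token = token
        self.attempts = 0

    def authenticate(self, token: str) -> bool:
        self.attempts += 1
        return secrets.compare_digest(token, self._token)


def brute_force_weak(device: Device, approx_issue_time: int,
                     window: int = 300, max_tokens: int = 64) -> Tuple[Optional[str], int]:
    """Attacker model: knows the scheme, the login time to within `window` seconds,
    and that at most `max_tokens` tokens were issued since boot. The search space
    is max_tokens * (2 * window + 1) candidates instead of 2**64.
    Returns the recovered token (or None) and the number of attempts used."""
    for rnd_part in weak_random_stream(max_tokens):
        for dt in range(-window, window + 1):
            candidate = f"{rnd_part:08x}{(approx_issue_time + dt) & 0xFFFFFFFF:08x}"
            if device.authenticate(candidate):
                return candidate, device.attempts
    return None, device.attempts


if __name__ == "__main__":
    now = int(time.time())
    victim = Device(weak_token(now, 3))          # fourth token since boot, issued "now"
    print(brute_force_weak(victim, now + 17))   # attacker's clock is 17 s off
    print(brute_force_weak(Device(strong_token()), now + 17))
```

Against the weak scheme the attacker recovers the token in a few thousand attempts, which is well within what an unthrottled API will accept; against a token drawn from the OS CSPRNG the same budget finds nothing, and no budget would. Rate limiting helps, but the fix is the entropy source, not the lockout.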

The affected TBox RTUs allow low-privilege users to access software security tokens of higher privilege, which could allow an attacker with ‘user’ privileges to access files requiring higher privileges by establishing an SSH session and providing the other tokens, CISA disclosed. “All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer,” the advisory added.

Floris Hendriks and Jeroen Wijenbergh of Radboud University reported these vulnerabilities to CISA. The advisory added that “Ovarro recommends users update the affected products to the latest version by downloading the newest software version from the Ovarro website in the ‘Customer Support’ section.”

In another advisory, CISA disclosed an authentication bypass by capture-replay vulnerability in Mitsubishi Electric MELSEC-F Series equipment used in the critical manufacturing sector. Chun Liu, Xin Che, Ruilong Deng, Peng Cheng, and Jiming Chen from 307LAB, Zhejiang University, reported this vulnerability to Mitsubishi Electric.

The advisory added that exploiting this vulnerability could allow an attacker to log in to the product by sending specially crafted packets. Mitsubishi Electric reported that the vulnerability affects MELSEC-F Series products when used with the Ethernet communication special adapter FX3U-ENET-ADP or the Ethernet communication block FX3U-ENET(-L).

With a CVSS v3 base score of 7.5, CISA said that ‘an authentication bypass vulnerability due to authentication bypass by capture-replay exists in the MELSEC-F series main modules.’
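A capture-replay bypass means the login packets carry no freshness: whatever a legitimate engineering station sent can be resent by anyone who captured it. The following added example is a generic illustration written for this article and is not Mitsubishi Electric's protocol, firmware, or fix; the packet fields and the shared key are assumptions. It contrasts a login that carries a static credential with a nonce-based challenge-response in which each challenge is single-use, and shows both sides' messages.

```python
import hashlib
import hmac
import secrets


class WeakModule:
    """Static credential in every login packet (the replayable pattern):
    anyone who captures one login packet can log in by sending it again."""

    def __init__(self, password: str):
        self._password = password

    def handle(self, packet: dict) -> bool:
        return packet.get("cmd") == "login" and hmac.compare_digest(
            packet.get("password", ""), self._password)


class ChallengeModule:
    """Challenge-response with single-use nonces: a captured response proves
    knowledge of the key only for the nonce it was computed over."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()   # nonces issued and not yet consumed (expire them in practice)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def handle(self, packet: dict) -> bool:
        nonce = packet.get("nonce")
        if packet.get("cmd") != "login" or nonce not in self._pending:
            return False                      # replayed, forged, or never issued
        self._pending.discard(nonce)          # single use, even if the proof turns out wrong
        expected = hmac.new(self._key, b"login" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(packet.get("proof", b""), expected)


def client_login(key: bytes, nonce: bytes) -> dict:
    """Engineering-station side: prove possession of the key over the module's nonce."""
    return {"cmd": "login", "nonce": nonce,
            "proof": hmac.new(key, b"login" + nonce, hashlib.sha256).digest()}


def replay_scenario():
    """Returns (weak_legit, weak_replay, strong_legit, strong_replay, strong_cross)."""
    weak = WeakModule("plc-pass")
    captured = {"cmd": "login", "password": "plc-pass"}   # constructed: sniffed from a real session
    weak_legit = weak.handle(captured)
    weak_replay = weak.handle(dict(captured))               # attacker resends the capture

    key = secrets.token_bytes(32)                           # shared by station and module (assumed)
    strong = ChallengeModule(key)
    response = client_login(key, strong.challenge())
    strong_legit = strong.handle(response)
    strong_replay = strong.handle(dict(response))           # same capture resent: nonce consumed
    fresh = strong.challenge()
    strong_cross = strong.handle(dict(response, nonce=fresh))  # old proof against a new nonce
    return weak_legit, weak_replay, strong_legit, strong_replay, strong_cross


if __name__ == "__main__":
    print(replay_scenario())
```

The weak module accepts the replayed packet exactly as it accepted the original, which is the class of flaw the advisory describes. Where a device cannot be changed, the network controls Mitsubishi Electric lists are what keep the capture from happening in the first place.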

Mitsubishi Electric called on users to minimize the risk of an attacker exploiting this vulnerability by using a firewall or virtual private network (VPN) to prevent unauthorized access when internet access is required; using the products within a LAN and blocking access from untrusted networks and hosts through firewalls; and restricting physical access to the affected products and to the LAN to which they connect.

Earlier this month, CISA issued several security advisories addressing vulnerabilities in ICS equipment typically used across critical infrastructure sectors. The agency revealed the presence of hardware vulnerabilities across Advantech and SUBNET Solutions equipment. It also released notices of hardware vulnerabilities across various Siemens product lines, including POWER METER SICAM Q200 family, SIMOTION, SIMATIC products, TIA Portal, SIMATIC WinCC V7, Solid Edge, SINAMICS Medium Voltage products, SICAM A8000 devices, Teamcenter Visualization, and JT2Go.
