CISA discloses presence of ICS vulnerabilities in Siemens SIMATIC PCS, Omron equipment

The U.S. CISA (Cybersecurity and Infrastructure Security Agency) published Tuesday four ICS (industrial control systems) advisories, warning the critical infrastructure sector of vulnerabilities in the Siemens SIMATIC PCS neo Administration Console, Omron engineering software (a Zip-Slip flaw), Omron engineering software (an improper authorization flaw), and Omron CJ/CS/CP series PLCs. These advisories provide timely information about current security issues, vulnerabilities, and exploits affecting ICS, and the agency urges users and administrators to review the newly released advisories for technical details and mitigations.

In a CISA advisory, the agency warned asset owners and operators across multiple critical infrastructure sectors of an ‘insertion of sensitive information into an externally-accessible file or directory’ vulnerability in Siemens’ SIMATIC PCS neo Administration Console. “Successful exploitation of this vulnerability could allow an attacker to get the credentials and impersonate the admin user, thereby gaining admin access to other Windows systems,” it added.

Siemens reports that the SIMATIC PCS neo (Administration Console) V4.0 and V4.0 Update 1 are affected. “The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems. CVE-2023-38558 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated,” according to the advisory. 

CISA added that Siemens has released Security Patch 01 for the affected products and recommends that users install it. The company has also identified specific workarounds and mitigations that customers can apply to reduce the risk: change the passwords of the Windows accounts used for remote deployment of the AC Agent, and avoid deploying AC Agents remotely.

In another advisory, CISA warned of a path traversal vulnerability with low attack complexity in Omron’s engineering software Sysmac Studio and NX-IO Configurator. The agency identified Sysmac Studio version 1.54 and prior and NX-IO Configurator version 1.22 and prior as affected. Successful exploitation could allow an attacker to overwrite files on the system.

The affected products are deployed across the critical manufacturing sector. CISA said that “DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, which could allow attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry mishandled during extraction. This vulnerability is also known as ‘Zip-Slip.’ CVE-2018-1002205 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated,” it added.
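The Zip-Slip pattern described above, shown as an added example that is not code from the advisory, from Omron, or from the DotNetZip project: a naive extractor that joins each entry name onto the destination directory (so a ‘../’ entry escapes it) beside a hardened extractor that resolves every entry and refuses any that lands outside the destination. The archive, the entry names and the temporary directory layout are constructed here for the demonstration; Python’s zipfile is used in place of the .NET library because the mechanism is the same.

```python
"""Zip-Slip: naive extraction that honours '../' in entry names, beside a
hardened extractor that rejects any entry resolving outside the destination."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and one Zip-Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # Hostile entry name: climbs two directories above the extraction root.
        zf.writestr("../../escaped.txt", "written outside the extraction root\n")
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: trusts the entry name and joins it onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(dest: str, name: str) -> bool:
    """True only if `name` resolves to a path inside `dest` after normalisation."""
    # Absolute names and drive-qualified names are rejected outright.
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return False
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, candidate]) == root


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Hardened extractor: validates every entry before touching the filesystem."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        # Check all names first so a hostile archive writes nothing at all.
        for info in zf.infolist():
            if not is_safe_entry(dest, info.filename):
                raise ValueError(f"zip-slip entry rejected: {info.filename!r}")
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive inside a throwaway tree.

    The destination is nested three levels deep so the '../../' entry escapes
    the destination but stays inside the temporary directory being cleaned up.
    """
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "dest")
        os.makedirs(dest)
        root = os.path.realpath(dest) + os.sep
        naive = naive_extract(archive, dest)
        escaped = [p for p in naive if not p.startswith(root)]
        try:
            safe_extract(archive, os.path.join(tmp, "safe"))
            rejected = False
        except ValueError:
            rejected = True
    return {"naive_escaped": len(escaped), "safe_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check resolves symlinks and ‘..’ with realpath on both the root and the candidate before comparing, which is what a textual ‘starts with ../’ test misses; validating all entries before writing any avoids leaving a half-extracted tree behind when an archive is rejected.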

Reid Wightman of Dragos reported this vulnerability to CISA. Michael Heinzl reported the Zip-Slip vulnerability to JPCERT/CC, CISA disclosed.

In another advisory, CISA disclosed that Omron’s Sysmac Studio equipment contains an improper authorization vulnerability. The affected versions of Sysmac Studio are versions 1.54 and prior. “Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code,” it added.

The affected product is deployed across the critical manufacturing sector. CISA said that “Omron engineering applications install executables with low-privileged user write permissions. This could allow an attacker to alter the files to execute arbitrary code. CVE-2022-45793 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated,” it added.

Dragos’ Wightman reported this vulnerability to CISA.

To minimize the risk of exploitation, OMRON recommends anti-virus protection against malware for any PC with access to the control system, and installing and maintaining up-to-date commercial-grade anti-virus software.

To prevent unauthorized access, it recommends minimizing the connection of control systems and equipment to open networks so that untrusted devices cannot reach them; implementing firewalls (shutting down unused communication ports, limiting the hosts allowed to communicate, etc.) and isolating control systems from the IT network; using a virtual private network (VPN) for remote access to control systems and equipment; and using strong passwords and changing them frequently.

OMRON also recommends physical controls so that only authorized personnel can access control systems and equipment; scanning USB drives or similar devices for viruses before connecting them to systems and devices; and enforcing multi-factor authentication wherever possible on all devices with remote access to control systems and equipment.

It also suggests protecting data input and output by performing process validation, such as backup validation or range checks, to cope with unintentional modification of input/output data to control systems and devices, and recovering data through periodic backups and maintenance to prevent data loss.

CISA also revealed an ‘improper control of interaction frequency’ vulnerability in Omron’s Sysmac CJ/CS/CP PLC (programmable logic controller) series, typically deployed across the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information in memory,” it added.

The affected Omron CJ/CS/CP series products are: Smart Security Manager versions 1.4 and prior, versions before 1.31, and versions 1.5 and prior; CJ2H-CPU (-EIP) versions 1.4 and prior; CJ2M-CPU versions 2.0 and prior; CS1H/G-CPU H and CJ1G-CPU P versions 4.0 and prior; CS1D-CPU H and -CPU P versions 1.3 and prior; CS1D-CPU S versions 2.0 and prior; and CP1E-E and -N versions 1.2 and prior.

“Omron CJ/CS/CP series programmable logic controllers use the FINS protocol, which is vulnerable to brute-force attacks,” according to CISA. “The controllers do not enforce any rate limit on password guesses to password-protected memory regions. CVE-2022-45790 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated.”
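Because the affected controllers apply no rate limit to password guesses, the limit has to be enforced or at least observed from outside the PLC until firmware is updated. The following is an added example, not code from CISA or Omron: a sliding-window detector run over constructed connection records (timestamp, source, destination, destination port, protocol) that flags any source opening an unusual number of connections to a controller’s FINS port within a short window. FINS uses UDP/TCP port 9600; the record format, the window, the threshold and the IP addresses are assumptions for the demonstration and would be replaced by the site’s own flow or firewall logs and baselines.

```python
"""Flag password-guessing bursts against Omron FINS (port 9600) from
connection records, since the affected PLCs do not rate-limit guesses."""
from collections import defaultdict, deque

FINS_PORT = 9600  # Omron FINS listens here over UDP and TCP


def make_sample_records() -> list[str]:
    """Constructed sample records, not real traffic.

    Format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>".
    One host hammers the PLC; an engineering workstation connects occasionally.
    """
    lines = []
    # Attacker: 60 connections to the PLC within six seconds.
    for i in range(60):
        lines.append(f"{1000.0 + i * 0.1:.1f} 10.0.0.66 10.0.0.5 9600 udp")
    # Engineering workstation: three connections spread over a minute.
    for i in range(3):
        lines.append(f"{1000.0 + i * 20:.1f} 10.0.0.10 10.0.0.5 9600 udp")
    # Traffic to another port on the PLC is not FINS and is ignored.
    lines.append("1001.0 10.0.0.66 10.0.0.5 44818 tcp")
    return lines


def parse_record(line: str):
    """Return (ts, src, dst) for a FINS-port record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, _proto = parts
    if int(dport) != FINS_PORT:
        return None
    return (float(ts), src, dst)


def find_bursts(lines, window_s: float = 10.0, threshold: int = 20) -> dict:
    """Sliding-window count of FINS connections per (src, dst) pair.

    Returns {(src, dst): peak_count} for pairs whose count within any
    window of `window_s` seconds reached `threshold`.
    """
    events = sorted(e for e in (parse_record(l) for l in lines) if e)
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    peak = defaultdict(int)       # (src, dst) -> highest count seen in a window
    for ts, src, dst in events:
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()           # drop timestamps that fell out of the window
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for (src, dst), n in find_bursts(make_sample_records()).items():
        print(f"possible FINS brute force: {src} -> {dst}, {n} connections in window")
```

A single connection can carry many FINS requests, so counting connections is a floor on the guess rate, not a measure of it; where the monitoring point can decode FINS, the same window logic applies per request instead of per connection. The threshold should come from the site’s observed baseline for legitimate engineering-station traffic.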

Omron recommends that users update their products as soon as possible. Updated versions can be obtained by contacting Omron’s Customer Care Team. In case of the CJ2H-CPU(-EIP), update to version 1.5; CJ2M-CPU, update to version 2.1; CS1H/G-CPU H and CJ1G-CPU P, update to version 4.1; CS1D-CPU H/-CPU P, update to version 1.4; CS1D-CPU S, update to version 2.1, and CP1E-E / -N, update to version 1.3. 

The security agency called upon asset owners and operators to take defensive measures to minimize the risk of exploitation of this vulnerability: minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, and place control system networks and remote devices behind firewalls, isolated from business networks. When remote access is required, use more secure methods such as VPNs (virtual private networks), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the devices connected to it.

Earlier this month, CISA rolled out four ICS advisories covering vulnerabilities in equipment from Dover Fueling, Phoenix Contact, and Socomec, deployed across the critical infrastructure sector. The agency also updated an advisory addressing Delta Electronics’ CNCSoft-B DOPSoft equipment.
