CISA reveals ICS vulnerabilities in Carlo Gavazzi, Mitsubishi Electric, Hitachi Energy, Johnson Controls equipment

CISA reveals ICS vulnerabilities in Carlo Gavazzi, Mitsubishi Electric, Hitachi Energy, Johnson Controls equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced Thursday the presence of cybersecurity vulnerabilities in hardware from Carlo Gavazzi, Mitsubishi Electric, Hitachi Energy, and Johnson Controls. The agency called upon users and administrators to review the newly released ICS (industrial control systems) advisories for technical details and necessary mitigation action. 

In an advisory, CISA said that Carlo Gavazzi’s Powersoft energy management software contains path traversal vulnerability and a CVSS v3 base score of 7.5 has been calculated. Deployed globally in the critical manufacturing sector, versions 2.1.1.1 and prior of Powersoft are said to contain the cybersecurity vulnerability. 

“Carlo Gavazzi Powersoft versions 2.1.1.1 and prior have a directory traversal vulnerability that can allow an attacker to access and retrieve any file through specially crafted GET requests to the server,” CISA said in the advisory. The agency discovered a public proof-of-concept as authored by James Fitts.

Carlo Gavazzi will not issue a fix as this product is end-of-life, and CISA called upon users to contact the vendor for more information. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. They must also locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. 

CISA also reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

The agency also disclosed the presence of active debug code vulnerability in Mitsubishi Electric’s ethernet interface module WS0-GETH00200, deployed globally across the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module or, if certain conditions are met, either disclose or tamper with the module’s configuration or rewrite the firmware.”

In the affected products, CISA identified that “the hidden telnet function is enabled by default when shipped from the factory. An authentication bypass vulnerability could allow a remote unauthenticated attacker to log into the affected module by connecting to it via telnet.”

A CVSS v3 base score of 7.5 has been calculated for this vulnerability. Mitsubishi Electric reported this vulnerability to CISA.

Some of the workarounds laid out by Mitsubishi include setting passwords for telnet sessions that are difficult for third parties to guess. The password can be up to 15 characters long. Organizations must confirm the password is set. Alternatively, Mitsubishi Electric recommends that users adopt a firewall, VPN, etc., to prevent unauthorized access when Internet access is required, use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts. They also suggest restricting physical access to prevent untrusted devices from connecting to the LAN to minimize the risk of exploiting this vulnerability. 

Last month, CISA revealed the presence of Signal Handler Race Condition vulnerability in Mitsubishi Electric India’s GC-ENET-COM equipment, used across the critical manufacturing sector. “Successful exploitation of this vulnerability could lead to a communication error and may result in a denial-of-service condition,” it added.

In another advisory, CISA revealed that Hitachi Energy’s MicroSCADA Pro/X SYS600 products contain ‘Permissions, Privileges, and Access Controls’ vulnerability, which could allow an attacker to execute arbitrary code on the affected product.

Used globally across the energy sector, CISA identified that the following versions of Hitachi Energy’s MicroSCADA Pro/X SYS600 products are affected, SYS600: 9.4 FP2 Hotfix 5 and earlier; and SYS600: 10.1.1 and earlier. “The ActiveBar ActiveX control distributed in ActBar[dot]ocx 1.0.3.8 in SYS600 product does not properly restrict the SetLayoutData method, which could allow attackers to execute arbitrary code via a crafted data argument,” it added.

A CVSS v3 base score of 6.7 has been calculated, the advisory added.

For the SYS600 9.x, Hitachi Energy called upon organizations to upgrade to at least SYS600 version 10.2 or apply general mitigation factors. In the case of the SYS600 10.x, vendors must update to at least SYS600 version 10.2 or apply general mitigation factors.

Hitachi Energy also recommends security practices and firewall configurations that can help protect a process control network from attacks originating from outside the network. It also suggests keeping process control systems physically protected from direct access by unauthorized personnel; ensuring process control systems have no direct connections to the internet; and avoiding the use of process control systems for internet surfing, instant messaging, or receiving emails. It also proposed scanning portable computers and removable storage media for malware before connection to a control system, and ensuring proper password policies and processes are followed.

CISA also announced the presence of two vulnerabilities in Johnson Controls’ OpenBlue Enterprise Manager Data Collector equipment. These vulnerabilities include improper authentication and exposure of sensitive information to an unauthorized hacker. “Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector, which do not require authentication and may expose sensitive information to an unauthorized user,” the advisory added.

The agency said that the improper authentication vulnerability ‘under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector do not require authentication.’ A CVSS v3 base score of 10.0 has been calculated. 

When it comes to the second vulnerability, CISA said that ‘under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector may expose sensitive information to an unauthorized user.’ A CVSS v3 base score of 5.0 has been calculated.

Rushank Shetty, a security researcher at Northwestern Mutual, reported this vulnerability to Johnson Controls, who in turn reported this vulnerability to CISA. The advisory added that Johnson Controls recommends updating OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75, and users must contact Johnson Controls to obtain the update.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related