CISA warns of security flaws in Axis, Rockwell, Emerson, Johnson Controls equipment, provides mitigations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Tuesday four Industrial Control Systems (ICS) advisories warning of hardware vulnerabilities in equipment from Axis Communications, Rockwell Automation, Johnson Controls, and Emerson. These notices provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

The security agency disclosed that Axis Communications’ AXIS A1001 network door controller contains a heap-based buffer overflow vulnerability that is exploitable from adjacent networks. The vulnerability affects AXIS A1001 versions 1.65.4 and prior. “Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code,” it added.

The vulnerability carries a CVSS v3 base score of 7.1. CISA identified that, when communicating over the Open Supervised Device Protocol (OSDP), the ‘pacsiod’ process that handles the OSDP communication allows writing outside of the allocated buffer. “By appending invalid data to an OSDP message, it is possible to write data beyond the heap allocated buffer. The data written outside the buffer could allow an attacker to execute arbitrary code,” it added.
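The defensive check implied by the advisory is that a receiver must never trust the length field of an OSDP frame over the bytes it actually received. The parser below is an added example written for this article, not Axis code (the internals of ‘pacsiod’ are not public here); it follows the OSDP framing rules (SOM 0x53, address, little-endian LEN covering the whole packet, CTRL, optional secure-channel block, command byte, data, then an 8-bit checksum or 16-bit CRC), and the 1440-byte packet bound and CRC parameters are assumptions.

```python
# Validating parser for OSDP frames: a constructed example of the length check a
# handler must make, not the Axis 'pacsiod' code (framing per the public OSDP spec).
SOM = 0x53            # start-of-message byte
MAX_FRAME = 1440      # assumed per-packet upper bound used to size the receive buffer
CTRL_CRC = 0x04       # CTRL bit 2: 16-bit CRC trailer instead of 8-bit checksum
CTRL_SCB = 0x08       # CTRL bit 3: a secure-channel block follows CTRL

class FrameError(ValueError): pass

def crc16_aug_ccitt(data: bytes) -> int:  # poly 0x1021, init 0x1D0F (assumed params)
    crc = 0x1D0F
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def parse_osdp_frame(frame: bytes) -> dict:
    """Parse one frame, refusing any whose declared LEN disagrees with what arrived."""
    if len(frame) < 7 or frame[0] != SOM:
        raise FrameError("short frame or bad SOM")
    declared = frame[2] | (frame[3] << 8)   # LEN: little-endian, counts SOM..trailer
    # Bytes appended past LEN, or a LEN larger than the buffer, are exactly what a
    # copy that trusts only the header would write out of bounds: drop the frame.
    if declared > MAX_FRAME or declared != len(frame):
        raise FrameError(f"LEN {declared} vs received {len(frame)} (max {MAX_FRAME})")
    ctrl = frame[4]
    trailer = 2 if ctrl & CTRL_CRC else 1
    body = frame[:-trailer]
    if ctrl & CTRL_CRC:
        if int.from_bytes(frame[-2:], "little") != crc16_aug_ccitt(body):
            raise FrameError("CRC mismatch")
    elif sum(frame) & 0xFF:                 # 8-bit checksum: whole frame sums to zero
        raise FrameError("checksum mismatch")
    pos = 5
    if ctrl & CTRL_SCB:                     # first SCB byte is the block's own length
        scb_len = frame[pos]
        if scb_len < 2 or pos + scb_len >= len(body):
            raise FrameError("bad secure-channel block length")
        pos += scb_len
    if pos >= len(body):
        raise FrameError("missing command byte")
    return {"addr": frame[1], "seq": ctrl & 0x03, "cmd": frame[pos], "data": body[pos + 1:]}

def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_osdp_frame(frame)
    except FrameError:
        return False
    return True
```

A constructed osdp_POLL frame (0x60) to address 0 is accepted, while the same frame with bytes appended, an inflated LEN, or a bad checksum is rejected before any data is copied.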

Ariel Harush and Roy Hodir of OTORIO reported this vulnerability to Axis Communications.

Axis has released a patched version for affected devices that fixes the vulnerability, and it recommends users update the device software.

CISA also revealed a ‘relative path traversal’ vulnerability in Rockwell’s ThinManager ThinServer equipment, typically deployed across the critical manufacturing sector. The affected lines of the thin client and remote desktop protocol (RDP) server management software are versions 13.0.0 through 13.0.2 and 13.1.0. “Successful exploitation of this vulnerability could allow a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it,” it added.

“An executable used in the affected products can be configured to enable an API feature in the HTTPS server settings,” according to CISA. “This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that could allow a remote actor to leverage the server’s file system privileges and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.”
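The bug class CISA describes here, an API handler that builds a file path from request input and reads whatever it resolves to, is shown below as an added example written for this article; it is not Rockwell’s code, the served directory is an assumed location, and the vulnerable and hardened resolvers sit side by side so the containment check stands out.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed illustration of the "relative path traversal" class CISA describes for the
# ThinServer HTTPS API; it is not Rockwell's code, and SERVED_ROOT is an assumed location.
SERVED_ROOT = os.path.realpath(os.path.join(os.sep, "srv", "thinserver", "api-files"))

def vulnerable_resolve(requested: str) -> str:
    # Joining the caller's path verbatim lets "../" (or URL-encoded "%2e%2e/") segments
    # climb out of SERVED_ROOT, which is the arbitrary file read CISA describes.
    return os.path.normpath(os.path.join(SERVED_ROOT, unquote(requested)))

def hardened_resolve(requested: str) -> Optional[str]:
    """Return an absolute path inside SERVED_ROOT, or None when the request escapes it."""
    path = unquote(requested)                  # decode exactly once, before any checks
    if "\x00" in path or path.startswith(("/", "\\")):
        return None                            # NUL bytes and absolute paths are never valid
    segments = path.replace("\\", "/").split("/")
    if ":" in segments[0] or any(seg == ".." for seg in segments):
        return None                            # drive letters and any parent reference
    parts = [s for s in segments if s]
    if not parts:
        return None                            # an empty request names the root itself
    candidate = os.path.realpath(os.path.join(SERVED_ROOT, *parts))
    # Canonicalise (symlinks included) and confirm containment as the final authority.
    if os.path.commonpath([SERVED_ROOT, candidate]) != SERVED_ROOT:
        return None
    return candidate

def escapes_root(resolved: str) -> bool:
    """True when a resolved path lies outside SERVED_ROOT (shows the vulnerable form)."""
    return os.path.commonpath([SERVED_ROOT, os.path.realpath(resolved)]) != SERVED_ROOT
```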

Rockwell Automation has called upon users of the affected software to apply risk mitigations where possible, and encourages customers to implement its suggested security best practices to minimize the potential risk from the vulnerability. These include updating to the corrected software versions, 13.0.3 and 13.1.1 or later, as well as disabling the API feature and running the application under a service account with appropriate access.

In another advisory, CISA warned the ICS sector of the presence of an authentication bypass vulnerability in Emerson ROC800-Series RTU (remote terminal unit), including ROC800, ROC800L, and DL8000 Preset Controllers. The affected products include ROC809 and ROC827 – all firmware versions, all hardware series; ROC809L and ROC827L – all firmware versions; and DL8000 – all firmware versions, all hardware series. The Series 1 ROC800 and DL8000 became obsolete in 2008 when the Series 2 was introduced.

The affected devices are deployed across multiple critical infrastructure sectors, and the CISA advisory said that a CVSS v3 base score of 9.4 has been calculated for this vulnerability. “ROC800-Series RTU devices are vulnerable to an authentication bypass, which could allow an attacker to gain unauthorized access to data or control of the device and cause a denial-of-service condition,” it added.

Addressing mitigations, the CISA advisory identified that Emerson ROC800-Series RTU firmware updates can be applied to patch the authentication vulnerability: ROC800 Series 2, 3.91 firmware or later (available at the SupportNet Portal, login required); ROC800 Series 1, update hardware to Series 2 with 3.91 firmware or later; ROC800L Series 2, 1.71 firmware or later (SupportNet Portal, login required); DL8000 Series 2, 2.60 firmware or later (SupportNet Portal, login required); and DL8000 Series 1, update hardware to Series 2 with 2.60 firmware or later.

“Before installing firmware into the RTU, validate the MD5/SHA256 Hashes published by Emerson on SupportNet match the firmware image confirming it is genuine and unmodified,” CISA added. “Emerson recommends users follow guidance in the ROC800-Series Remote Operations Controller Instruction Manual under section 1.11 Secure Gateway D301766X012.”

Another CISA ICS advisory disclosed that Johnson Controls’ IQ Wifi 6 equipment contains an ‘improper restriction of excessive authentication attempts’ vulnerability. The agency revealed that the affected versions cover IQ Wifi 6 prior to 2.0.2. “Successful exploitation of this vulnerability could allow an unauthorized user to gain account access by conducting a brute force authentication attack,” it added.

CISA added that in firmware versions prior to v2.0.2 of Johnson Controls IQ Wifi 6, an unauthorized user could gain account access by conducting a brute-force authentication attack. Johnson Controls reported the vulnerability to CISA.

To reduce risk, Johnson Controls recommends upgrading IQ Wifi 6 firmware to version 2.0.2. Firmware updates will be pushed to all available devices in the field; the update can also be loaded manually by applying the patch tag ‘iqwifi2.0.2’ on the device after navigating to its firmware update page.

Earlier this month, CISA rolled out advisories addressing hardware vulnerabilities across Siemens and Rockwell Automation equipment. The agency revealed security flaws in various Siemens product lines, including SIMATIC MV500, SIMATIC CN 4100, RUGGEDCOM ROX, and SiPass Integrated.
