ICS hardware vulnerabilities disclosed in Delta Electronics, Yokogawa, PTC, Mitsubishi Electric equipment


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Thursday four industrial control systems (ICS) advisories, providing asset owners and operators with timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The agency reported vulnerabilities in Delta Electronics DOPSoft, Yokogawa STARDOM, PTC KEPServerEX, and Mitsubishi Electric FA engineering software products deployed across the critical infrastructure sector.

CISA calls upon users and administrators to review the newly released ICS advisories for technical details and mitigations.

In its guidance, CISA announced the presence of a stack-based buffer overflow vulnerability in all versions of Delta Electronics DOPSoft, which CISA rates as exploitable remotely with low attack complexity. “The affected product is vulnerable to a stack-based buffer overflow, which may allow for arbitrary code execution if an attacker can lead a legitimate user to execute a specially crafted file. CVE-2023-5944 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated,” the advisory added.

DOPSoft is deployed across the energy sector. Natnael Samson, working with Trend Micro Zero Day Initiative, identified the vulnerability and reported it to CISA.

Delta Electronics has declared DOPSoft end-of-life and recommends that users migrate to DIAScreen instead. This vulnerability does not exist in the newest version of DIAScreen. Users may download DIAScreen v1.3.1 (or newer) from the DIAStudio download center.

CISA also disclosed an uncontrolled resource consumption vulnerability in Yokogawa STARDOM FCN/FCJ, a network control system; versions R1.01 through R4.31 are affected. The equipment is used across multiple critical infrastructure sectors.

“This vulnerability may allow a remote attacker to cause a denial-of-service condition to the FCN/FCJ controller by sending a crafted packet,” the CISA advisory identified. “While sending the packet, the maintenance homepage of the controller could not be accessed. Therefore, functions of the maintenance homepage, changing configuration, viewing logs, etc. are not available. But the controller’s operation is not stopped by the condition. CVE-2023-5915 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated.”

Roman Ezhov of Kaspersky reported this vulnerability to Yokogawa.

Mitigations recommended by Yokogawa include using the packet filter function of the FCN/FCJ controller to allow connections only from trusted hosts, and securing the network so that an attacker cannot send a malicious packet to the controller.

Yokogawa strongly recommends all users establish and maintain a full security program, not only for the vulnerability identified in this YSAR, CISA said. “Security program components are patch updates, anti-virus, backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.”

In another security notice, CISA disclosed that PTC KEPServerEX, ThingWorx, and OPC-Aggregator equipment contain a heap-based buffer overflow vulnerability and an improper validation of certificates with host mismatch vulnerability. The products are deployed across multiple critical infrastructure sectors, and CISA detailed that “exploitation of these vulnerabilities could allow an attacker to gain Windows SYSTEM-level code execution on the service host and may cause the product to crash, leak sensitive information, or connect to the product without proper authentication.”

The affected PTC Kepware products are KEPServerEX: v6.14.263.0 and prior; ThingWorx Kepware Server: v6.14.263.0 and prior; ThingWorx Industrial Connectivity: all versions; OPC-Aggregator: v6.14 and prior; ThingWorx Kepware Edge: v1.7 and prior; Rockwell Automation KEPServer Enterprise: versions v6.14.263.0 and prior; GE Digital Industrial Gateway Server: versions v7.614 and prior; and Software Toolbox TOP Server: versions v6.14.263.0 and prior.

“KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information. CVE-2023-5908 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated,” CISA pointed out. “KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect. CVE-2023-5909 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated.”

The advisory added that Shawn Hoffman reported these vulnerabilities to PTC.

PTC has released fixed versions and recommends that users upgrade: KEPServerEX to v6.15 or later; ThingWorx Kepware Server to v6.15 or later; ThingWorx Industrial Connectivity to ThingWorx Kepware Server v6.15 or later; OPC-Aggregator to v6.15 or later; and ThingWorx Kepware Edge to v1.8 or later.

In another advisory, CISA identified that Mitsubishi Electric FA Engineering Software Products contain an external control of file name or path vulnerability, which has a low attack complexity. “Exploitation of this vulnerability could allow a malicious attacker to execute malicious code by tricking legitimate users to open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition,” it added.

Mitsubishi Electric reports vulnerabilities in FA Engineering Software Products, including all versions of GX Works3, MELSOFT iQ AppPortal, MELSOFT Navigator, and Motion Control Setting (Software packaged with GX Works3).

“Malicious code execution vulnerability due to external control of file name or path exists in multiple FA engineering software products,” CISA said. “This vulnerability could allow an attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition. CVE-2023-5247 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated.”

01dGu0 of Zhejiang Qian Information & Technology Co. reported this vulnerability to Mitsubishi Electric, the advisory disclosed.

Mitsubishi Electric recommends that users install antivirus software on computers using the affected product; use computers with the affected product within the LAN and block remote login from untrusted networks, hosts, and users; and, when connecting computers with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., to prevent unauthorized access, allowing only trusted users to remotely log in. Users should also not open untrusted files or click untrusted links.

Earlier this week, CISA announced that it is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the water and wastewater systems (WWS) sector. The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.
