ICS vulnerabilities found in Siemens, Sewio, InHand Networks, SAUTER Controls, Hitachi Energy, Johnson Controls hardware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published security advisories last week highlighting vulnerabilities identified in ICS (industrial control systems) products used across multiple critical infrastructure sectors. The affected products come from several vendors, including Siemens, Sewio, InHand Networks, SAUTER Controls, Hitachi Energy, and Johnson Controls.

CISA identified a missing immutable root of trust in hardware across Siemens’ S7-1500 CPU product family. Exploiting this vulnerability could enable an intruder with physical access to the device to replace the device’s boot image and run unverified code.

The affected devices are deployed across multiple critical infrastructure sectors. CISA said in its advisory that “the affected devices do not contain an immutable root of trust in hardware. Due to this, the integrity of the code executed on the device cannot be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.”

Yuanzhe Wu and Ang Cui of Red Balloon Security reported this vulnerability to Siemens. The German company recommends restricting physical access to affected devices to trusted personnel to prevent hardware tampering, for example by placing devices in locked control cabinets, and upgrading the hardware. Siemens is working on new hardware versions for additional PLC types to address this vulnerability further.

In another advisory, CISA disclosed a remotely exploitable, low-attack-complexity vulnerability in Siemens Mendix SAML equipment, which is deployed globally across critical infrastructure sectors. The vulnerability, an improper neutralization of input during web page generation, could allow an attacker to obtain sensitive information by tricking users into opening a malicious link. Users are advised to upgrade.

CISA also disclosed external control of file name or path and path traversal vulnerabilities in Siemens’ Automation License Manager (ALM). Exploiting these vulnerabilities could allow an attacker to modify and rename license files, extract licenses, and overwrite arbitrary files on the target system, potentially leading to privilege escalation and remote code execution.

Eran Jacob of OTORIO reported these vulnerabilities to Siemens. The advisory recommends that users of Automation License Manager V6 update to V6.0 SP9 Upd4 or later, and limit remote access to port 4410/TCP to trusted systems only.

Vulnerabilities that can be exploited remotely with low attack complexity have been identified in Sewio RTLS Studio. They include the use of hard-coded passwords, OS command injection, out-of-bounds write, cross-site request forgery, improper input validation, and cross-site scripting. The flaws affect Sewio RTLS Studio versions 2.0.0 up to and including 2.6.2.

Sewio is a fully scalable solution that allows customizing existing tags, adding more trackable objects, and increasing coverage as needs grow. With Sewio RTLS for precise indoor tracking, organizations can transform their businesses into highly efficient, powerful, and streamlined operations. Based on ultra-wideband (UWB) time difference of arrival (TDoA), Sewio RTLS operates on dedicated, unoccupied, and interference-free UWB spectrum that is fully industry certified to guarantee reliable and scalable performance in even the harshest environments.

The CISA advisory said that “exploitation of these vulnerabilities could allow an attacker to obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code.”

Andrea Palanca of Nozomi Networks reported these vulnerabilities to CISA. Sewio advises users to update to version 3.0.0 or later. To reduce the risk of exploitation, the advisory recommends that organizations minimize network exposure for all control system devices and systems, ensure they are not accessible from the internet, and locate control system networks and remote devices behind firewalls, isolated from business networks.

According to CISA, InHand Networks’ InRouter302 versions before IR302 v3.5.56 and InRouter615 versions before InRouter6XX-S-V2.3.0.r5542 contain several exploitable vulnerabilities: cleartext transmission of sensitive information, OS command injection, use of a one-way hash with a predictable salt, improper access control, and use of insufficiently random values.

The devices are used across the energy, critical manufacturing, transportation, and healthcare sectors. The CISA advisory disclosed that exploitation of these “vulnerabilities could allow a message queuing telemetry transport (MQTT) command injection, unauthorized disclosure of sensitive device information, and remote code execution. If properly chained, these vulnerabilities could result in an unauthorized remote user fully compromising every cloud-managed InHand Networks device reachable by the cloud.”

OTORIO’s Roni Gavrilov reported these vulnerabilities to CISA. InHand recommends that InRouter302 users update the firmware to IR302 V3.5.56 or later, and that InRouter615 users update the firmware to InRouter6XX-S-V2.3.0.r5542 or later.

Another CISA ICS advisory disclosed that SAUTER Controls’ Nova 200–220 Series (PLC 6) contains two vulnerabilities: missing authentication for critical function and cleartext transmission of sensitive information. Exploiting these vulnerabilities could allow unauthorized disclosure of sensitive information and remote code execution.

The product line is deployed across the critical manufacturing and energy sectors. CISA said that SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allow the execution of commands without credentials. “As Telnet and file transfer protocol (FTP) are the only protocols available for device management, an unauthorized user could access the system and modify the device configuration, which could result in the unauthorized user executing unrestricted malicious commands,” the advisory added.

The same SAUTER Controls Nova 200–220 Series devices, with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior, have only FTP and Telnet available for device management. The advisory added that “any sensitive information communicated through these protocols, such as credentials, is sent in cleartext. An attacker could obtain sensitive information such as user credentials to gain access to the system.”

SAUTER Controls said that this product line is no longer supported, and was discontinued in 2016. The company has advised organizations to take all necessary measures to protect the integrity of building automation network access, using all appropriate means and policies to minimize risks. It recommends that organizations evaluate and upgrade legacy systems to current solutions where necessary. 

An improper access control vulnerability has been identified in Hitachi Energy’s Lumada APM; it can be exploited remotely and requires low attack complexity. Exploiting this vulnerability could allow an attacker to gain unauthorized access to any installed Power BI reports or to manipulate asset issue comments on assets.

“Hitachi Energy Lumada APM has a flaw in the access control mechanism implementation on the ‘Limited Engineer’ role, granting access to the embedded Power BI reports feature,” CISA said in its advisory. “This could allow an unauthorized user to access information by gaining unauthorized access to any installed Power BI reports, then manipulating asset issue comments on assets that should not be available to that user.”

Hitachi Energy advises users that the vulnerability is remediated in Lumada APM v6.4.0.1. Lumada APM v6.5.0.0 and later are not affected. The company said that the ‘On Premise’ edition of Lumada APM does not support the Power BI integration feature. However, users can connect a subscription-based Power BI to Lumada APM.

If the Power BI integration feature is enabled and there are users with the ‘Limited Engineer’ role, Hitachi Energy recommends disabling the unsupported Power BI integration feature. It also suggests removing any users with the ‘Limited Engineer’ role and assigning those users to another role before using the unsupported Power BI integration feature.

CISA also disclosed an insufficiently protected credentials vulnerability in Johnson Controls’ Metasys ADS/ADX/OAS servers, which are deployed across the critical manufacturing sector. The flaw affects Metasys ADS/ADX/OAS version 10.X, all versions before 10.1.6, and Metasys ADS/ADX/OAS version 11.X, all versions before 11.0.3. It can be exploited with low attack complexity and exposes credentials in plaintext to unauthenticated users.

“Under certain circumstances, the affected versions of Johnson Controls Metasys ADS/ADX/OAS Servers could expose plaintext credentials through application programmable interface (API) calls,” the CISA advisory said.

The advisory recommends that users of Metasys ADS/ADX/OAS version 10.X update to patch 10.1.6, and Metasys ADS/ADX/OAS version 11.X update to patch 11.0.3.
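As an added defensive example (not code from the article, CISA, or any of the vendors), the following Python inventory check matches asset versions against the affected-version ranges quoted in the advisories above; the product labels and the sample inventory are constructed, and version strings are assumed to be the bare version portion (for example "3.5.56" rather than "IR302 v3.5.56").

```python
import re
from dataclasses import dataclass
from typing import Optional

def parse_version(text: str) -> tuple:
    """Keep only numeric parts: '2.3.0.r5542' -> (2, 3, 0, 5542), '3.3-006' -> (3, 3, 6)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def _padded(a: tuple, b: tuple) -> tuple:
    """Zero-pad two version tuples to equal length so (10, 1, 6) compares equal to (10, 1, 6, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

@dataclass(frozen=True)
class AffectedRange:
    product: str        # constructed label for the product line
    lo: Optional[str]   # lowest affected version (inclusive); None means "all earlier versions"
    hi: str             # upper bound as printed in the advisory
    hi_inclusive: bool  # True for "hi and prior", False for "before hi" (hi is the fixed build)
    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.lo is not None:
            pv, plo = _padded(v, parse_version(self.lo))
            if pv < plo:
                return False
        pv, phi = _padded(v, parse_version(self.hi))
        return pv <= phi if self.hi_inclusive else pv < phi

RULES = [  # ranges as stated in the advisories summarised above
    AffectedRange("Sewio RTLS Studio", "2.0.0", "2.6.2", True),
    AffectedRange("InHand InRouter302", None, "3.5.56", False),
    AffectedRange("InHand InRouter615", None, "2.3.0.r5542", False),
    AffectedRange("SAUTER Nova 200-220 firmware", None, "3.3-006", True),
    AffectedRange("Hitachi Energy Lumada APM", None, "6.4.0.1", False),
    AffectedRange("JCI Metasys ADS/ADX/OAS", "10.0", "10.1.6", False),
    AffectedRange("JCI Metasys ADS/ADX/OAS", "11.0", "11.0.3", False),
]

def check_inventory(inventory):
    """Return (host, product, version) for every asset that falls inside an affected range."""
    return [(h, p, v) for h, p, v in inventory
            if any(r.product == p and r.matches(v) for r in RULES)]

SAMPLE_INVENTORY = [  # constructed sample assets, not real hosts
    ("rtls-srv-01", "Sewio RTLS Studio", "2.6.2"),        # last affected build (inclusive)
    ("rtls-srv-02", "Sewio RTLS Studio", "3.0.0"),        # fixed release
    ("cell-gw-07", "InHand InRouter302", "3.5.55"),
    ("cell-gw-08", "InHand InRouter615", "2.3.0.r5542"),  # exactly the fixed build
    ("apm-app-1", "Hitachi Energy Lumada APM", "6.4.0.0"),
    ("metasys-ads-1", "JCI Metasys ADS/ADX/OAS", "10.1.5"),
]
```

Running `check_inventory(SAMPLE_INVENTORY)` flags rtls-srv-01, cell-gw-07, apm-app-1 and metasys-ads-1; the two hosts on exactly the fixed builds are not reported.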
