String of ICS vulnerabilities detected in hardware deployed across critical infrastructure sectors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced last week the presence of hardware vulnerabilities in equipment from Industrial Control Links, Jtekt Electronics, Korenix, Hitachi Energy, and mySCADA Technologies. Because the affected equipment is deployed across the critical infrastructure sector, the security agency has provided organizations with potential mitigation actions and updates to deal with these security loopholes.

Industrial Control Links’ ScadaFlex II SCADA controllers were found to contain an external control of file name or path vulnerability, which could allow an authenticated attacker to overwrite, delete, or create files. The controllers are used across the critical manufacturing sector. CISA identified the affected versions of the Industrial Control Links ScadaFlex II SCADA Controllers as SW: 1.03.07 (build 317), WebLib: 1.24; SW: 1.02.20 (build 286), WebLib: 1.24; SW: 1.02.15 (build 286), WebLib: 1.22; SW: 1.02.01 (build 229), WebLib: 1.16; SW: 1.01.14 (build 172), WebLib: 1.14; and SW: 1.01.01 (build 2149), WebLib: 1.13.

“On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 devices, unauthenticated remote attackers can overwrite, delete, or create files. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability,” CISA wrote in its advisory. “CVE-2022-25359 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated.”

CISA added that a public proof-of-concept (PoC) authored by Gjoko Krstic of Zero Science Lab is available.

Industrial Control Links has relayed that it is closing its business. This product may be considered end-of-life, and continued support for it may be unavailable.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should minimize network exposure for all control system devices and/or systems, locate control system networks and remote devices behind firewalls and isolate them from business networks. Additionally, when remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. 

The security agency also disclosed low-attack-complexity vulnerabilities in Jtekt Electronics’ Screen Creator Advance 2. The product was found to contain out-of-bounds read, out-of-bounds write, and use-after-free vulnerabilities, which could allow an attacker to disclose information or execute arbitrary code.

The affected version of JTEKT ELECTRONICS Screen Creator Advance 2, a software program, is Ver0.1.1.4 Build01.

The software is used across critical manufacturing organizations. Michael Heinzl reported these vulnerabilities to JPCERT/CC, CISA said in its advisory. “JTEKT ELECTRONICS recommends users to download the following updates: Ver.0.1.1.4 Build01A and above,” it added.

Another CISA advisory disclosed the presence of out-of-bounds read and use-after-free vulnerabilities in Jtekt Electronics’ Kostac PLC Programming Software versions 1.6.9.0 and earlier. “Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code,” the notice added.

The loopholes were also reported by Heinzl to JPCERT/CC. Organizations have been advised to download version 1.6.10.0 and above. “This version not only addresses the vulnerability but also takes measures to prevent crafted project files from being opened. Project files saved with Version 1.6.9.0 or earlier can be re-saved with Version 1.6.10.0 or above to enable this tamper-proof feature. Project files saved with Version 1.6.10.0 or above cannot be opened with Version 1.6.9.0 or earlier,” the advisory added.

Remotely exploitable, low-attack-complexity vulnerabilities have been found in Korenix Jetwave hardware. These loopholes include command injection and uncontrolled resource consumption. The CISA advisory added that “successful exploitation of these vulnerabilities could allow an attacker to gain full access to the underlying operating system of the device or cause a denial-of-service condition.”

The affected versions of Korenix Jetwave include Korenix JetWave4221 HP-E versions V1.3.0 and prior, Korenix JetWave 3220/3420 V3 versions prior to V1.7, Korenix JetWave 2212G version V1.3.T, Korenix JetWave 2212X/2112S version V1.3.0, Korenix JetWave 2211C versions prior to V1.6, Korenix JetWave 2411/2111 versions prior to V1.5, Korenix JetWave 2411L/2111L versions prior to V1.6, Korenix JetWave 2414/2114 versions prior to V1.4, Korenix JetWave 2424 versions prior to V1.3, and Korenix JetWave 2460 versions prior to V1.6. 

CISA revealed that Thomas Weber of CyberDanube reported these vulnerabilities to Korenix. The advisory recommends that users update their JetWave products to the latest available firmware. 

The security agency disclosed that Hitachi Energy’s MicroSCADA System Data Manager SDM600 equipment had various vulnerabilities, including unrestricted upload of file with dangerous type, improper authorization, improper resource shutdown or release, and improper privilege management.

“Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product,” the advisory added. “The following versions of Hitachi Energy’s MicroSCADA SDM600, a data management tool, are affected SDM600: versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291) and SDM600: versions prior to v1.3.0 (Build Nr. 1.3.0.1339).”

CISA also identified the presence of an OS command injection vulnerability in mySCADA Technologies’ mySCADA myPRO hardware. “Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands,” the advisory added.

The product is deployed across the energy, food and agriculture, transportation systems, and water and wastewater systems sectors; organizations must upgrade the mySCADA hardware to version 8.29.0 or higher.
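To make the OS command injection class named above concrete from a defender's standpoint, the following is an added example that is not code from the original article and not mySCADA's implementation. It assumes a hypothetical SCADA web backend that lets an authenticated operator ping a field device by address, shows the vulnerable pattern (user input spliced into a shell string) beside a hardened one (allowlist validation plus an argv list with no shell), and uses a shell-style tokenizer to show how the vulnerable string would be split into more than one command. Function names and sample inputs are constructed for illustration.

```python
import re
import shlex
import subprocess

# Constructed allowlist for the hypothetical "host" parameter: hostnames and
# IPv4 literals only. Shell metacharacters (; | & $ ` etc.) cannot match.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping_command(host: str) -> str:
    """'Before' pattern (CWE-78): the untrusted value is concatenated into a
    command line intended for subprocess.run(..., shell=True). Anything the
    shell treats as a separator in `host` becomes an additional command."""
    return f"ping -c 1 {host}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenize `cmd` the way a POSIX shell would, keeping ';' '|' '&' as
    separate tokens, so a reviewer can see the extra command a crafted value
    introduces. Used for illustration only; nothing is executed here."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_count(cmd: str) -> int:
    """Number of simple commands the shell would run for `cmd`: one plus the
    number of command separators found by the tokenizer."""
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in shell_tokens(cmd) if tok in separators)


def build_ping_argv(host: str) -> list[str]:
    """Hardened pattern: validate against the allowlist, reject values that
    would be parsed as options, and return an argv list so no shell ever
    interprets the operator-supplied value."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    if host.startswith("-"):
        # Argument injection: "-f" or similar would be read as a ping option.
        raise ValueError(f"rejected option-like host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def is_rejected(host: str) -> bool:
    """True when the hardened builder refuses the value (handy for tests and
    for the audit log the web layer should write on rejection)."""
    try:
        build_ping_argv(host)
    except ValueError:
        return False or True
    return False


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the validated command with shell=False. Only the returncode is
    exposed to the caller; stdout/stderr are not echoed back to the web UI."""
    argv = build_ping_argv(host)
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    benign = "plc-01.local"
    crafted = "10.0.0.1; id"          # constructed crafted value
    print("vulnerable string:", vulnerable_ping_command(crafted))
    print("commands the shell would run:", command_count(vulnerable_ping_command(crafted)))
    print("hardened argv for benign input:", build_ping_argv(benign))
    print("crafted input rejected:", is_rejected(crafted))
```

The two patterns differ in who parses the operator's input: in the vulnerable form a shell does, so its grammar (separators, substitutions) is reachable by anyone who can submit the parameter; in the hardened form only the target program sees the value, and it arrives as a single argv element that has already passed an allowlist. The `startswith("-")` check closes the remaining gap, where a syntactically valid value is read as a flag rather than as data.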

Last month, CISA set up a Ransomware Vulnerability Warning Pilot (RVWP) Program that identifies vulnerabilities commonly associated with known ransomware exploitation and warns critical infrastructure entities of those vulnerabilities, enabling mitigation before damaging intrusions occur.
