US CISA issues ICS cybersecurity advisories for Emerson, Mitsubishi Electric, Johnson Controls equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Thursday four ICS (industrial control systems) cybersecurity advisories addressing hardware vulnerabilities in equipment deployed across the critical infrastructure sector. The agency provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS equipment from Emerson, Mitsubishi Electric, and Johnson Controls. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

In an advisory, CISA revealed the presence of vulnerabilities in Emerson PACSystem and Fanuc equipment. The vulnerabilities include cleartext transmission of sensitive information, insufficient verification of data authenticity, insufficiently protected credentials, and download of code without integrity check. CISA identified that ‘exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, or a denial-of-service condition.’

The agency also said that it “is aware of a public report, known as ‘OT:ICEFALL,’ detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.” Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.

CISA identified that the affected Emerson products, deployed across the energy sector, include all versions of PAC Machine Edition, PACSystem RXi, PACSystem RX3i, PACSystem RSTi-EP, PACSystem VersaMax, and Fanuc VersaMax.

CISA issued another advisory addressing vulnerabilities in Emerson Ovation equipment used globally across the energy sector. The vulnerabilities include missing authentication for critical function and insufficient verification of data authenticity. “Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, denial-of-service, or allow an attacker to modify the controller configuration,” it added.

Once again, CISA linked these vulnerabilities to the OT:ICEFALL disclosure. Wetzels and dos Santos reported these vulnerabilities to the security agency. 

“The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition,” CISA noted. “CVE-2022-29966 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; a CVSS v4 score has also been calculated for CVE-2022-29966. A base score of 9.3 has been calculated,” it added. 

Furthermore, CISA mentioned that “The affected product was found to have no authentication of firmware signing and relies on an insecure checksum for integrity. This could allow an attacker to push malicious firmware images, cause a denial-of-service condition, or achieve remote code execution. CVE-2022-30267 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated, and a CVSS v4 score has also been calculated for CVE-2022-30267. A base score of 8.7 has been calculated.” 
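The firmware-integrity weakness quoted above, illustrated with an added Python example that is not code from CISA, Emerson, or the Ovation product: an additive checksum still passes an image whose bytes were rearranged so the sum is unchanged, while a keyed MAC, used here as a stand-in for vendor signature verification, rejects the same change. The firmware bytes and key are constructed for the example.

```python
"""Firmware image integrity: an additive checksum versus a keyed MAC.
Added example; the image, the checksum format and the key are constructed."""
import hashlib
import hmac
import struct

# Constructed sample firmware body (not a real controller image).
FIRMWARE = bytes(range(64)) * 4
KEY = b"constructed-example-key"   # stand-in for the vendor's signing secret


def weak_checksum(data: bytes) -> int:
    """Sum-of-bytes checksum mod 2**16: detects accidental corruption only."""
    return sum(data) & 0xFFFF


def package_weak(data: bytes) -> bytes:
    """Append the 16-bit checksum, as an insecure-checksum scheme would."""
    return data + struct.pack(">H", weak_checksum(data))


def verify_weak(image: bytes) -> bool:
    body, tag = image[:-2], image[-2:]
    return struct.pack(">H", weak_checksum(body)) == tag


def package_mac(data: bytes, key: bytes) -> bytes:
    """Append HMAC-SHA256; real firmware signing uses an asymmetric key pair,
    but the verify-before-accept shape is the same."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(image: bytes, key: bytes) -> bool:
    body, tag = image[:-32], image[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def swap_first_bytes(image: bytes, tag_len: int) -> bytes:
    """Swap the first two body bytes and keep the trailing tag. The byte sum
    is unchanged, so this shows why an additive checksum gives no assurance
    of integrity once the content is controlled by anyone but the vendor."""
    body = bytearray(image[:-tag_len])
    body[0], body[1] = body[1], body[0]
    return bytes(body) + image[-tag_len:]


def integrity_report() -> dict:
    """Run both schemes against the same modified image."""
    weak, signed = package_weak(FIRMWARE), package_mac(FIRMWARE, KEY)
    return {
        "checksum_accepts_modified": verify_weak(swap_first_bytes(weak, 2)),
        "mac_accepts_modified": verify_mac(swap_first_bytes(signed, 32), KEY),
    }
```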

Emerson recommends that organizations upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities. They are also advised to consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models, and deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual. 

In another advisory, CISA disclosed the presence of an ‘allocation of resources without limits or throttling’ vulnerability in Mitsubishi Electric’s CC-Link IE TSN Industrial Managed Switch equipment. The affected versions of CC-Link IE TSN Industrial Managed Switch include NZ2MHG-TSNT8F2 versions 05 and prior, and NZ2MHG-TSNT4 versions 05 and prior.

With the product deployed across the critical manufacturing sector, CISA identified that ‘successful exploitation of this vulnerability could allow an attacker to cause a temporary denial-of-service (DoS) condition in the web service on the product.’

The Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch has an OpenSSL vulnerability that allows an attacker to cause a temporary DoS condition on the web service of the product by getting a legitimate administrator user to import a specially crafted certificate, which causes the product to experience notable to very long delays.

CISA noted that CVE-2023-2650 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.7 has been calculated. A CVSS v4 score has also been calculated for CVE-2023-2650. A base score of 5.1 has been calculated. 

Mitsubishi Electric recommends that organizations update to the fixed versions of these product lines. To minimize the risk of this vulnerability being exploited, it advised organizations to use a virtual private network (VPN) or other means to prevent unauthorized access when internet access is required. They must also use the products within a LAN and block access from untrusted networks and hosts; restrict physical access to the product and to the computers and network equipment on the same network; and, after logging into the NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, change the username and password from the default setting at [Account Management] on the function menu. Proper access permissions should also be set for the users.

In another advisory, CISA revealed a ‘missing authentication for critical function’ vulnerability in Johnson Controls’ Software House iStar Pro Door Controller and ICU equipment. “Successful exploitation of this vulnerability may allow an attacker to perform a machine-in-the-middle attack to inject commands which change configuration or initiate manual door control commands,” it added. 

CISA noted that the vulnerability, in equipment deployed globally across the critical manufacturing sector, affects all versions of the Software House iStar Pro Door Controller and version 6.9.2.25888 and prior of the ICU equipment.

“Under certain circumstances, communication between the ICU tool and an iStar Pro door controller is susceptible to machine-in-the-middle attacks which could impact door control and configuration,” the CISA advisory identified. “CVE-2024-32752 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated. A CVSS v4 score has also been calculated for CVE-2024-32752. A base score of 8.8 has been calculated,” it added.
