CISA finds security flaws in Advantech, HID Global hardware; updates earlier notices for Delta Electronics, Mitsubishi Electric, Hitachi Energy

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Thursday five ICS (industrial control systems) advisories warning industrial stakeholders of hardware vulnerabilities in equipment from Advantech and HID Global. The agency also updated previous advisories concerning security loopholes in hardware from Delta Electronics, Mitsubishi Electric, and Hitachi Energy. These notices provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS appliances.

CISA disclosed that Advantech’s WebAccess Node equipment contains vulnerabilities that are remotely exploitable with low attack complexity. The vulnerabilities include ‘improper control of generation of code’ (code injection) and ‘unrestricted upload of file with dangerous type.’

“Successful exploitation of these vulnerabilities could allow an attacker to arbitrarily overwrite files resulting in remote code execution,” the CISA advisory said.

CISA added that in Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. 

“In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as ‘manager’ user, which can lead to arbitrary code execution,” the agency disclosed. “In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.” A CVSS v3 base score of 7.2 has been calculated for all three vulnerabilities.

WebAccess/SCADA is used across the critical manufacturing, energy, and water and wastewater systems sectors. Advantech recommends that WebAccess/SCADA users upgrade to v9.1.4. YangLiu from Elex Feigong Research Institute reported these vulnerabilities to CISA.
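The upload flaws described above come down to a client-supplied file name deciding the extension and location of the stored file. The following is an added example, not Advantech's code or its fix: a certificate-upload check whose allowlist pattern, function names and extension set are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Assumption: certificate uploads only ever need these extensions. The stem is
# limited to characters that cannot hide a second extension ("cert.pem.asp"),
# a path separator, a ';' or ':' suffix, or a trailing dot.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(cer|crt|pem)", re.IGNORECASE)


class UploadRejected(Exception):
    """Raised when an upload must not be written to disk."""


def safe_upload_path(upload_root, client_filename):
    """Return the destination for a certificate upload or raise UploadRejected."""
    # fullmatch() means the whole name must fit the allowlist, not just a prefix.
    if not NAME_RE.fullmatch(client_filename):
        raise UploadRejected(f"file name not allowed: {client_filename!r}")
    root = Path(upload_root).resolve()
    dest = (root / client_filename).resolve()
    # Defence in depth: a symlink must not redirect the write outside the root.
    if dest.parent != root:
        raise UploadRejected("destination escapes the upload directory")
    return dest


def store_upload(upload_root, client_filename, data):
    """Write the upload without ever replacing an existing file."""
    dest = safe_upload_path(upload_root, client_filename)
    try:
        # Mode "x" creates the file exclusively, so an existing file is never
        # overwritten, even if it appears between the check and the write.
        with open(dest, "xb") as fh:
            fh.write(data)
    except FileExistsError:
        raise UploadRejected("refusing to overwrite an existing file") from None
    return dest
```

The upload directory should also be one the web server never executes scripts from, so that a bypass of the name check still does not yield code execution.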

In another advisory, CISA revealed a ‘modification of assumed-immutable data’ vulnerability in HID Global’s SAFE equipment. “Successful exploitation of this vulnerability could result in exposure of personal data or create a denial-of-service condition,” it added.

“The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API),” CISA revealed. “An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.”

HID SAFE is deployed globally across the government facilities, transportation, commercial facilities, and healthcare sectors. CISA internal research reported this vulnerability to HID.

The External Visitor Management feature is licensed and deployed separately from the HID SAFE core software. Users not using this feature are not affected. According to HID Global, the number of affected systems is limited and all affected systems have been patched.
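For operators reviewing web server logs on an affected deployment, the two behaviours CISA describes (one account reading visitor-ids it was not issued, and an unbounded request rate) can be checked as below. This is an added example, not HID or CISA tooling; the log format, account names, thresholds and the `ISSUED` mapping are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): ISO time, account, visitor-id requested.
SAMPLE_LOG = """\
2023-01-12T09:00:01 visitor-a 1001
2023-01-12T09:05:30 visitor-a 1001
2023-01-12T09:10:00 visitor-b 1002
2023-01-12T09:10:01 visitor-b 1003
2023-01-12T09:10:02 visitor-b 1004
2023-01-12T09:10:03 visitor-b 1005
2023-01-12T09:10:04 visitor-b 1006
2023-01-12T09:10:05 visitor-b 1007
2023-01-12T09:10:06 visitor-b 1008
"""

# Assumption: the visitor-id(s) each external account was actually issued.
ISSUED = {"visitor-a": {"1001"}, "visitor-b": {"1002"}}


def parse(log):
    """Yield (timestamp, account, visitor_id) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, account, visitor_id = line.split()
            yield datetime.fromisoformat(ts), account, visitor_id


def find_abuse(log, issued, max_per_window=5, window=timedelta(seconds=10)):
    """Report accounts reading foreign visitor-ids and accounts sending bursts."""
    foreign, times = defaultdict(set), defaultdict(list)
    for ts, account, visitor_id in parse(log):
        times[account].append(ts)
        if visitor_id not in issued.get(account, set()):
            foreign[account].add(visitor_id)
    bursts = set()
    for account, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                bursts.add(account)
                break
    return {"foreign_ids": {a: sorted(v) for a, v in foreign.items()},
            "bursts": sorted(bursts)}
```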

In an update to its September 2022 advisory, CISA said that Delta Electronics’ DIAEnergie hardware contains a ‘use of hard-coded credentials’ vulnerability. Successful exploitation of the vulnerability could lead to remote code execution. A CVSS v3 base score of 9.8 has been calculated, and the advisory added that “executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution.”

Delta Electronics reports that the vulnerability affects DIAEnergie industrial energy management system versions before 1.9.03.009.

DIAEnergie is deployed worldwide in the critical manufacturing sector. Y4er, working with Trend Micro Zero Day Initiative, reported this vulnerability to CISA. “Delta Electronics fixed the reported vulnerability in version 1.9.03.009 and recommends all users update affected systems. Users can contact the front end sales or FAEs to get this version,” it added.

CISA also updated a December 2022 advisory covering vulnerabilities in Mitsubishi Electric’s GX Works3, MX OPC UA Module Configurator-R, GX Works2, GX Developer, GT Designer3 Version1 (GOT2000), and Motion Control Setting. The deficiencies identified include cleartext storage of sensitive information, use of hard-coded password, insufficiently protected credentials, use of hard-coded cryptographic key, and cleartext storage of sensitive information in memory. 

“Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs or view project files without permissions,” the advisory added. 

The cybersecurity agency also published an advisory concerning vulnerabilities in Hitachi Energy Relion 670, 650, and SAM600-IO equipment. With the ‘improper input validation’ vulnerability, CISA outlined that “successful exploitation of this vulnerability could reboot the device regularly, resulting in a denial-of-service condition. The primary functionality of the device is not available during the reboot phase.”

A CVSS v3 base score of 7.5 has been calculated. “An attacker with access to the IEC 61850 network and knowledge of how to reproduce the attack—as well as the IP addresses of the different IEC 61850 access points (of IEDs/products)—can force the device to reboot, which renders the device inoperable for approximately 60 seconds. This vulnerability affects only products with IEC 61850 interfaces,” the advisory added.

The equipment is deployed globally across the energy sector. Markus Mahrla of GAI NetConsult GmbH and Lars Lengersdorf of Amprion GmbH reported this vulnerability to Hitachi Energy, the CISA advisory disclosed. Hitachi Energy recommends users apply relevant updates at their earliest convenience. Users should contact Hitachi Energy to acquire firmware for a specific product version.

Last month, CISA announced the presence of cybersecurity vulnerabilities in hardware from Carlo Gavazzi, Mitsubishi Electric, Hitachi Energy, and Johnson Controls. 
