CISA issues Industrial Control Systems(ICS) advisories for critical flaws
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has released eight advisories concerning Industrial Control Systems (ICS) vulnerabilities in products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. These advisories highlight the critical flaws in these products that could be exploited by cyber attackers to take remote control of the devices.
The top vulnerability on the list is CVE-2022-3682, which has a CVSS score of 9.9 and affects Hitachi Energy’s MicroSCADA System Data Manager SDM600. It can allow attackers to take remote control of the product through a flaw in file permission validation. The vulnerability could allow adversaries to upload a specially crafted message to the system and execute arbitrary code. Hitachi Energy has addressed this issue with the release of SDM600 18.104.22.1689. However, users with SDM600 versions prior to 1.2 FP3 HF4 (Build Nr. 1.2.23000.291) should apply this patch to mitigate the issue.
CISA has also disclosed five critical vulnerabilities with a CVSS score of 9.9 in mySCADA myPRO versions 8.26.0 and earlier. These vulnerabilities are related to command injection bugs that can allow authenticated users to inject arbitrary operating system commands. CISA has recommended that users update their systems to version 8.29.0 or higher to address these issues.
Industrial Control Links ScadaFlex II SCADA Controllers also have a critical security bug (CVE-2022-25359) that allows authenticated attackers to overwrite, delete, or create files. CISA has noted that Industrial Control Links has closed its business and that continued support for this product may not be available.
Additionally, five unpatched shortcomings have been disclosed, including one critical bug (CVE-2023-1748, CVSS score: 9.3) that affects Nexx’s garage door controllers, smart plugs, and smart alarms. Security researcher Sam Sabetan discovered and reported these issues, which could enable threat actors to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms. The following versions of Nexx smart home devices are affected –
• Nexx Garage Door Controller (NXG-100B, NXG-200) – Version nxg200v-p3-4-1 and prior
• Nexx Smart Plug (NXPG-100W) – Version nxpg100cv4-0-0 and prior
• Nexx Smart Alarm (NXAL-100) – Version nxal100v-p1-9-1 and prior
CISA has urged users to minimize network exposure, isolate control system networks from business networks, and place them behind firewalls to address potential risks. Users of the affected products are recommended to apply the necessary patches and updates as soon as possible to avoid cyber threats.
The sources for this piece include an article in TheHackerNews.