CISA issues Industrial Control Systems (ICS) advisories for critical flaws

By TuxCare PR Team - April 19, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has released eight advisories concerning Industrial Control Systems (ICS) vulnerabilities in products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. These advisories highlight the critical flaws in these products that could be exploited by cyber attackers to take remote control of the devices.

The top vulnerability on the list is CVE-2022-3682, which has a CVSS score of 9.9 and affects Hitachi Energy’s MicroSCADA System Data Manager SDM600. A flaw in file permission validation can allow attackers to take remote control of the product: adversaries could upload a specially crafted message to the system and execute arbitrary code. Hitachi Energy has addressed this issue with the release of SDM600 1.3.0.1339, and users with SDM600 versions prior to 1.2 FP3 HF4 (Build Nr. 1.2.23000.291) should apply this patch to mitigate the issue.

CISA has also disclosed five critical vulnerabilities with a CVSS score of 9.9 in mySCADA myPRO versions 8.26.0 and earlier. These are command injection bugs that can allow authenticated users to inject arbitrary operating system commands. CISA has recommended that users update their systems to version 8.29.0 or higher to address these issues.

Industrial Control Links ScadaFlex II SCADA Controllers also have a critical security bug (CVE-2022-25359) that allows authenticated attackers to overwrite, delete, or create files. CISA has noted that Industrial Control Links has closed its business and that continued support for this product may not be available.

Additionally, five unpatched shortcomings have been disclosed, including one critical bug (CVE-2023-1748, CVSS score: 9.3), that affect Nexx’s garage door controllers, smart plugs, and smart alarms. Security researcher Sam Sabetan discovered and reported these issues, which could enable threat actors to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms. The following versions of Nexx smart home devices are affected:

• Nexx Garage Door Controller (NXG-100B, NXG-200) – Version nxg200v-p3-4-1 and prior
• Nexx Smart Plug (NXPG-100W) – Version nxpg100cv4-0-0 and prior
• Nexx Smart Alarm (NXAL-100) – Version nxal100v-p1-9-1 and prior

CISA has urged users to minimize network exposure, isolate control system networks from business networks, and place them behind firewalls to address potential risks. Users of the affected products are advised to apply the necessary patches and updates as soon as possible.

The sources for this piece include an article in TheHackerNews.
