CISA issues ICS advisories on hardware vulnerabilities from Rockwell, SUBNET, Johnson Controls, Mitsubishi Electric

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories on Tuesday, offering up-to-date information on security issues, vulnerabilities, and exploits affecting these critical environments. The agency identified hardware vulnerabilities in equipment deployed across the critical infrastructure sector from Rockwell Automation, SUBNET, Johnson Controls, and Mitsubishi Electric. 

In its advisory, CISA revealed a low attack complexity vulnerability in Rockwell Automation’s FactoryTalk Remote Access. The ‘unquoted search path or element’ vulnerability affects FactoryTalk Remote Access v13.5.0.174 and prior, which is used globally across critical infrastructure sectors, including chemical, commercial facilities, critical manufacturing, energy, government facilities, and water and wastewater systems.

“Successful exploitation of this vulnerability could allow an attacker to enter a malicious executable and run it as a system user, resulting in remote code execution,” the advisory added.

It added that an unquoted executable path exists in the affected products, possibly resulting in remote code execution if exploited. “While running the FTRA installer package, the executable path is not properly quoted, which could allow a threat actor to enter a malicious executable and run it as a system user. A threat actor needs admin privileges to exploit this vulnerability.”

CVE-2024-3640 has been identified as the associated vulnerability. It has a calculated CVSS v3.1 base score of 6.5 and a corresponding CVSS v4 score of 7.0. Rockwell Automation reported this vulnerability to CISA and has called upon organizations to upgrade to v13.6.
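
An added example (not code from the advisory or from Rockwell Automation) of how a defender can audit for the unquoted-path condition described above: it parses Windows command strings, such as those collected from service or installer entries, flags executable paths that contain spaces but no quotes, and proposes the quoted form. The entry names, paths and extension list are constructed assumptions.

```python
import re

# Executable extension at the end of a token; the extension list is an assumption.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def split_command(command):
    """Split a Windows command string into (executable, arguments, was_quoted)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unbalanced quote: treat the rest as the path
            return cmd[1:], "", True
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = _EXE_END.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip(), False
    # No recognizable extension: fall back to the first whitespace-delimited token.
    head, _, tail = cmd.partition(" ")
    return head, tail.strip(), False


def audit(entries):
    """Return findings for entries whose executable path has spaces but no quotes."""
    findings = []
    for name, command in entries.items():
        exe, args, quoted = split_command(command)
        if quoted or " " not in exe:
            continue
        fixed = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({"name": name, "command": command, "suggested": fixed})
    return findings


# Constructed sample entries (hypothetical names and paths, not taken from the advisory).
SAMPLE = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\Remote Agent\agent.exe --service",
    "QuotedAgent": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "NoSpaces": r"C:\Tools\agent.exe /quiet",
    "ArgsWithSpaces": r"C:\Tools\agent.exe /log C:\Temp Files\out.log",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['name']}: {f['command']}\n  -> {f['suggested']}")
```

Only the first sample entry is reported; spaces that appear in arguments after the executable do not trigger a finding.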

In another advisory, CISA disclosed that Subnet Solutions’ PowerSYSTEM Center contains a ‘reliance on insufficiently trustworthy component’ vulnerability. “Successful exploitation of the vulnerabilities in components used by PowerSYSTEM Center could allow privilege escalation, denial-of-service, or arbitrary code execution,” it added.

SUBNET Solutions has reported that PowerSYSTEM Center Update 19 and earlier versions, deployed globally across the critical manufacturing and energy sectors, utilize components with vulnerabilities. “SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Center,” it added.

CVE-2024-28042 has been linked to this vulnerability, with a calculated CVSS v3.1 base score of 8.4. Additionally, a CVSS v4 score has been determined for CVE-2024-28042, resulting in a base score of 8.6.

Having reported these vulnerabilities to CISA, Subnet Solutions has fixed these issues by identifying and replacing out-of-date libraries used in previous versions of PowerSYSTEM Center. Users are advised to update to version 5.20.x.x or newer. To obtain this software, contact Subnet Solutions Customer Service.

CISA announced the presence of a low attack complexity vulnerability in Johnson Controls’ security management system Software House C●CURE 9000 affecting v3.00.2. The identified vulnerability is the insertion of sensitive information into a log file. “Successful exploitation of this vulnerability may allow an attacker to access credentials used for access to the application,” it added.

The advisory added that under certain circumstances the Microsoft Internet Information Server (IIS) used to host the C●CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact on non-web service interfaces C●CURE 9000 or prior versions.

CVE-2024-0912 has been linked to this vulnerability, with a calculated CVSS v3.1 base score of 7.7. Furthermore, a CVSS v4 score has been determined for CVE-2024-0912, resulting in a base score of 8.5. Johnson Controls reported this vulnerability to CISA.

Johnson Controls recommends updating Software House C●CURE 9000 to version 3.00.2 CU02 or 3.00.3; changing the password for the impacted Windows accounts; and deleting the api.log log file (or removing instances of passwords from the log file with a text editor).

In a separate advisory, CISA disclosed the existence of hardware vulnerabilities in the equipment utilized within the critical manufacturing sector, specifically in various Mitsubishi Electric FA Engineering Software Products. These vulnerabilities encompass issues such as Improper Privilege Management, Uncontrolled Resource Consumption, Out-of-bounds Write, and additional instances of Improper Privilege Management.

“Successful exploitation of these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands,” the advisory added.

The affected FA Engineering Software Products include all versions of CPU Module Logging Configuration Tool; CSGL (GX Works2 connection configuration); CW Configurator; Data Transfer; Data Transfer Classic; EZSocket (communication middleware product for Mitsubishi Electric partner companies); FR Configurator SW3; FR Configurator2; and GENESIS64. 

It also affects all versions of GT Designer3 Version1 (GOT1000); GT Designer3 Version1 (GOT2000); GT SoftGOT1000 Version3; GT SoftGOT2000 Version1; GX Developer; GX LogViewer; GX Works2; GX Works3; iQ Works (MELSOFT Navigator); MI Configurator; Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224); MR Configurator (SETUP221); MR Configurator2; MRZJW3-MC2-UTL; MX Component; MX OPC Server DA/UA (Software packaged with MC Works64); and PX Developer/Monitor Tool.

The vulnerabilities also affect all versions of RT ToolBox3; RT VisualBox; Setting/monitoring tools for the C Controller module (SW4PVC-CCPU); SW0DNC-MNETH-B; SW1DNC-CCBD2-B; SW1DNC-CCIEF-J; SW1DNC-CCIEF-B; SW1DNC-MNETG-B; SW1DNC-QSCCF-B; and SW1DND-EMSDK-B. 

Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim reported these vulnerabilities to Mitsubishi Electric.

The company recommends that users restrict physical access to the computer using the product; install antivirus software on the computer using the affected product; and not open untrusted files or click untrusted links, to minimize the risk of exploitation of these vulnerabilities.

Last week, researchers from Kaspersky ICS CERT discovered critical vulnerabilities in Cinterion cellular modems, presenting a significant threat to industrial devices. These flaws allow remote unauthorized attackers to execute arbitrary code. The modems are crucial for global connectivity infrastructure and are widely deployed in millions of devices across various sectors.
