CISA Publishes Industrial Control Systems Advisories for Critical Infrastructure

America’s cyber defense agency Cybersecurity & Infrastructure Security Agency (CISA) published four advisories detailing threats to four Industrial Control Systems (ICS).

Vulnerabilities in Hitachi Energy, Trane, Rockwell Automation, and Mitsubishi Electric were addressed in the CISA advisory.

Details from the Latest CISA ICS Advisories

Hitachi Energy AFF66x advisory by CISA stated that the vulnerabilities affected the equipment AFF66x /665 of firmware 03.0.02 and prior.

“Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices,” read the ICS CISA advisory.

The following were among the vulnerabilities found in Hitachi Energy products –

1. ​CVE-2021-43523 – A cross-site scripting vulnerability exploitation of the same could lead to domain hijacking. It was assigned a CVSS score of 9.6.
2. CVE-2020-13817 – The use of insufficiently random values error could be exploited to cause a denial of service attack posing a threat to the website. It was assigned a CVSS score of 7.4.
3. CVE-2020-11868 – An origin validation error that could be exploited by a threat actor to block unauthenticated synchronization using a spoofed IP address. This vulnerability was assigned a CVSS score of 7.5.
4. CVE-2019-11477 – An integer overflow vulnerability in Linux Kernel allowing a denial of service attack to be launched. It was assigned a CVSS score of 7.5.
5. CVE-2018-18066 – A null pointer dereference flaw that could be exploited remotely to cause a crash. It has been assigned a CVSS score of 7.5.

The Hitachi Energy vulnerabilities exposed critical infrastructure worldwide for its usage. These are some of the mitigations offered in the CISA advisory –

1. Update to the upcoming release – AFF660/665 FW 04.6.01
2. Allow only trusted DNS servers
3. Allow only trusted IP addresses by restricting TCP/ IP-based management protocols

Hitachi Energy recommended the following general mitigations to safeguard the critical infrastructure –

1. Protect the process control systems from physically being accessed by unknown individuals.
2. Leaving direct internet connections to the process control systems off.
3. Making sure the process control systems are different from other networks. Using firewall systems with minimally exposed ports for the same.
4. Not using process control systems for regular internet usage, especially instant messaging and receiving emails.
5. Scanning portal computers and other systems for malware before connecting them to the control systems.

CISA Advisories Cover Critical Infrastructure Vulnerabilities

Trane Thermostats vulnerability impacting the critical manufacturing sector

• CVE-2023-4212 vulnerability impacted Trane Technologies XL824 Thermostat, XL850, XL1050, and Pivot thermostats. It was a command injection vulnerability that could be exploited to run arbitrary commands using a specified filename.

However, this vulnerability depended on physical access to the device through a USB. The vulnerability was assigned a CVSS score of 6.8.

• CVE-2023-2915 vulnerability with a CVSS score of 7.5 could be exploited by threat actors to gain system privileges and delete arbitrary files.
• CVE-2023-2917 vulnerability exploitation could allow an attacker to add arbitrary files to directories on the disk- drive using a crafted synchronization protocol message.

Rockwell Automation ThinManager ThinServer vulnerability impacting the critical manufacturing sector

CVE-2023-2914 vulnerability impacted several versions of ThinManager ThinServer software. The exploitation of this improper input validation flaw could allow cybercriminals to read access violations triggered by sending a crafted synchronization protocol message.

Mitsubishi Electric vulnerability affecting the critical manufacturing sector

CVE-2023-1618 vulnerability exposed systems to unathorized and remote logging in to the compromised module. The Telnet function which is left enabled by default could be exploited to cause an authentication bypass by connecting via telnet.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.