The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued three advisories concerning vulnerabilities in Industrial Control Systems (ICS). These advisories provide crucial information about existing security issues in ICS and how they could be exploited. The vulnerabilities identified in these advisories pose significant risks to the security and functionality of industrial control systems.
One of the advisories concerns PiiGAB M-Bus, a company specializing in process information. The company has reported multiple vulnerabilities in its M-Bus SoftwarePack 900S. These vulnerabilities include code injection, improper restriction of authentication attempts, unprotected transport of credentials, use of hard-coded credentials, plaintext storage of passwords, cross-site scripting, weak password requirements, use of a weak password hash, and cross-site request forgery. Exploiting these vulnerabilities could allow an attacker to inject arbitrary commands, steal passwords, or trick valid users into executing malicious commands. Weak password policies and the storage of passwords in plaintext make this advisory particularly important for PiiGAB M-Bus users.
Another vulnerability identified by CISA is related to ABUS TVIP, a vendor of security camera systems. The vulnerability, a command injection flaw, allows remote attackers to execute arbitrary code by exploiting shell metacharacters in a specific field of the camera’s configuration. In this type of attack, input that an application passes to the host operating system is interpreted as commands rather than as data. The severity of this vulnerability is rated as moderate, with public exploits available. The exploitation of this vulnerability can lead to arbitrary file reads or remote code execution.
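The defensive side of this bug class, as an added example that is not taken from the advisory or from any vendor code: a configuration field is checked against an allow-list and handed to the helper program as a single argv element, so no shell ever parses it. The field (a hostname setting), the function names and the stand-in helper are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Hypothetical field: a hostname entered on a device settings page.
# Allow-list: letters, digits, dots and hyphens; must not start with a
# hyphen, so the value can never be mistaken for a command-line option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Stand-in for the helper program a device would run with the field value.
# It writes its first argument back, so we can see exactly what it received.
HELPER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def is_valid_host(value: str) -> bool:
    """True only if the whole value matches the allow-list."""
    return HOST_RE.fullmatch(value) is not None


def echo_via_argv(value: str) -> str:
    """Pass the value as one argv element (list form, no shell=True).

    Shell metacharacters arrive at the helper as literal bytes because
    no shell is involved in building the command line.
    """
    done = subprocess.run(HELPER + [value], capture_output=True,
                          text=True, check=True, timeout=10)
    return done.stdout


def apply_setting(value: str) -> str:
    """Validate first, then invoke the helper without a shell."""
    if not is_valid_host(value):
        raise ValueError("rejected configuration value")
    return echo_via_argv(value)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for sample in ["pool.example.net", "pool.example.net; echo INJECTED"]:
        print(repr(sample), "valid" if is_valid_host(sample) else "rejected")
    print(repr(echo_via_argv("pool.example.net; echo INJECTED")))
```

The two controls are independent: argv passing removes the shell from the path, and the allow-list also rejects values that could be read as options by the helper itself.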
Mitsubishi Electric Corporation has also released an update regarding a previously identified vulnerability in its MELSEC Series CPU modules. This vulnerability, classified as a classic buffer overflow, exists due to inadequate input size checks in the affected modules. Exploiting this vulnerability can result in a denial-of-service condition or the execution of malicious code. Mitsubishi Electric has released firmware updates to address this issue.
In response to these vulnerabilities, the affected vendors have provided specific mitigations and recommended actions to minimize the risk of exploitation. PiiGAB advises users to install the latest software update for the M-Bus SoftwarePack 900S. ABUS has conducted a replacement campaign for affected devices and encourages users to replace them with newer models. Mitsubishi Electric recommends updating firmware versions for their MELSEC Series CPU modules.
CISA also offers general defensive measures and best practices to mitigate the risks associated with these vulnerabilities. These measures include following the least-privilege user principle, setting unique and secure passwords, minimizing network exposure, using secure remote access methods such as VPNs, and performing proper impact analysis and risk assessments before implementing defensive measures. Additionally, CISA provides control system security recommended practices, technical information papers, and other resources on its ICS webpage to assist organizations in enhancing their cybersecurity posture.
It is crucial for organizations using Industrial Control Systems to stay updated on the latest vulnerabilities and advisories issued by cybersecurity agencies like CISA. By implementing the recommended mitigations and best practices, organizations can minimize the risk of exploitation and ensure the security and functionality of their industrial control systems.

