ICS hardware vulnerabilities found in TELSAT, SDG Technologies, Yokogawa, Johnson Controls equipment – IndustrialCyber


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published seven ICS (industrial control systems) advisories that provide timely information about current security issues, vulnerabilities, and exploits surrounding these critical systems. The security agency reported that hardware used across critical infrastructure sectors from companies like TELSAT, SDG Technologies, Yokogawa and Johnson Controls contains vulnerabilities.

In an advisory, CISA highlighted vulnerabilities in TELSAT MarKoni’s Markoni-D (Compact) and Markoni-DH (Exciter+Amplifiers) FM Transmitters, noting that these vulnerabilities can be exploited remotely with low attack complexity and public exploits are available. The identified vulnerabilities include command injection, use of hard-coded credentials, use of client-side authentication, and improper access control. 

“Successful exploitation of these vulnerabilities could allow an attacker to tamper with the product to bypass authentication or perform remote code execution,” the agency added.

Deployed in the global communications sector, the TELSAT MarKoni FM Transmitters impacted include all versions of the Markoni-D (Compact) and Markoni-DH (Exciter+Amplifiers) models prior to version 2.0.1. CISA discovered a public Proof of Concept (PoC) authored by Gjoko Krstic and reported it to marKoni.

marKoni has released TELSAT marKoni FM Transmitter: Version 2.0.1 to remediate these vulnerabilities.

In another advisory, CISA revealed the presence of a missing authorization vulnerability in SDG Technologies’ PnPSCADA equipment. “Successful exploitation of this vulnerability could allow an attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.”

Versions of SDG Technologies’ PnPSCADA, a web-based SCADA HMI, prior to version 4 are affected. CVE-2024-2882 has been assigned to this vulnerability, with a CVSS v3 base score calculated at 9.1 and a CVSS v4 base score of 9.3.

PnPSCADA is used across the energy, water and wastewater systems, and critical manufacturing sectors. Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA. SDG Technologies recommends that users use the updated PnPSCADA 4.

CISA disclosed in another advisory the presence of cross-site scripting and empty password in configuration file vulnerabilities in Yokogawa FAST/TOOLS and CI Server equipment deployed globally across the critical manufacturing, energy, and food and agriculture sectors. “Successful exploitation of these vulnerabilities could allow an attacker to launch a malicious script and take control of affected products,” it added.

Affected versions of Yokogawa’s FAST/TOOLS and CI Server, SCADA software environments, include FAST/TOOLS RVSVRN Package, UNSVRN Package, HMIWEB Package, FTEES Package, and HMIMOB Package, spanning Versions R9.01 to R10.04; along with CI Server Versions ranging from R1.01.00 to R1.03.00.

The advisory said that the affected product’s WEB HMI server’s function to process HTTP requests has a security flaw (reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.

CVE-2024-4105 has been designated for this vulnerability, with a CVSS v3.1 base score of 5.8. Additionally, a CVSS v4 base score of 6.9 has been calculated for the same vulnerability.

It added that the affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product. CVE-2024-4106 has been assigned to this vulnerability, with a CVSS v3.1 base score and a CVSS v4 base score both calculated at 5.3.

Yokogawa recommends that customers using FAST/TOOLS update to R10.04, then first apply patch software R10.04 SP3 and afterward apply patch software I12560. The company recommends that customers who use Collaborative Information Server (CI Server) update to R1.03.00 and apply patch software R10.04 SP3.

For both platforms, if the password for the default account has not been changed, please change that password according to the documentation included with the patch software.

Yokogawa recommends that users establish and maintain a full security program, not only for the vulnerability identified in this YSAR. Security program components are patch updates, anti-virus, backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. As a starting point for considering the most effective risk mitigation plan, Yokogawa can perform a security risk assessment.

CISA reported in another advisory the presence of an improper input validation vulnerability in Johnson Controls’ Illustra Essentials Gen 4 hardware used across critical infrastructure sectors, including the critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors. “Successful exploitation of this vulnerability could allow an attacker to inject commands,” it added.

Johnson Controls reports that all versions up to Illustra.Ess4.01.02.10.5982 of the Illustra Essentials Gen 4 IP camera are affected. Under certain conditions, the web interface erroneously accepts characters that deviate from the expected input. CVE-2024-32755 has been assigned to this vulnerability, with a CVSS v3.1 base score of 9.1. Sam Hanson of Dragos reported this vulnerability to Johnson Controls.

Johnson Controls recommends that users upgrade cameras to Illustra.Ess4.01.02.13.6953. 

In another advisory, CISA covered the presence of a ‘Storing Passwords in a Recoverable Format’ vulnerability in Johnson Controls’ Illustra Essentials Gen 4 hardware. “Successful exploitation of this vulnerability could allow an authenticated user to recover credentials for other Linux users,” it added.

Under specific conditions, an authenticated user may be able to recover Linux user credentials. CVE-2024-32756 has been assigned to this vulnerability, carrying a CVSS v3.1 base score of 6.8. Once again, Hanson reported this vulnerability to Johnson Controls, which recommends that users upgrade the camera to Illustra.Ess4.01.02.13.6953. 

In yet another disclosure, CISA revealed the presence of an ‘Insertion of Sensitive Information into Log File’ vulnerability in Johnson Controls Illustra Essentials Gen 4 equipment. It added that exploitation of this vulnerability may allow an attacker to gain access to Linux user credentials.

Under specific conditions, system logs may disclose unnecessary user details. CVE-2024-32757 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.8. The vendor recommends users upgrade cameras to Illustra.Ess4.01.02.13.6953. 

In another advisory, CISA reported that Johnson Controls’ Illustra Essentials Gen 4, used across critical infrastructure sectors, has a vulnerability involving the storage of passwords in a recoverable format. “Successful exploitation of this vulnerability may allow web interface user’s credentials to be recovered by an authenticated user,” it added. 

Under certain circumstances, the web interface user’s credentials may be recovered by an authenticated user. CVE-2024-32932 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated.

Dragos’ Hanson identified the vulnerability. Johnson Controls advises users to upgrade their cameras to Illustra.Ess4.01.02.13.6953 to address the issue.
