The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has several Industrial Control Systems (ICS) advisors alerting them to critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens Released Li.
The most serious flaws relate to Sewio’s RTLS Studio, which allows attackers to “gain unauthorized access to servers, tamper with information, create denial-of-service conditions, obtain escalated privileges, and execute arbitrary code. ” can be misused. According to CISA.
This includes CVE-2022-45444 (CVSS score: 10.0). This is a case of hard-coded passwords for selected users in the application’s database that could potentially grant unrestricted access to a remote adversary.
Also of note are two command injection flaws (CVE-2022-47911 and CVE-2022-43483, CVSS score: 9.1) and an out-of-bounds write vulnerability (CVE-2022-41989, CVSS score: 9.1). To do. Denial of service or code execution.
This vulnerability affects RTLS Studio version 2.0.0 through version 2.6.2. We recommend updating to version 3.0.0 or later.
In its second alert, CISA highlighted a set of five security flaws in InHand Networks InRouter 302 and InRouter 615, including CVE-2023-22600 (CVSS score: 10.0). These can lead to command injection, information disclosure, and code execution.
“If properly chained, these vulnerabilities could result in an unprivileged remote user fully compromising any cloud-managed InHand Networks device reachable by the cloud,” the agency said. I’m here.
All firmware versions of the InRouter 302 prior to IR302 V3.5.56 and the InRouter 615 prior to InRouter6XX-S-V2.3.0.r5542 are susceptible to the bug.
Sauter Controls Nova 220, Nova 230, Nova 106, and moduNet300 also have disclosed security vulnerabilities that allow unauthorized visibility into sensitive information (CVE-2023-0053, CVSS score: 7.5) and remote code execution ( CVE-2023-0052) could be possible. , CVSS score: 9.8).
However, the Swiss-based automation company has no plans to release fixes for the identified issues as their product line is no longer supported.
Finally, the security agency detailed a cross-site scripting (XSS) flaw (CVE-2022-46823, CVSS score: 9.3) in the Siemens Mendix SAML device. This allows an attacker to trick a user into clicking a specially crafted button to obtain sensitive information. Link.
Update Mendix SAML to version 2.3.4 (Mendix 8), 3.3.8 (Mendix 9, upgrade track), or 3.3.9 (Mendix 9, new track) to enable multi-factor authentication and reduce potential risks. ) is recommended.
