
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued four Industrial Control Systems (ICS) advisories pointing to several security flaws affecting products from Siemens, GE Digital, and Contec.
The most severe issues were identified in Siemens SINEC INS: a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) and a command injection flaw (CVE-2022-2068, CVSS score: 9.8).
Siemens also patched an authentication bypass vulnerability in the llhttp parser (CVE-2022-35256, CVSS score: 9.8) and an out-of-bounds write bug in the OpenSSL library (CVE-2022-2274, CVSS score: 9.8) that can be exploited to trigger remote code execution.
The German automation company released Service Pack 2 Update 1 software in December 2022 to mitigate the flaw.
Separately, a serious flaw was also disclosed in GE Digital’s Proficy Historian solution that could lead to code execution regardless of authentication status. This issue, tracked as CVE-2022-46732 (CVSS score: 9.8), affects Proficy Historian versions 7.0 and above and is fixed in Proficy Historian 2023.
“Attackers can take advantage of this fact to bypass the historian’s authentication by impersonating a local service,” said Uri Katz, a security researcher at industrial security firm Claroty. “This would allow a remote attacker to log into any GE Proficy Historian server and force unauthorized actions.”
CISA also updated its ICS advisory published last month to detail a critical command injection vulnerability (CVE-2022-44456, CVSS score: 10.0) in Contec CONPROSYS HMI systems. This vulnerability could allow a remote attacker to send a specially crafted request to execute arbitrary commands.
This flaw was fixed by Contec in version 3.4.5, but the software was subsequently found to be vulnerable to four additional flaws that could lead to information disclosure and unauthorized access.
Users of CONPROSYS HMI systems are advised to update to version 3.5.0 or later, in addition to taking steps to minimize network exposure and to isolate such devices from business networks.
The advisory comes less than a week after CISA released 12 alerts warning of critical flaws affecting software from Sewio, InHand Networks, Sauter Controls and Siemens.