CISA warns of holes in industrial Advantech and Hitachi kit • The Register

This week, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) expanded its ever-growing list of vulnerabilities in industrial control systems (ICS) and critical infrastructure technology.

The latest warnings point to serious deficiencies in products from Advantech and Hitachi Energy that serve both consumer and commercial markets.

The twin alerts include warnings about vulnerabilities in Advantech’s R-SeeNet that could be exploited by remote attackers to take control of this industrial network router monitoring software or delete PDF files from the system.

Two of the vulnerabilities – tracked as CVE-2022-3386 and CVE-2022-3385, with a severity of 9.8 out of 10 – are stack-based buffer overflow bugs in version 2.4.17 and earlier of the R-SeeNet software. Both vulnerabilities would “allow an unauthorized attacker [to] use an oversized filename to overflow the stack buffer and allow remote code execution,” the advisory reads.

The third bug is a path traversal flaw affecting version 2.4.19 of the software that would allow an attacker to exploit vulnerable PHP code to delete PDF files.

Devices running R-SeeNet software are used in industries such as manufacturing, power, water and wastewater, according to CISA.

Advantech recommends that organizations update their R-SeeNet software to version 2.4.21 or later, while CISA recommends minimizing the appliances’ exposure to the public internet, as with all control system devices. Local control system networks and remote devices should be housed behind firewalls and isolated from corporate networks. When remote access is required, organizations should use VPNs and other security controls.

The advisory regarding Hitachi Energy’s Transformer Asset Performance Management (APM) Edge appliances is an update of a December 2, 2021 alert about 29 bugs affecting versions 1.0, 2.0 and 3.0. The local software is used to manage electrical transformers.

“Hitachi Energy is aware of public reports of this vulnerability in the following open source software components: OpenSSL, LibSSL, libxml2 and GRUB2 bootloader,” CISA wrote in its alert. “The vulnerability also affects some APM Edge products. An attacker who successfully exploited this vulnerability could result in the product becoming inaccessible.”

The vendor advises organizations to upgrade to version 4.0, which includes updates to the vulnerable components that address the issue. Hitachi Energy also provides a deeper dive into the deficiencies and how to fix them.

CISA has been vocal about the cyber threats to ICS and other critical devices. It has warned that cyber crews are targeting such environments, as demonstrated by the attacks on Colonial Pipeline and JBS Foods last year.

CISA and other US federal agencies — including the FBI, Department of Energy and NSA — warned in April that snoopers were developing custom tools specifically aimed at gaining control of ICS and SCADA (Supervisory Control and Data Acquisition) devices.

The Advantech and Hitachi Energy alerts come a week after CISA issued advisories regarding vulnerabilities in 25 ICS products from Siemens, Hitachi and Mitsubishi Electric, and a month after similar alerts on eight such systems.

So many vulnerabilities

In a report released earlier this year, SynSaber, an operational technology (OT) cybersecurity and asset surveillance company, said that CISA confirmed 681 CVE-attributed security bugs in the first half of 2022. The company divided the CVEs into a number of categories – from those that can be patched with software to those that can’t be fixed without changing protocols or replacing systems.

It found that 13 percent of the vulnerabilities had no patches or mitigations available, and another 34 percent required firmware updates. It warned that 40.7 percent of bugs are urgent and should be prioritized. Another 50.7 percent required a more complex fix — like firmware updates that address a large number of devices in the field — but still required urgent attention.

“You can’t just fix a vulnerability in a protocol or upgrade an entire SCADA environment,” the report’s authors write. “Organizations may be dealing with these CVEs for a long time, and other compensating controls will likely be required.”

“The volume of CVEs reported through CISA ICS Advisories and other entities is unlikely to decrease. It is important for asset owners and those defending critical infrastructure to understand when remedial actions are available and how those remedial actions should be implemented and prioritized,” they added. ®

Rick Schindler
