CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
Nearly 60 holes found affecting 'more than 30,000' machines worldwide
Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers.
Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries.
The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.
Forescout's Vedere Labs said it discovered the bugs in devices built by ten vendors in use across the security company's customer base, and collectively named them OT:ICEFALL. According to the researchers, the vulnerabilities affect at least 324 organizations globally – and in reality this number is probably much larger since Forescout only has visibility into its own customers' OT devices.
In addition to the previously named manufacturers, the researchers said they found flaws in products from Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa.
So far today, the US government's Cybersecurity and Infrastructure Security Agency (CISA) has issued these advisories for various critical and high-severity flaws in some of the equipment, with exploitation outcomes:
- Phoenix Contact Classic Line Industrial Controllers – change configurations, manipulate services, or cause a denial-of-service
- Phoenix Contact Classic Line Controllers – upload logic with arbitrary code
- Phoenix Contact ProConOS and MULTIPROG – upload arbitrary malicious code after gaining access to communications
- Siemens WinCC OA – impersonate other users or exploit the client-server protocol without being authenticated
- JTEKT TOYOPUC – denial-of-service condition, change control logic, or disable communication links
Most of the 56 flaws reported by Vedere Labs occur in level 1 and level 2 OT devices. Level 1 devices – such as programmable logic controllers (PLCs) and remote terminal units (RTUs) – control physical processes, while level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.
In addition to the near three-score bugs detailed today in a public report by Vedere, the threat-hunting team discovered four others that are still under wraps due to responsible disclosure. One of the four allows credentials to be compromised, two allow an attacker to manipulate OT systems' firmware, and the final one is an RCE via memory write flaw.
Many of these holes are a result of OT products' so-called "insecure-by-design" construction, Forescout's head of security research Daniel dos Santos told The Register. Several OT devices don't include basic security controls, which makes them easier for attackers to exploit, he explained.
Forescout's analysis comes ten years after Digital Bond's Project Basecamp that also looked at OT devices and protocols, and deemed them "insecure by design."
Since that earlier analysis, "there have been real-world real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in the Ukraine in 2016, or Triton in the Middle East in 2017," dos Santos said.
In fact, some of the vulnerabilities detailed by Forescout have already been targeted to compromise industrial control systems. This includes CVE-2022-31206 – an RCE affecting Omron NJ/NX controllers, targeted by Incontroller, a suspected state-sponsored malware tool.
"One instance of insecure-by-design is unauthenticated protocols," dos Santos said. "So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password."
The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022-29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. Most of these can be exploited to download and run firmware and logic on someone else's equipment, thus leading to RCEs, or shutdowns and reboots, which can cause denial of service conditions. Ideally, machines using these protocols are not connected to computers and other systems in a way that would allow a network intruder to exploit them.
Credential compromise is the most common
Vedere Labs counted five of the flaws more than once because they have multiple potential impacts.
More than a third of the 56 flaws (38 percent) can be abused to compromise user login credentials, while 21 percent, if exploited, could allow a miscreant to manipulate the firmware, and 14 percent are RCEs. In terms of the other vulnerability types, denial of service and configuration manipulation account for eight percent, authentication bypass vulns make up six percent, file manipulation comes in at three percent, and logic manipulation at two percent.
The researchers noted that patching these security issues won't be easy – either because they are the result of OT products being insecure by design, or because they require changes in device firmware and supported protocols. "Realistically, that process will take a very long time," they wrote.
Because of this, they did not disclose all of the technical details for the buggy OT devices – hence the lack of depth here. They did, however, suggest that customers follow each vendor's security advisories – due out today or soon – for more details. Additionally, the security shop recommends isolating OT and industrial control systems' networks from corporate networks and the internet when possible.
This story was updated to include links to CISA's advisories today.