CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure

Nearly 60 holes found affecting 'more than 30,000' machines worldwide


Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

Forescout's Vedere Labs said it discovered the bugs in devices built by ten vendors in use across the security company's customer base, and collectively named them OT:ICEFALL. According to the researchers, the vulnerabilities affect at least 324 organizations globally – and in reality this number is probably much larger since Forescout only has visibility into its own customers' OT devices.

In addition to the previously named manufacturers, the researchers said they found flaws in products from Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa.

So far today, the US government's Cybersecurity and Infrastructure Security Agency (CISA) has issued these advisories for various critical and high-severity flaws in some of the equipment, with exploitation outcomes:

Most of the 56 flaws reported by Vedere Labs occur in level 1 and level 2 OT devices. Level 1 devices – such as programmable logic controllers (PLCs) and remote terminal units (RTUs) – control physical processes, while level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems. 

In addition to the near three-score bugs detailed today in a public report by Vedere, the threat-hunting team discovered four others that are still under wraps due to responsible disclosure. One of the four allows credentials to be compromised, two allow an attacker to manipulate OT systems' firmware, and the final one is an RCE via memory write flaw.

Many of these holes are a result of OT products' so-called "insecure-by-design" construction, Forescout's head of security research Daniel dos Santos told The Register. Several OT devices don't include basic security controls, which makes them easier for attackers to exploit, he explained. 

Forescout's analysis comes ten years after Digital Bond's Project Basecamp that also looked at OT devices and protocols, and deemed them "insecure by design."

Since that earlier analysis, "there have been real-word real incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in the Ukraine in 2016, or Triton in the Middle East in 2017," dos Santos said.

In fact, some of the vulnerabilities detailed by Forescout have already been targeted to compromise industrial control systems. This includes CVE-2022-31206 – an RCE affecting Omron NJ/ NX controllers, targeted by Incontroller, a suspected state-sponsored malware tool.

"One instance of insecure-by-design is unauthenticated protocols," dos Santos said. "So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password."

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022- 29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276. Most of these can be exploited to download and run firmware and logic on someone else's equipment, thus leading to RCEs, or shutdowns and reboots, which can cause denial of service conditions. Ideally, machines using these protocols are not connected to computers and other systems in a way that would allow a network intruder to exploit them.

Credential compromise is the most common

Vedere Labs counted five of the flaws more than once because they have multiple potential impacts.

More than a third of the 56 flaws (38 percent) can be abused to compromise user login credentials, while 21 percent, if exploited, could allow a miscreant to manipulate the firmware, and 14 percent are RCEs. In terms of the other vulnerability types, denial of service and configuration manipulation account for eight percent, authentication bypass vulns make up six percent, file manipulation comes in at three percent, and logic manipulation at two percent.

The researchers noted that patching these security issues won't be easy – either because they are the result of OT products being insecure by design, or because they require changes in device firmware and supported protocols. "Realistically, that process will take a very long time," they wrote.

Because of this, they did not disclose all of the technical details for the buggy OT devices – hence the lack of depth here. They did, however, suggest that customers follow each vendor's security advisories – due out today or soon – for more details. Additionally, the security shop recommends isolating OT and industrial control systems' networks from corporate networks and the internet when possible.

More information can be found in Vedere's report and advisories from CISA's ICS-CERT. ®

Update

This story was updated to include links to CISA's advisories today.


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading

Biting the hand that feeds IT © 1998–2022