lconstantin, CSO Senior Writer

CISA warns of critical flaws in ICS and SCADA software from multiple vendors

News Analysis
Apr 07, 2023 | 4 mins
Critical Infrastructure, Vulnerabilities

Some of the vulnerabilities could allow attackers to access systems with ease. Patches are not available for all the flaws.

The US Cybersecurity and Infrastructure Security Agency (CISA) published seven advisories this week covering vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) software from multiple vendors. Some of the flaws are rated critical and two of them already have public exploits.

The impacted products include:

  • Scadaflex II controllers made by Industrial Control Links
  • Screen Creator Advance 2 and Kostac PLC programming software from JTEKT Electronics
  • Korenix JetWave industrial wireless access points and communications gateways
  • Hitachi Energy’s MicroSCADA System Data Manager SDM600
  • mySCADA myPRO software
  • Rockwell Automation’s FactoryTalk Diagnostics

ScadaFlex II series controllers are what’s known in the industry as packaged controllers, stand-alone systems that are built with custom software, processing power and I/O capabilities for controlling and monitoring other industrial processes. According to CISA, multiple versions of the software running on the SC-1 and SC-2 controllers are impacted by a critical vulnerability — CVE-2022-25359 with CVSS score 9.1 — that could allow unauthenticated attackers to overwrite, delete, or create files on the system.

The flaw can be exploited remotely and has a low attack complexity. Moreover, a public proof-of-concept exploit is available for it. No patch is available because the vendor is in the process of closing their business, so these systems are effectively end-of-life. Owners of these assets can take defensive measures such as restricting network access to them, not exposing them directly to the internet or business networks, placing them behind firewalls, and using secure VPNs for remote access if needed.

The Kostac PLC Programming Software is the engineering software that’s used to manage Kostac programming logic controllers (PLCs) made by Koyo Electronics, a subsidiary of JTEKT Group. The software works with Kostac SJ Series, DL05 and DL06 Series, DL205 Series, PZ Series, DL405 and SU Series, and the SS Series.

According to the CISA advisory, the software has three memory vulnerabilities with a CVSS severity score of 7.8 — CVE-2023-22419, CVE-2023-22421, and CVE-2023-22424. These flaws, two out-of-bounds memory reads and a use-after-free, can lead to information disclosure and arbitrary code execution when processing PLC programs or specifically crafted project files and comments. Versions 1.6.10.0 and later of the software include patches for these flaws and more general mitigations to prevent similar issues.

JTEKT also has a screen recording program called Screen Creator Advance 2 that has five out-of-bounds read flaws and a use-after-free, rated 7.8 on the CVSS scale. The vendor advises users to update to versions 0.1.1.4 Build01A and above.

Multiple models of Korenix JetWave industrial communications gateways are impacted by three vulnerabilities, two command injections and one uncontrolled resource consumption flaw, rated 8.8 on the CVSS scale. Exploitation of the command injection flaws — CVE-2023-23294 and CVE-2023-23295 — can give attackers full access to the operating system running on the devices, and exploitation of the resource consumption issue — CVE-2023-23296 — can result in a denial-of-service condition. The vendor released patched firmware versions for the impacted models.

The mySCADA myPRO HMI and SCADA software has five vulnerabilities through which attackers can execute arbitrary commands on the operating system. The flaws impact myPRO versions 8.26.0 and prior and are rated with 9.9 out of 10 on the CVSS scale as they are easy to exploit remotely and technical details about the vulnerabilities are already available on the internet. The myPRO system is popular in several fields including energy, food and agriculture, transportation systems, and water and wastewater systems. The vendor patched the issues in version 8.29.0.

The Hitachi MicroSCADA System Data Manager SDM600 is an industrial management tool for energy-related installations and has multiple vulnerabilities that allow unrestricted uploads of files with dangerous types, improper authorization of API usage, improper resource shutdown and improper privilege management. Exploitation of these vulnerabilities, which are also rated 9.9 on the CVSS scale, could allow a remote attacker to take control of the product.

Hitachi advises users of SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291) to update to v1.3.0.1339. The company also published additional workarounds and general defense recommendations that are included in the CISA advisory.

Rockwell Automation’s FactoryTalk Diagnostics software is a subsystem of the FactoryTalk Services Platform, a Windows software suite that accompanies Rockwell industrial products used in many industry sectors: food and agriculture, transportation systems, and water and wastewater systems. The software has a critical data deserialization vulnerability rated 9.8 on the CVSS scale that can allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM-level privileges. There’s no patch available yet, but Rockwell is working on an update to the software. In the meantime, the company has recommended several compensating controls and defensive steps.