1 Advisory Published – 11-15-22
Today, CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi. I also take another look at the OT:ICEFALL vulnerabilities and the remediations currently available.
Mitsubishi Advisory
This advisory discusses an OS command injection vulnerability in the Mitsubishi GT SoftGOT2000. This is a third-party (OpenSSL) vulnerability. Mitsubishi has a new version that mitigates the vulnerability.
OT:ICEFALL – Responses
Earlier this month I took a look at the NCCIC-ICS reporting status for the OT:ICEFALL vulnerabilities reported by Forescout. Today I would like to take a look at the measures reported by NCCIC-ICS to correct the vulnerabilities identified by Forescout. The table below looks at the vendor responses to the 38 CVE’s reported in NCCIC-ICS advisories.
The ‘New Version’ response includes each time a vendor has provided a new product version number for the vulnerability identified. There is no indication in any of the 18 NCCIC-ICS advisories that the researchers have been provided an opportunity to verify the efficacy of the fix. The “Mitigation Measures’ label is applied to any CVE where the vendor has provided one or more instructions to reduce or eliminate the potential effects of an exploit of the identified vulnerability; these range from ‘only operate on a secure network’ to instructions on how to disable the vulnerable service.
The advisory for the Omron SYSMAC CS/CJ/CP Series and NJ/NX Series reports that Omron plans to publish a new version of SYSMAC NJ/NX to fix CVE-2022-31206. That new version was ‘due’ in July 2022. NCCIC-ICS has not reported that that fix has occurred, nor can I find a notification on Omron web site.
The advisory for the Motorola Solutions ACE1000 recommends that operators “Upgrade to MOTOTRBO Capacity Max”. This suggestion is only made for CVE-2022-30274, not the four other reported vulnerabilities. I would think that implies that that product is also subject to the other four vulnerabilities being reported for the ACE1000.