Today CISA’s NCCIC-ICS published four control system security advisories for products from Schneider Electric, Rockwell Automation, Hitachi Energy, and ThreatQuotient. They also published a medical device security advisory for products from BD.
Schneider Advisory
This advisory describes an improper input validation vulnerability in the Schneider Modicon PLCs. The vulnerability was reported by Wooyeon Jo and Irfan Ahmed of Virginia Commonwealth University. Schneider provides generic mitigation measures pending development of a fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition and a loss of confidentiality and integrity in the controller.
NOTE: I briefly discussed this vulnerability on Saturday.
Rockwell Advisory
This advisory describes three vulnerabilities in the Rockwell PowerMonitor 1000 Remote products. The vulnerabilities were reported by Vera Mens of Claroty Research. Rockwell has a new firmware version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Unprotected alternate channel - CVE-2024-12371,
Heap-based buffer overflow - CVE-2024-12372, and
Classic buffer overflow - CVE-2024-12373.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to perform edit operations, create admin users, perform a factory reset, execute arbitrary code, or cause a denial-of-service condition.
Hitachi Energy Advisory
This advisory discusses an improper input validation vulnerability in the Hitachi Energy TropOS devices. This is a third-party (NTP) vulnerability. Hitachi Energy has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.
NOTE: I briefly discussed this vulnerability in this product on February 3rd, 2024. NCCIC-ICS previously reported the underlying vulnerability (ICSA-14-051-04) on September 6th, 2018.
ThreatQuotient Advisory
This advisory describes a command injection vulnerability in the ThreatQuotient ThreatQ Platform. Dawid Golak reported this vulnerability to CISA. ThreatQuotient has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to achieve remote code execution.
BD Advisory
This advisory describes a use of default credentials vulnerability in multiple BD Diagnostic Solutions products. The vulnerability is self-reported. CISA reports that: “BD has already communicated to users with affected products and is working with them to update default credentials [emphasis added] on affected products.”
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability by using the default credentials to access, modify, or delete sensitive data, which could impact the availability of the system or cause a system shutdown. The BD advisory reports that: “A threat actor would have to compromise your local network and, in some cases, may also need to be physically present at the instrument in order to use these product service credentials.”
NOTE: Apparently BD is continuing to use default credentials for their maintenance personnel to access the devices; they are simply changing the current default credential, probably because the previous credential was compromised. The advisory description above provides the justification for the continued use of default credentials.