© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

CISA alerts of Siemens, GE Digital, and Contec flaws in ICSs

US cybersecurity watchdog published several advisories, informing security flaws impacting Industrial Control Systems (ICSs) via Siemens, GE, and Contec products.

The US Cybersecurity and Infrastructure Security Agency (CISA) published several advisories warning of critical vulnerabilities that affect ICSs.

ICS is used to manage instrumentation tasks efficiently in almost all industries and critical infrastructure such as transportation, energy, water treatment, and manufacturing.

According to CISA, Siemens faces the most severe issues as one of the flaws (CVE-2022-45092), an arbitrary code execution bug, was awarded the score of 9.9, indicating the vulnerability is critical.

“An authenticated remote attacker with access to the affected product’s web-based management (443/TCP) could potentially read and write arbitrary files to and from the device’s file system. An attacker could leverage this to trigger remote code execution on the affected component,” CISA said.

Another patched bug affecting Siemens systems, an OS command injection vulnerability tracked as CVE-2022-2068, received a CVSS score of 9.8. The vulnerability allowed an attacker to execute arbitrary commands.

The German manufacturing giant patched several other vulnerabilities, such as an RSA implementation flaw (CVE-2022-2274, CVSS score 9.8) and an authentication bypass flaw CVE-2022-35256, CVSS score 9.8).

CISA also said that exploitation of GE Digital’s Proficy Historian product flaws could crash the device, cause a buffer overflow condition and allow remote code execution (RCE).

One of the bugs (CVE-2022-46732, CVSS score 9.8), an authentication bypass flaw, allowed executing commands regardless of authentication status.

Meanwhile, a flaw (CVE-2022-44456. CVSS score 10.0) affecting Contec’s CONPROSYS HMI System could have allowed attackers to execute commands on the device’s server.

“CONPROSYS HMI System versions 3.4.4 and prior are vulnerable to an OS Command Injection, which could allow an unauthenticated, remote attacker to send specially crafted requests that could execute commands on the server,” CISA said.

The set of CISA’s advisories also included Mitsubishi Electric, however, none of the flaws impacting the Japanese manufacturer crossed into ‘critical flaw’ territory.

ICS flaws can result in major disruptions for companies and entire nations. For example, US authorities discovered a new strain of malware that targets ICSs. Dubbed INCONTROLLER, the malware abuses known vulnerabilities and can inflict severe damage on the infrastructure it’s unleashed upon.

More from Cybernews:

Twitter OK's blue checks for Taliban

HR platform’s data leak turns into privacy nightmare for employees

Gas app sold to Discord

Nissan data breach exposed client’s full names and dates of birth

NIST to launch AI guidelines amid ChatGPT fears

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked