The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec.
The most critical of the issues were identified in Siemens SINEC INS and could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) and command injection (CVE-2022-2068, CVSS score: 9.8).
Also patched by Siemens is an authentication bypass vulnerability in the llhttp parser (CVE-2022-35256, CVSS score: 9.8) as well as an out-of-bounds write bug in the OpenSSL library (CVE-2022-2274, CVSS score: 9.8) that could be exploited to trigger remote code execution.
The German automation company, in December 2022, released Service Pack 2 Update 1 software to mitigate the flaws.
Separately, a critical flaw has also been disclosed in GE Digital's Proficy Historian solution that could result in code execution regardless of authentication status. The issue, tracked as CVE-2022-46732 (CVSS score: 9.8), impacts Proficy Historian versions 7.0 and higher, and has been remediated in Proficy Historian 2023.
"An attacker can take advantage of this fact and bypass the historian authentication by impersonating a local service," Uri Katz, security researcher at industrial security firm Claroty, said. "This allows remote attackers the ability to log in to any GE Proficy Historian server and force it to perform unauthorized actions."
CISA also updated an ICS advisory that was published last month, detailing a critical command injection vulnerability in Contec CONPROSYS HMI System (CVE-2022-44456, CVSS score: 10.0) that could enable a remote attacker to send specially crafted requests to execute arbitrary commands.
While this shortcoming was patched by Contec in version 3.4.5, the software has since been found to be vulnerable to four more defects that could lead to information disclosure and unauthorized access.
Users of CONPROSYS HMI System are recommended to update to version 3.5.0 or later, in addition to taking steps to minimize network exposure and isolate such devices from business networks.
The advisories come less than a week after CISA released 12 such alerts warning of critical flaws impacting software from Sewio, InHand Networks, Sauter Controls, and Siemens.