CISA warns of vulnerabilities in industrial systems

CISA has published 8 advisories on industrial control systems (ICS), warning about critical flaws in products from Hitachi Energy, mySCADA Technologies, Industrial Control Links and Nexx.

Topping the list is CVE-2022-3682 (CVSS: 9.9), which affects Hitachi Energy's MicroSCADA System Data Manager SDM600 and can allow an attacker to gain remote control of the product.

The vulnerability stems from a flaw in file permission validation, which allows attackers to upload a specially crafted message to the system, leading to arbitrary code execution. Hitachi Energy released the SDM600 1.3.0.1339 update to fix the problem for SDM600 up to version 1.2 FP3 HF4 (build number 1.2.23000.291).

The advisories also describe 5 critical command injection vulnerabilities, CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169 and CVE-2023-29150 (CVSS: 9.9), in mySCADA myPRO version 8.26.0 and earlier.

“Successful exploitation of the flaws can allow an authenticated attacker to inject arbitrary operating system commands,” CISA warned, urging users to update to version 8.29.0 or higher.

Industrial Control Links ScadaFlex II SCADA controllers contain a critical security flaw, CVE-2022-25359 (CVSS: 9.1), which can allow an authenticated attacker to overwrite, delete or create files.

At the same time, Industrial Control Links reported that it is closing its business. The product can be considered obsolete, and further support for it may not be available. Users are advised to minimize network exposure, isolate control systems from business networks and place them behind firewalls to mitigate potential risks.

Rounding out the list are 5 flaws, including one critical bug, CVE-2023-1748 (CVSS: 9.3), affecting Nexx garage door controllers, smart plugs and smart alarms.
