Recently, the CISA issued multiple advisories to warn industrial organizations about new vulnerabilities affecting various products from mySCADA Technologies, Nexx, and Hitachi Energy, among others.
Flaws affecting Hitachi Energy
- CVE-2022-3682, a highly severe flaw affects Hitachi Energy’s MicroSCADA System Data Manager SDM600. The flaw has a CVSS score of 9.9 and can allow attackers to take remote control of the devices.
- Another set of five critical vulnerabilities affecting Hitachi Energy’s MicroSCADA System Data Manager SDM600 was identified.
- These flaws—CVE-2022-3682, CVE-2022-3683, CVE-2022-3684, CVE-2022-3685, and CVE-2022-3686—are related to improper upload of files, authorization, resources shutdown, and privilege management.
- All these flaws affect versions prior to v1.2 FP3 HF4 and v1.3.0 of MicroSCADA System Data Manager SDM600.
Flaws affecting mySCADA Technologies
- A total of five flaws have been found affecting myPRO HMI/SCADA systems.
- They are tracked as CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169, and CVE-2023-29150.
- These flaws affect versions prior to 8.26.0 of myPRO from SCADA and can allow attackers to launch command injection attacks.
Flaws affecting Nexx
- The five flaws affecting Nexx devices are tracked CVE-2023-1748, CVE-2023-1749, CVE-2023-1750, CVE-2023-1751, and CVE-2023-1752.
- They affect multiple versions of the Garage Door Controller, Smart Plug, and Smart Alarm from Nexx Smart Home Device.
- Successful exploitation of these vulnerabilities can allow an attacker to receive sensitive information, execute API requests, or hijack devices.
Other flaws that need a patch
- Multiple versions of Korenix Jetwave are impacted by flaws tracked as CVE-2023-23294, CVE-2023-23295, and CVE-2023-23296.
- Attackers can exploit these vulnerabilities to gain full access to the underlying operating system or cause a DoS condition.
- JTEKT ELECTRONICS is affected by multiple out-of-bound read flaws that can allow attackers to disclose information or execute arbitrary code.
- The flaws are CVE-2023-22345, CVE-2023-22346, CVE-2023-22347, CVE-2023-22349, CVE-2023-22350, CVE-2023-22353. The remaining use-after-free flaw is tracked as CVE-2023-22360.
- ScadaFlex II SCADA Controllers from Industrial Links are impacted by a flaw (CVE-2022-25359) that can allow attackers to overwrite, delete, or create files.
- Rockwell Automation's FactoryTalk Diagnostic is affected by a critical data deserialization vulnerability that allows a remote attacker to execute arbitrary code with SYSTEM level privileges.
Conclusion
Respective vendors have issued security patches to address the flaws. Organizations using vulnerable products can fix the issues by following the recommended security measures and updating the products to the latest versions.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0671_shutterstock_626272727.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/dc08_shutterstock_2190600601.jpg)
