Hackers threaten not only ordinary computers but also industrial equipment. Attacks against such professional devices are less talked about, even though the damage caused can be huge in these cases as well.
The US Cybersecurity and Infrastructure Security Agency (CISA) published four industrial control systems (ICS) advisories in which it drew attention to several security flaws affecting Siemens, GE Digital and Contec products, The Hacker News reports.
The most critical issues were identified in Siemens’ SINEC INS system, which could lead to remote code execution via a path traversal (CVE-2022-45092, CVSS score: 9.9) and a command injection (CVE-2022-2068, CVSS score: 9.8) flaw. Siemens also fixed an authentication bypass vulnerability in the llhttp parser (CVE-2022-35256, CVSS score: 9.8) and an out-of-bounds write flaw in the OpenSSL library (CVE-2022-2274, CVSS score: 9.8) that could be exploited for remote code execution. The German automation company released Service Pack 2 Update 1 in December 2022 to fix the bugs.
Separately, a critical flaw was also discovered in GE Digital’s Proficy Historian solution that could result in code execution regardless of authentication status. Tracked as CVE-2022-46732 (CVSS score: 9.8), the bug affects Proficy Historian versions 7.0 and later and has already been fixed in Proficy Historian version 2023.
“An attacker can exploit this fact and bypass Historian authentication by pretending to be a local service. This allows remote attackers to log into any GE Proficy Historian server and force it to perform unauthorized operations,” said Uri Katz, a security researcher at industrial security company Claroty.
CISA also updated its ICS advisory published last month, which details a critical vulnerability (CVE-2022-44456, CVSS score: 10.0) in the Contec CONPROSYS HMI system that could allow a remote attacker to send specially crafted requests to run arbitrary commands. Although this flaw was fixed by Contec in version 3.4.5, the software has since been found to be vulnerable to four additional bugs that could lead to information disclosure and unauthorized access.
Users of the CONPROSYS HMI System are advised to upgrade to version 3.5.0 or later and to take steps to minimize network exposure and isolate such devices from business networks.
The warnings come less than a week after CISA issued 12 similar warnings about critical flaws in software from Sewio, InHand Networks, Sauter Controls and Siemens.