The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a handful of alerts to address vulnerabilities in industrial control appliances and security cameras.
The U.S. cybersecurity authority said that a number of devices, including those from Siemens, Aveva, and PTZOptics, could be vulnerable to various forms of remote attack and should be updated as soon as possible.
The vulnerabilities range from simple flaws such as hard-coded known credentials to command injection flaws and race conditions that could potentially allow for malicious code execution.
In the case of Siemens, CISA issued six advisories for various issues in its industrial control systems’ hardware and firmware. Affected products include Tecnomatix Plant Simulation, RUGGEDCOM, SCALANCE, SIMATIC S7-1500 CPUs, and Siemens Energy Services.
The SIMATIC CPU advisory is particularly ugly, containing a laundry list of security flaws and exposures in the platform and its firmware.
The issues cited by CISA include “Missing Encryption of Sensitive Data, Out-of-bounds Read, Use After Free, Stack-based Buffer Overflow, Incorrect Provision of Specified Functionality, Out-of-bounds Write, Incorrect Calculation of Buffer Size, and Heap-based Buffer Overflow,” among multiple other security vulnerabilities.
The flaws affect versions 3.1.5 and prior of the S7-1500 CPU. Administrators are advised to update as soon as possible to avoid possible attack.
Meanwhile, CISA said that a number of pan-tilt-zoom cameras operating under the brand names ValueHD, PTZOptics, multiCAM Systems and SMTAV contain a common set of vulnerabilities that could allow threat actors to remotely access and take control of them.
The flaws include a command-injection vulnerability, use of known hard-coded credentials, and improper authentication.
“Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded credentials,” CISA warned.
Attacking camera vulnerabilities has become something of a pattern lately. Last week, researchers warned that some 40,000 internet-connected surveillance cameras are prone to remote takeover attacks due to improper configurations and common security vulnerabilities.
The final set of advisories was reserved for products from the Aveva PI industrial control system line. The patched flaws include buffer overflows, cross-site scripting on the Aveva PI API, and improper validation.
“Successful exploitation of these vulnerabilities could allow an attacker to persist arbitrary code in the administrative portal of the product or cause a denial-of-service condition,” CISA warned.
While a denial-of-service attack is not considered a worst-case scenario for software and service applications, in the context of a vital industrial control system it would mean disaster, as taking ICS hardware offline could essentially cripple operational technology (OT) networks and factory floors.
Administrators would be well advised to review the CISA advisories and apply all necessary updates.