close
close

CISA warns of critical software vulnerabilities in industrial devices

CISA warns of critical software vulnerabilities in industrial devices

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged manufacturing companies to implement measures after one Rockwell Automation and several Mitsubishi systems were found to be vulnerable to cyber attacks.

In a new security advisory for Industrial Control Systems (ICS) published on October 31, CISA shared details on four sets of recently discovered vulnerabilities affecting ICS systems:

  • Rockwell Automation FactoryTalk ThinManager
  • Mitsubishi Electric FA engineering software products
  • Mitsubishi Electric Multiple FA engineering software products
  • Mitsubishi Electric MELSEC iQ-R series/iQ-F series

The vulnerabilities affecting Rockwell Automation FactoryTalk ThinManager, CVE-2024-10386 and CVE-2024-10387, are missing authentication for critical functions and an out-of-bounds read error, respectively. Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device, potentially resulting in database manipulation or a denial of service condition.

These critical vulnerabilities (CVSS scores of 9.3 and 8.7) can be exploited remotely and require low attack complexity.

The largest vulnerability affecting Mitsubishi Electric FA Engineering Software Products, CVE-2023-6943, has a CVSS score of 9.8.

It would allow an attacker to execute malicious code by remotely calling a function with a path to a malicious library while connected to the products. As a result, unauthorized users may disclose, tamper with, destroy or delete product information, or cause a denial-of-service (DoS) condition on the products.

The largest vulnerability affecting Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series, CVE-2023-2060, has a CVSS score of 8.7.

This authentication bypass vulnerability in an FTP function on an EtherNet/IP module is due to weak password requirements. This could allow an unauthenticated attacker to remotely access the module via FTP through a dictionary attack or password sniffing.

The advisory also includes other vulnerabilities with lower severity scores.

CISA mitigation recommendations

Rockwell Automation and Mitsubishi shared specific recommendations to limit the exploitation of all these vulnerabilities. These can be found in the advice from CISA.

CISA also recommended that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. These include:

  • Minimizing network exposure for all operating systems and/or systems, and ensuring they are not accessible from the Internet
  • Locating operating system networks and external devices behind firewalls and isolating them from corporate networks
  • When remote access is required, using more secure methods such as virtual private networks (VPNs), identifying VPNs may have vulnerabilities and should be updated to the latest version available