CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published eight Industrial Control Systems (ICS) advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.
Topping the list is CVE-2022-3682 (CVSS score: 9.9), impacting Hitachi Energy’s MicroSCADA System Data Manager SDM600 that could allow an attacker to take remote control of the product.
The flaw stems from an issue with file permission validation, thereby permitting an adversary to upload a specially crafted message to the system, leading to arbitrary code execution.
Hitachi Energy has released SDM600 184.108.40.2069 to mitigate the issue for SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr. 1.2.23000.291).
Another set of five critical vulnerabilities – CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169, and CVE-2023-29150 (CVSS scores: 9.9) – relate to command injection bugs present in mySCADA myPRO versions 8.26.0 and prior.
“Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands,” CISA warned, urging users to update to version 8.29.0 or higher.
A critical security bug has also been disclosed in Industrial Control Links ScadaFlex II SCADA Controllers (CVE-2022-25359, CVSS score: 9.1) that could allow an authenticated attacker to overwrite, delete, or create files.
“Industrial Control Links has relayed that they are closing their business,” the agency said. “This product may be considered end-of-life; continued support for this product may be unavailable.”
Users are recommended to minimize network exposure, isolate control system networks from business networks, and place them behind firewalls to address potential risks.
Rounding off the list are five shortcomings, including one critical bug (CVE-2023-1748, CVSS score: 9.3), impacting garage door controllers, smart plugs, and smart alarms sold by Nexx.
The vulnerabilities that could enable threat actors to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms, according to security researcher Sam Sabetan, who discovered and reported the issues.
The following versions of Nexx smart home devices are affected –
- Nexx Garage Door Controller (NXG-100B, NXG-200) – Version nxg200v-p3-4-1 and prior
- Nexx Smart Plug (NXPG-100W) – Version nxpg100cv4-0-0 and prior
- Nexx Smart Alarm (NXAL-100) – Version nxal100v-p1-9-1and prior
“Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices,” CISA said.