Wednesday, January 18, 2023

CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems


Jan 18, 2023 | Ravie Lakshmanan | ICS/SCADA Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec.

The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) and command injection (CVE-2022-2068, CVSS score: 9.8).

Also patched by Siemens is an authentication bypass vulnerability in llhttp parser (CVE-2022-35256, CVSS score: 9.8) as well as an out-of-bounds write bug in the OpenSSL library (CVE-2022-2274, CVSS score: 9.8) that could be exploited to trigger remote code execution.

The German automation company, in December 2022, released Service Pack 2 Update 1 software to mitigate the issues.

Separately, a critical flaw has also been revealed in GE Digital’s Proficy Historian solution that could result in code execution regardless of authentication status. The issue, tracked as CVE-2022-46732 (CVSS score: 9.8), impacts Proficy Historian versions 7.0 and higher, and has been remediated in Proficy Historian 2023.

“An attacker can take advantage of this fact and bypass the historian authentication by impersonating a local service,” Uri Katz, security researcher at industrial security firm Claroty, said. “This allows remote attackers the ability to log in to any GE Proficy Historian server and force it to perform unauthorized actions.”

CISA also updated an ICS advisory that was published last month, detailing a critical command injection vulnerability in Contec CONPROSYS HMI System (CVE-2022-44456, CVSS score: 10.0) that could allow a remote attacker to send specially crafted requests to execute arbitrary commands.

While this shortcoming was patched by Contec in version 3.4.5, the software has since been found to be vulnerable to four additional flaws that could lead to information disclosure and unauthorized access.

Users of CONPROSYS HMI System are recommended to update to version 3.5.0 or later, in addition to taking steps to minimize network exposure and isolate such devices from business networks.

The advisories come less than a week after CISA released 12 such alerts warning of critical flaws impacting software from Sewio, InHand Networks, Sauter Controls, and Siemens.
