On April 6, 2023, CISA (Cybersecurity and Infrastructure Security Agency, the American counterpart of Anssi) published seven advisories concerning weaknesses in ICS and SCADA systems from several vendors. Some of these are considered critical and two of them have already been publicly exploited.
The most problematic are probably those affecting Industrial Control Links’ ScadaFlex series SCADA controllers. These flaws have a CVSS (Common Vulnerability Scoring System) score of 9.1 out of 10: they could allow an unauthenticated attacker to overwrite, delete, or create files remotely.
CISA also points out the low complexity of such an attack. At least one exploit of these vulnerabilities has already been made public. What’s worse, no patch is available because the vendor, Industrial Control Links, is closing down. However, the US authorities are proposing mitigating measures.
Also of concern: a critical data deserialization flaw, with a CVSS score of 9.8, affects Rockwell Automation’s FactoryTalk software. It allows an unauthenticated remote attacker to execute code with system-level privileges. No patch is currently available, but Rockwell is working on a software update.
In the meantime, the company has recommended several workarounds and defensive measures. The FactoryTalk suite powers Rockwell’s industrial equipment in food and beverage, transportation, and water management.
CISA also reports several high severity flaws (CVSS score between 9.8 and 9.9), but fixed in more recent versions of the software. They affect:
- versions 8.26.0 and earlier of the mySCADA myPRO software, which is used in the energy, food, transportation and water management industries;
- Hitachi MicroSCADA System Data Manager SDM600 software versions 1.2 FP3 HF4 and earlier, specializing in energy installations.
The warning also indicates flaws of lesser severity (from 7.8 to 8.8), which have been patched. They concern:
- Kostac PLC programming software from Koyo Electronics, a subsidiary of the JTEKT group;
- JTEKT Screen Creator Advance 2 screen recording program;
- Several models of Korenix JetWave industrial communication gateways.