CISA added Twelve Industrial Control Systems Advisories affecting Major Manufacturers


CISA (Cybersecurity & Infrastructure Security Agency) released many advisories related to Industrial Control Systems affecting many manufacturers including Sewio, Ronds,  InHand, Panasonic, Siemens, and Philips.

Lets have a quick look of affetectd product line

Sewio’s RTLS Studio version 2.0.0 up to and including version 2.6.2 

Successful exploitation of these vulnerabilities could allow an attacker to obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code.

CVE-2022-45444, CVE-2022-47911, CVE-2022-43483, CVE-2022-41989, CVE-2022-45127, CVE-2022-47395, CVE-2022-47917, CVE-2022-46733, CVE-2022-43455 has been assigned to this vulnerability.


RONDS Equipment Predictive Maintenance Solution v1.19.5
Successful exploitation of these vulnerabilities could allow an unauthorized user to leak login credentials and download files. In some circumstances, an unauthorized user can use login credentials to achieve remote code execution.
CVE-2022-3091, CVE-2022-2893 has been assigned to this vulnerability.
 

InHand Networks InRouter 302: All versions prior to IR302 V3.5.56 and InHand Networks InRouter 615: All versions prior to InRouter6XX-S-V2.3.0.r5542
Successful exploitation of these vulnerabilities could allow a message queuing telemetry transport (MQTT) command injection, unauthorized disclosure of sensitive device information, and remote code execution. If properly chained, these vulnerabilities could result in an unauthorized remote user fully compromising every cloud-managed InHand Networks device reachable by the cloud.
CVE-2023-22597, CVE-2023-22598, CVE-2023-22599, CVE-2023-22600, CVE-2023-22601 has been assigned to this vulnerability.


Panasonic Sanyo CCTV Network Camera VCC-HD5600P version 2.03-06, VDC-HD3300P version 2.03-08, VDC-HD3300P version 1.02-05, VCC-HD3300 version 2.03-02, VDC-HD3100P version 2.03-00, VCC-HD2100P version 2.03-02
Successful exploitation of this vulnerability could allow attackers to perform actions via HTTP without validity checks.
CVE-2022-4621 has been assigned to this vulnerability.


SAUTER Controls Nova 220 , Nova 230, Nova 106, moduNet300
Successful exploitation of these vulnerabilities could allow unauthorized visibility to sensitive information and remote code execution.
CVE-2023-0052, CVE-2023-0053 has been assigned to this vulnerability.


Johnson Controls Metasys ADS/ADX/OAS Version 10.X: All versions prior to 10.1.6  and Metasys ADS/ADX/OAS Version 11.X: All versions prior to 11.0.3
Successful exploitation of this vulnerability could result in exposed credentials in plain text to unauthenticated users.
CVE-2021-36204 has been assigned to this vulnerability.


Hitachi Energy Lumada APM – SaaS: Versions 6.0.0.0 to 6.4.220601.0 and Lumada APM – On Premises: Versions 6.0.0.0.0 to 6.4.0
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to any Power BI reports installed or manipulate asset issue comments on assets.
CVE-2022-2155 has been assigned to this vulnerability.


Siemens S7-1500 CPU devices, Siemens Mendix SAML Module, Siemens Automation License Manager and Siemens Solid Edge before V2023 MP1
Successful exploitation of this vulnerability could allow an attacker with physical access to the device to replace the boot image of the device and execute arbitrary code, gain sensitive information by tricking users into accessing a malicious link, modify and rename license files, extract licenses, and overwrite arbitrary files on the target system, potentially leading to privilege escalation and remote code execution, execute code while parsing files in different formats.
CVE-2022-38773, CVE-2022-46823, CVE-2022-43513, CVE-2022-43514, CVE-2022-47967 has been assigned to this vulnerability.


Philips Patient Information Center iX (PIC iX) and Efficia CM Series (Update A)
Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and create a denial of service resulting in temporary interruption of viewing physiological data at the central station. Exploitation does not enable modification or change to point-of-care devices.
CVE-2021-43548, CVE-2021-43552, CVE-2021-43550 has been assigned to this vulnerability.

No comments:

Schneider Electric Confirms Data Theft in Developer Platform Hack

  Schneider Electric, a leading French multinational in energy and automation solutions, has confirmed that a cybersecurity incident involvi...