The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a number of Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens.
The most severe of the flaws relate to Sewio’s RTLS Studio, which could be exploited by an attacker to “get hold of unauthorized entry to the server, alter info, create a denial-of-service situation, acquire escalated privileges, and execute arbitrary code,” according to CISA.
This includes CVE-2022-45444 (CVSS score: 10.0), a case of hard-coded passwords for select users in the application’s database that potentially grant remote adversaries unrestricted access.
Also notable are two command injection flaws (CVE-2022-47911 and CVE-2022-43483, CVSS scores: 9.1) and an out-of-bounds write vulnerability (CVE-2022-41989, CVSS score: 9.1) that could result in a denial-of-service condition or code execution.
The vulnerabilities affect RTLS Studio version 2.0.0 up to and including version 2.6.2. Users are advised to update to version 3.0.0 or later.
CISA, in a second alert, highlighted a set of five security defects in InHand Networks InRouter 302 and InRouter 615, including CVE-2023-22600 (CVSS score: 10.0), that could lead to command injection, information disclosure, and code execution.
“If correctly chained, these vulnerabilities may end in an unauthorized distant consumer totally compromising each cloud-managed InHand Networks gadget reachable by the cloud,” the agency said.
All firmware versions of InRouter 302 prior to IR302 V3.5.56 and InRouter 615 before InRouter6XX-S-V2.3.0.r5542 are susceptible to the bugs.
Security vulnerabilities have also been disclosed in Sauter Controls Nova 220, Nova 230, Nova 106, and moduNet300 that could allow unauthorized visibility to sensitive information (CVE-2023-0053, CVSS score: 7.5) and remote code execution (CVE-2023-0052, CVSS score: 9.8).
The Swiss-based automation company, however, does not plan to release fixes for the identified issues because the product line is no longer supported.
Lastly, the security agency detailed a cross-site scripting (XSS) flaw in Siemens Mendix SAML tools (CVE-2022-46823, CVSS score: 9.3) that could allow a threat actor to gain sensitive information by tricking users into clicking a specially crafted link.
Users are advised to enable multi-factor authentication and update Mendix SAML to versions 2.3.4 (Mendix 8), 3.3.8 (Mendix 9, Upgrade Track), or 3.3.9 (Mendix 9, New Track) to mitigate potential risks.