The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has printed 4 Industrial Control Systems (ICS) advisories, calling out a number of safety flaws affecting merchandise from Siemens, GE Digital, and Contec.
The most important of the problems have been recognized in Siemens SINEC INS that would result in distant code execution through a path traversal flaw (CVE-2022-45092, CVSS rating: 9.9) and command injection (CVE-2022-2068, CVSS rating: 9.8).
Also patched by Siemens is an authentication bypass vulnerability in llhttp parser (CVE-2022-35256, CVSS rating: 9.8) in addition to an out-of-bounds write bug within the OpenSSL library (CVE-2022-2274, CVSS rating: 9.8) that might be exploited to set off distant code execution.
The German automation firm, in December 2022, launched Service Pack 2 Update 1 software program to mitigate the failings.
Separately, a crucial flaw has additionally been revealed in GE Digital’s Proficy Historian answer that would end in code execution no matter authentication standing. The challenge, tracked as CVE-2022-46732 (CVSS rating: 9.8), impacts Proficy Historian variations 7.0 and better, and has been remediated in Proficy Historian 2023.
“An attacker can make the most of this reality and bypass the historian authentication by impersonating an area service,” Uri Katz, safety researcher at industrial safety agency Claroty, mentioned. “This permits distant attackers the power to log in to any GE Proficy Historian server and power it to carry out unauthorized actions.”
CISA additionally up to date an ICS advisory that was printed final month, detailing a crucial command injection vulnerability in Contec CONPROSYS HMI System (CVE-2022-44456, CVSS rating: 10.0) that would allow a distant attacker to ship specifically crafted requests to execute arbitrary instructions.
While this shortcoming was patched by Contec in model 3.4.5, the software program has since been discovered to be weak to 4 further defects that would result in data disclosure and unauthorized entry.
Users of CONPROSYS HMI System are advisable to replace to model 3.5.0 or later, along with taking steps to attenuate community publicity and isolate such units from enterprise networks.
The advisories come lower than every week after CISA launched 12 such alerts warning of crucial flaws impacting software program from Sewio, InHand Networks, Sauter Controls, and Siemens.