Multiple vendors’ ICS and SCADA software contain critical flaws, warns CISA.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released seven advisories this week about vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) software from various vendors. These advisories cover critical flaws, two of which have public exploits.

The affected products include ScadaFlex II controllers made by Industrial Control Links, Screen Creator Advance 2 and Kostac PLC programming software from JTEKT Electronics, Korenix JetWave industrial wireless access points and communications gateways, Hitachi Energy’s MicroSCADA System Data Manager SDM600, mySCADA myPRO software, and Rockwell Automation’s FactoryTalk Diagnostics.

The ScadaFlex II series controllers are stand-alone systems that are built with custom software, processing power, and I/O capabilities for controlling and monitoring other industrial processes. According to CISA, multiple versions of the software running on the SC-1 and SC-2 controllers are impacted by a critical vulnerability, CVE-2022-25359 with CVSS score 9.1. This flaw could allow unauthenticated attackers to overwrite, delete, or create files on the system. No patch is available because the vendor is in the process of closing their business. Owners of these assets can take defensive measures such as restricting network access to them, not exposing them directly to the internet or business networks, placing them behind firewalls, and using secure VPNs for remote access if needed.

The Kostac PLC Programming Software is engineering software used to manage Kostac programming logic controllers (PLCs) made by Koyo Electronics, a subsidiary of JTEKT Group. The software has three memory vulnerabilities with a CVSS severity score of 7.8 0 — CVE-2023-22419, CVE-2023-22421, and CVE-2023-22424. These flaws can lead to information disclosure and arbitrary code execution when processing PLC programs or specifically crafted project files and comments. Versions 1.6.10.0 and later of the software include patches for these flaws and more general mitigations to prevent similar issues.

JTEKT also has a screen recording program called Screen Creator Advance 2 that has five out-of-bound read flaws and a use-after-free rated with 7.8 on the CVSS scale. The vendor advises users to update to versions 0.1.1.4 Build01A and above.

Multiple models of Korenix JetWave industrial communications gateways are impacted by three command injection and uncontrolled resource consumption vulnerabilities rated with 8.8 on the CVSS scale. Exploitation of the command injection flaws — CVE-2023-23294 and CVE-2023-23295 — can give attackers full access to the operating system running on the devices, and exploitation of the resource consumption issue — CVE-2023-23296 — can result in a denial-of-service condition. The vendor released patched firmware versions for the impacted models.

The mySCADA myPRO HMI and SCADA software has five vulnerabilities through which attackers can execute arbitrary commands on the operating system. The flaws impact myPRO versions 8.26.0 and prior and are rated with 9.9 out of 10 on the CVSS scale as they are easy to exploit remotely, and technical details about the vulnerabilities are already available on the internet. The vendor patched the issues in version 8.29.0.

The Hitachi MicroSCADA System Data Manager SDM600 is an industrial management tool for energy-related installations and has multiple vulnerabilities that allow unrestricted uploads of files with dangerous types, improper authorization of API usage, improper resource shutdown, and improper privilege management. Exploitation of these vulnerabilities, which are also rated 9.9 on the CVSS scale, could allow a remote attacker to take control of the product. Hitachi advises users of SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291) to update to v1.3.0.1339.

Rockwell Automation’s FactoryTalk Diagnostic software is a subsystem of the FactoryTalk Service Platform, a Windows software suite that accompanies Rockwell industrial products used in many industry sectors: food and agriculture, transportation systems, and water and wastewater systems. The software has a critical data deserialization vulnerability rated with 9.8 on the CVSS scale that can allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges. There’s no patch available but Rockwell is working on an update to the software. In the meantime, the company has recommended several compensating controls and defensive steps.