ICS Network Controllers Open to Remote Exploit, No Patches Available
CISA advisory warns of critical ICS device flaws, but a lack of available fixes leaves network administrators on defense to prevent exploits.
A security advisory issued this week by the Cybersecurity and Infrastructure Security Agency (CISA) alerts administrators of vulnerabilities in two industrial control systems devices — Unitronics Vision Series PLCs and Mitsubishi Electric MELSEC iQ-R Series.
CISA warned that the Unitronics Vision Series PLC controller is open to remote exploit due to its storage of passwords in a recoverable format. This vulnerability (CVE-2024-1480) was assigned a CVSS score of 8.7.
Unitronics has not responded to, or worked with, the agency to mitigate the issue, leaving networks with these devices open to cyberattack, according to CISA. The advisory recommends ensuring the controllers are not connected to the Internet, isolating them from business networks, protecting the devices behind firewalls, and using secure methods, like virtual private networks (VPNs), for remote access.
The remaining ICS vulnerabilities impact the Mitsubishi Electric Corporation MELSEC iQ-R CPU Module. A design flaw in the CPU, tracked under CVE-2021-20599, has been assigned a CVSS score of 9.1. The unit transmits passwords in cleartext, which are easily intercepted by adversaries.
The Mitsubishi MELSEC CPUs also harbor a trio of reported flaws that could allow a threat actor to compromise usernames, access the device, and deny access to legitimate users. These include: exposure of sensitive information (CVE-2021-20594, CVSS 5.9); insufficiently protected credentials (CVE-2021-20597, CVSS 7.4); and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).
Mitsubishi is working to provide mitigations and workarounds for the issues. However, systems with these devices are unable to be updated with a fix, according to CISA. The agency advises administrators with these devices in their networks to shore up defenses with firewalls, remote access limitations, and IP address restrictions.
"Mitsubishi Electric has released the fixed version ... but updating the product to the fixed version is not available," the advisory said. "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability."
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024