The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has launched a number of Industrial Management Techniques (ICS) advisories warning of essential safety flaws affecting merchandise from Sewio, InHand Networks, Sauter Controls, and Siemens.
Essentially the most extreme of the issues relate to Sewio’s RTLS Studio, which could possibly be exploited by an attacker to “get hold of unauthorized entry to the server, alter info, create a denial-of-service situation, achieve escalated privileges, and execute arbitrary code,” according to CISA.
This contains CVE-2022-45444 (CVSS rating: 10.0), a case of hard-coded passwords for choose customers within the utility’s database that probably grant distant adversaries unrestricted entry.
Additionally notable are two command injection flaws (CVE-2022-47911 and CVE-2022-43483, CVSS scores: 9.1) and an out-of-bounds write vulnerability (CVE-2022-41989, CVSS rating: 9.1) that would lead to denial-of-service situation or code execution.
The vulnerabilities affect RTLS Studio model 2.0.0 as much as and together with model 2.6.2. Customers are beneficial to replace to model 3.0.0 or later.
CISA, in a second alert, highlighted a set of 5 safety defects in InHand Networks InRouter 302 and InRouter 615, together with CVE-2023-22600 (CVSS rating: 10.0), that would result in command injection, info disclosure, and code execution.
“If correctly chained, these vulnerabilities may lead to an unauthorized distant consumer absolutely compromising each cloud-managed InHand Networks machine reachable by the cloud,” the company mentioned.
All firmware variations of InRouter 302 previous to IR302 V3.5.56 and InRouter 615 earlier than InRouter6XX-S-V2.3.0.r5542 are prone to bugs.
Safety vulnerabilities have additionally been disclosed in Sauter Controls Nova 220, Nova 230, Nova 106, and moduNet300 that would enable unauthorized visibility to delicate info (CVE-2023-0053, CVSS rating: 7.5) and distant code execution (CVE-2023-0052, CVSS rating: 9.8).
The Swiss-based automation firm, nevertheless, doesn’t plan to launch fixes for the recognized points owing to the truth that the product line is not supported.
Lastly, the safety company detailed a cross-site scripting (XSS) flaw in Siemens Mendix SAML tools (CVE-2022-46823, CVSS rating: 9.3) that would allow a menace actor to realize delicate info by tricking customers into clicking a specifically crafted hyperlink.
Customers are suggested to allow multi-factor authentication and replace Mendix SAML to variations 2.3.4 (Mendix 8), 3.3.8 (Mendix 9, Improve Monitor), or 3.3.9 (Mendix 9, New Monitor) to mitigate potential dangers.