CISA Reveals Cyber Security Vulnerabilities in Siemens, Hitachi Energy, Johnson Controls, Delta Electronics

26 October 2022

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released eight ICS (industrial control systems) advisories on 25 October 2022, including one covering AliveCor KardiaMobile medical devices. These advisories provide timely information about current security issues, cyber security vulnerabilities, and exploits surrounding ICS equipment from Siemens, Hitachi Energy, Johnson Controls, Delta Electronics, Haas, and Heidenhain, which is deployed across critical infrastructure sectors.

The AliveCor KardiaMobile equipment has been identified to include cyber security vulnerabilities that enable authentication bypass by assumed-immutable data and missing encryption of sensitive data, CISA said in its advisory. Exploitation of these vulnerabilities could lead to attackers stealing or faking personal cardiograms or enabling a denial-of-service attack. Attackers must be at close range to carry out these attacks.

CISA said that the smartphone application for the affected product, which is used across North America and Europe, is vulnerable to the publicly known ‘Intent Manipulation’ exploit on Android phones. The exploit allows attackers to bypass app authentication and view or alter information in the app.

The other vulnerability identified covers the physical IoT device of the affected product, which has no encryption for its data-over-sound protocols. Exploiting the vulnerability could allow an attacker to read patient electrocardiography (EKG) results or create a denial-of-service condition by emitting sounds at frequencies similar to those the device uses, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

Carlos Cilleruelo Rodríguez and Javier Junquera Sánchez of the University of Alcalá reported these vulnerabilities to CISA, the advisory disclosed.

The Kardia App usage instructions include recommendations for users to use a passcode (PIN) or biometric identification on their smartphone devices. CISA recommends users take defensive measures to minimize the risk of exploitation of the vulnerability. The agency also reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA revealed that Siemens Siveillance Video 2022 R2, used globally across the communications and commercial facilities sectors, has been identified to include a weak authentication vulnerability. Exploitation of this vulnerability could allow an unauthenticated remote attacker to access the application without a valid account.

“Siemens Siveillance Video Mobile Server versions prior to V22.2a(80) contain an authentication bypass vulnerability that could allow an unauthenticated remote attacker to access the application without a valid account,” CISA said in its advisory. Milestone’s PSIRT reported this vulnerability to Siemens, it added.

Siemens has released a hotfix for Siveillance Video 2022 R2 and recommends applying the hotfix on all installations of the mobile server. Users have been advised to update to V22.2a(80) or a later version by applying the latest hotfix of the Mobile Server Installer.

The company also identified specific workarounds and mitigations users can apply to reduce the risk. It suggests users enable the feature ‘Servers > Mobile Servers > Deny the built-in Administrators role access to the mobile servers’ for all configured mobile servers.

CISA also announced cyber security vulnerabilities in Delta Electronics’ DIAEnergie hardware, which could allow an attacker to inject arbitrary code to retrieve and modify database contents and execute system commands. Michael Heinzl reported these vulnerabilities to the security agency.

The cross-site scripting and SQL injection cyber security vulnerabilities affect the DIAEnergie industrial energy management system deployed in the critical manufacturing sector. Delta did not publicly release v1.9.01.002, and users are encouraged to contact Delta front-end sales or agents to get this updated version.

CISA announced cyber security vulnerabilities across Delta Electronics’ InfraSuite Device Master equipment used in the energy sector. These vulnerabilities include deserialization of untrusted data, path traversal and missing authentication for critical function. “Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to remotely execute code, cause a denial-of-service condition by remotely deleting files or changing group privileges, or remotely read and write files, all with local administrator privileges,” the agency said in its advisory.

Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification, the advisory revealed. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization. The same Delta product has also been found to deserialize user-supplied data provided through the Device-Gateway service port without proper verification, with the same consequence: malicious serialized objects could execute arbitrary code upon deserialization.
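The "proper verification" the advisory refers to has to happen before the deserializer constructs any object, because a serialized stream names the classes it wants instantiated and the act of instantiating them is where code runs. The defensive pattern is an allowlist of the types a service genuinely needs, enforced at the point where the deserializer resolves a class name. The following is an added illustration in Python of that pattern; it is not code from Delta Electronics or from the advisory, and the sample payloads and the allowlist contents are constructed for the example.

```python
import datetime
import io
import pickle
from typing import Any, Tuple

# Allowlist of (module, name) pairs the deserializer may resolve. A device
# service that only ever exchanges plain dicts, lists and strings needs no
# class references at all; the few here are constructed for the example.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any class reference not on the allowlist.

    find_class is the hook pickle calls for every GLOBAL/STACK_GLOBAL
    opcode, i.e. before the referenced callable is ever invoked, so
    rejecting here means no attacker-chosen constructor runs.
    """

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not in allowlist"
        )


def safe_loads(data: bytes) -> Any:
    """Deserialize untrusted bytes using the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> Tuple[str, Any]:
    """Return ('ok', value) or ('rejected', reason) for a payload."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads. The first is the kind of plain data a
# collector port would legitimately receive. The second is benign too, but
# it references a class (datetime.date) outside the allowlist, which is
# exactly what an untrusted stream must not be allowed to do.
BENIGN_PAYLOAD = pickle.dumps({"device": "sensor-01", "readings": [21.5, 21.7]})
CLASS_REFERENCE_PAYLOAD = pickle.dumps(datetime.date(2022, 10, 25))

if __name__ == "__main__":
    print(try_load(BENIGN_PAYLOAD))
    print(try_load(CLASS_REFERENCE_PAYLOAD))
```

The point generalizes beyond Python: the control is an allowlist of types checked before construction, not a blocklist of known-bad gadgets. In .NET the corresponding hook is a SerializationBinder that restricts which types a formatter may bind, and Microsoft's guidance is not to run BinaryFormatter over untrusted input at all; for a device-management protocol, a schema-validated format with no type metadata (JSON or protobuf messages mapped to fixed structures) removes the problem class entirely.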

The Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior mishandle .ZIP archives containing characters used in path traversal, which could result in remote code execution. “The database backup function in Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior lacks proper authentication. An attacker could provide malicious serialized objects which, when deserialized, could activate an opcode for a backup scheduling function without authentication. This function allows the user to designate all function arguments and the file to be executed. This could allow the attacker to start any new process and achieve remote code execution,” CISA revealed.
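An archive that "contains characters used in path traversal" is one whose member names include `..` segments, absolute paths or backslashes, so that a naive extractor writes files outside the directory it intended to restore into. The defensive check is to validate every member name against the extraction root before a single byte is written. The following is an added example of that check in Python; it is not Delta Electronics' code or the advisory's, and the archive contents, the `backup-restore-` directory prefix and the file names are constructed for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List, Tuple


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would land outside the extraction root."""


def validate_member(name: str, root: Path) -> Path:
    """Map an archive member name to a destination under root, or raise.

    Two independent layers: a syntactic check on the member name, then a
    containment check on the resolved destination path, so that a name
    the first layer did not anticipate (e.g. a drive-relative path on a
    Windows host) is still caught by the second.
    """
    # ZIP names use '/', but hostile archives may embed '\' or absolute paths.
    pure = PurePosixPath(name.replace("\\", "/"))
    if not pure.parts or pure.is_absolute() or ".." in pure.parts:
        raise UnsafeArchiveEntry(f"rejected {name!r}: absolute or parent reference")
    target = (root / Path(*pure.parts)).resolve()
    if target != root and root not in target.parents:
        raise UnsafeArchiveEntry(f"rejected {name!r}: resolves outside {root}")
    return target


def safe_extract(zip_bytes: bytes, dest_root: Path) -> List[str]:
    """Extract an archive only if every member validates.

    All members are validated before anything is written, so a single
    traversal entry rejects the whole archive rather than leaving a
    half-restored backup behind. Returns the root-relative paths written.
    """
    root = dest_root.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        targets = [(m, validate_member(m.filename, root)) for m in members]
        written = []
        for member, target in targets:
            if member.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(member))
            written.append(target.relative_to(root).as_posix())
    return sorted(written)


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Build a sample ZIP in memory (constructed test data, not a real backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one well-formed, one carrying a traversal entry.
GOOD_ARCHIVE = build_archive({"config/app.xml": b"<config/>", "readme.txt": b"notes"})
TRAVERSAL_ARCHIVE = build_archive(
    {"../../outside.txt": b"placeholder", "config/app.xml": b"<config/>"}
)


def try_extract(zip_bytes: bytes) -> Tuple[str, object]:
    """Extract into a fresh temporary directory and report the outcome."""
    dest = Path(tempfile.mkdtemp(prefix="backup-restore-"))  # constructed prefix
    try:
        return ("ok", safe_extract(zip_bytes, dest))
    except UnsafeArchiveEntry as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(try_extract(GOOD_ARCHIVE))
    print(try_extract(TRAVERSAL_ARCHIVE))
```

The same two-layer check applies to any archive format a backup or restore function accepts, and the validate-then-write ordering matters as much as the check itself: validating each entry just before writing it still leaves the earlier, legitimate-looking entries on disk when a later one is rejected.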

The security agency said that Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to trigger the WriteConfiguration method, which could allow an attacker to provide new values for user configuration files such as UserListInfo.xml, potentially leading to the changing of administrative passwords. “Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the ‘RunningConfigs’ directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords,” it adds.

In another advisory, CISA revealed that Hitachi Energy DMS600 contains a ‘reliance on uncontrolled component’ vulnerability that is remotely exploitable with low attack complexity. Exploitation of the cyber security vulnerabilities could allow an attacker to gain unauthorized access to information.

CISA said that a vulnerability exists when Hitachi Energy MicroSCADA X DMS600 v4.5, used across the global energy sector, runs on an affected version of PostgreSQL. “While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. Successful exploitation of this vulnerability could allow attackers to gain access to the data, causing confidentiality and integrity issues,” it adds.

Additionally, a vulnerability exists when Hitachi Energy MicroSCADA X DMS600 v4.5 uses an affected version of PostgreSQL. “When using an ‘INSERT … ON CONFLICT … DO UPDATE’ command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory,” CISA adds.

CISA announced that a cross-site scripting vulnerability has been found in equipment from CKS, a subsidiary of Johnson Controls. The CKS CEVAS, a deployment management and billing system, could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. Christian Vierschilling and Caroline Moesler reported this vulnerability to Johnson Controls.

A remotely exploitable improper authentication vulnerability has been identified in the Heidenhain TNC 640 controlling a HARTFORD 5A-65E CNC machine, CISA said in its advisory. The equipment is used across multiple critical infrastructure sectors, and exploitation of the cyber security vulnerability could cause a loss of sensitive data, manipulation of information, and denial-of-service.

The Heidenhain Controller TNC 640, version 340590 07 SP5, running HEROS 5.08.3 controlling the HARTFORD 5A-65E CNC machine is vulnerable to improper authentication, which may allow an attacker to deny service to the production line, steal sensitive data from the production line, and alter any products created by the production line, CISA revealed. Marco Balduzzi of Trend Micro reported this vulnerability to CISA.

Heidenhain is working with HARTFORD Machinery of She Hong Industrial Co. Ltd. to develop mitigations. To reduce the risk of exploitation, Heidenhain has advised users to block LSV2 and DNC communication by means of the integrated firewall in the controller’s HEROS operating system, to use zone firewalls to isolate and segment the network of the affected devices, and to ask the vendor of machinery running Heidenhain controllers for an update to a recent software version in which SSH tunneling is standard.

Source: https://industrialcyber.co/industrial-cyber-attacks/cisa-reveals-cyber-security-vulnerabilities-in-siemens-hitachi-energy-johnson-controls-delta-electronics/