The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens.
The advisories mention various vulnerability types, and the CVSS scores range from 5.9 to 10.0.
- Proficy Historian v7.0 and higher versions
- SINEC INS: versions prior to V1.0 SP2 Update 1
- CONPROSYS HMI System (CHS): Ver.3.4.4 and prior
- CONPROSYS HMI System (CHS): Ver.3.4.5 and prior
- MELSEC iQ-F Series with serial number 17X**** or later:
- MELSEC iQ-F Series with serial number 179**** and prior:
- FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Versions 1.074 and prior
- MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: Versions 1.280 and prior
CVE-2022-46732 (CVSS score: 9.8): It is an authentication bypass vulnerability in which authentication is circumvented through an alternate path or channel.
CVE-2022-45092 (CVSS score: 9.9): It is a path traversal vulnerability found in Siemens SINEC INS that may allow remote code execution. The affected product’s web-based management (443/TCP) could allow an authenticated remote attacker to read and write arbitrary files to and from the device’s file system.
CVE-2022-2068 (CVSS score: 9.8): It is an OS command injection flaw found in Siemens SINEC INS that could lead to remote code execution.
CVE-2022-35256 (CVSS score: 9.8): It is an authentication bypass flaw in the llhttp parser that threat actors could use for remote code execution. Header fields not terminated with CRLF are not handled correctly by the llhttp parser in the http module of Node.js v18.7.0, which may result in HTTP Request Smuggling (HRS).
CVE-2022-2274 (CVSS score: 9.8): It is an out-of-bounds write vulnerability in the OpenSSL library that could be used for remote code execution.
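As an added example (not code from the advisories, CISA, or the Node.js project), the following strict HTTP/1.1 request-head parser in JavaScript refuses header fields that are not terminated by CRLF, the input class behind CVE-2022-35256 above, and goes slightly beyond the text by also refusing conflicting message-length signals, the other usual ingredient of request smuggling. The sample requests and the host name are constructed.

```javascript
'use strict';

const CRLF = '\r\n';

// Parse the head of a raw HTTP/1.1 request (request line plus header fields).
// Returns { method, target, version, headers }; throws on any framing defect
// that a lenient parser might silently accept.
function parseRequestHead(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end === -1) throw new Error('head not terminated by an empty CRLF line');
  const head = raw.slice(0, end);
  // A LF not preceded by CR, or a CR not followed by LF, means some header
  // field is not CRLF-terminated: reject instead of guessing where it ends.
  if (/(^|[^\r])\n|\r(?!\n)/.test(head)) throw new Error('bare CR or LF in head');
  const lines = head.split(CRLF);
  const m = /^([A-Z]+) (\S+) HTTP\/(\d\.\d)$/.exec(lines[0]);
  if (!m) throw new Error('malformed request line');
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    // Field name must be a non-empty token with no whitespace before the colon.
    if (colon < 1 || /\s/.test(line.slice(0, colon))) throw new Error(`malformed field: ${line}`);
    const name = line.slice(0, colon).toLowerCase();
    const value = line.slice(colon + 1).trim();
    // A repeated length header is itself ambiguous; other fields are joined.
    if (name in headers && (name === 'content-length' || name === 'transfer-encoding')) {
      throw new Error(`duplicate ${name} field`);
    }
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  // Two different message-length signals let two parsers disagree on where
  // the body ends, which is the request-smuggling condition; refuse both.
  if ('content-length' in headers && 'transfer-encoding' in headers) {
    throw new Error('both Content-Length and Transfer-Encoding present');
  }
  return { method: m[1], target: m[2], version: m[3], headers };
}

// True when the parser refuses the input (used for the checks below).
function rejectsRequest(raw) {
  try { parseRequestHead(raw); return false; } catch (e) { return true; }
}

// Constructed sample requests for the demonstration (not captured traffic).
const STRICT_REQUEST = 'GET /status HTTP/1.1\r\nHost: plc.example\r\nContent-Length: 0\r\n\r\n';
const BARE_LF_REQUEST = 'GET /status HTTP/1.1\r\nHost: plc.example\nContent-Length: 0\r\n\r\n';

console.log(parseRequestHead(STRICT_REQUEST).headers); // { host: 'plc.example', 'content-length': '0' }
console.log(rejectsRequest(BARE_LF_REQUEST));          // true
```

A reverse proxy or gateway in front of an embedded HTTP stack can apply the same strictness so that both ends agree on message boundaries.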
CISA strongly advises all administrators and users to review the advisories and implement the appropriate security measures. Where vendor fixes and mitigations are currently available, the advisories include them.