CISA Releases Four New ICS Advisories Addressing Critical Vulnerabilities

On September 5, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued four new advisories highlighting vulnerabilities in Industrial Control Systems (ICS) used across multiple sectors.


Introduction

On September 5, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued four new advisories highlighting vulnerabilities in Industrial Control Systems (ICS) used across multiple sectors. These advisories cover software from Hughes Network Systems, Baxter, and Mitsubishi Electric, revealing severe risks that could be exploited to compromise critical infrastructure.

The advisories pertain to the following systems:

  1. Hughes Network Systems WL3000 Fusion Software: This software suffers from insufficiently protected credentials and a lack of encryption for sensitive data.
  2. Baxter Connex Health Portal: Critical vulnerabilities, including SQL Injection and improper access control, put sensitive medical data at risk.
  3. Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E): A denial-of-service (DoS) vulnerability that affects several of Mitsubishi Electric's CPU modules.
  4. Mitsubishi Electric MELSEC iQ-R, iQ-L Series, and MELIPC Series (Update E): A DoS vulnerability in the Ethernet communication module.

These vulnerabilities were identified by anonymous researchers and reported to CISA and the vendors. The following sections break down each advisory and its associated risks.

Report Overview

  1. Hughes Network Systems WL3000 Fusion Software:
    • Vulnerability: Unencrypted credentials stored in flash memory, allowing attackers read-only access to sensitive configuration data.
    • CVE-2024-39278: Insufficiently Protected Credentials, CVSS v4 score of 5.1.
    • CVE-2024-42495: Missing encryption of sensitive data, CVSS v4 score of 7.1.
    • Risk: Exploitation can expose network configuration information.
  2. Baxter Connex Health Portal:
    • Vulnerability: SQL Injection and improper access control.
    • CVE-2024-6795: SQL Injection, CVSS v3.1 score of 10.0.
    • CVE-2024-6796: Improper access control, CVSS v3.1 score of 8.2.
    • Risk: Attackers can inject malicious SQL queries, modify or delete sensitive patient data, and shut down database services.
  3. Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E):
    • Vulnerability: Uncontrolled resource consumption leading to a denial-of-service condition.
    • CVE-2020-5652: CVSS v3.1 score of 7.5.
    • Risk: This vulnerability allows attackers to disable Ethernet communication on CPU modules, disrupting ICS operations.
  4. Mitsubishi Electric MELSEC iQ-R, iQ-L Series, and MELIPC Series (Update E):
    • Vulnerability: Improper resource shutdown or release, leading to a denial-of-service.
    • CVE-2022-33324: CVSS v3.1 score of 7.5.
    • Risk: Remote attackers can cause a denial-of-service condition in the Ethernet communication module.

Insights and Analysis

These advisories underscore the critical need for ICS operators to ensure their systems are not vulnerable to potential exploitation. With ICS being essential to sectors like healthcare and manufacturing, even minor disruptions can have significant consequences.

The vulnerabilities in Hughes Network Systems WL3000 Fusion Software, especially the lack of encryption for sensitive data, highlight the importance of securing data both in transit and at rest. Similarly, the SQL Injection vulnerability in the Baxter Connex Health Portal shows how attackers can exploit unsecured entry points to manipulate or access sensitive data.

Organizations should also be vigilant in their patch management practices. Mitsubishi Electric’s vulnerabilities, particularly those resulting in denial-of-service, demonstrate how unpatched systems can become targets for disruptive attacks, potentially leading to operational shutdowns.

These vulnerabilities pose significant risks to organizations using the affected ICS products, particularly those in critical infrastructure sectors such as healthcare, manufacturing, and telecommunications. Users should act quickly to patch affected systems and implement CISA’s recommended cybersecurity measures to prevent potential attacks.

For more detailed mitigation strategies, visit the CISA ICS webpage.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploiting SQL Injection vulnerability in Baxter Connex Health Portal. |
| Credential Access | Unsecured Credentials | T1552.001 | Exploiting unencrypted credentials in Hughes Network Systems WL3000 Fusion Software. |
| Impact | Denial of Service | T1499 | Denial-of-service attacks targeting Mitsubishi Electric MELSEC systems. |

References

CISA Releases Four Industrial Control Systems Advisories | CISA
Hughes Network Systems WL3000 Fusion Software | CISA
Baxter Connex Health Portal | CISA
Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update E) | CISA
Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update E) | CISA