Review – 7 Advisories and 2 Updates Published – 3-31-22

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Rockwell Automation (2), General Electric Renewables, Mitsubishi Electric, Fuji Electric, Hitachi Energy, and Schneider Electric. They also updated to advisories for products from Mitsubishi and PTC.

Rockwell Advisory #1 - This advisory describes a code injection vulnerability in the Rockwell Studio 5000 Logix Designer.

Rockwell Advisory #2 - This advisory describes an inclusion of functionality from an untrusted control sphere vulnerability in the Rockwell Logix Controllers.

Commentary: Claroty’s report on both of these vulnerabilities makes an important point about these (and previously-reported similar vulnerabilities in other vendor PLCs):

“Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks. Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered. [emphasis added]”

General Electric Advisory - This advisory describes six vulnerabilities (one third-party vulnerability with known exploit) in the General Electric MDS iNET/iNETII/SD/TD220/ TD220MAX Radios.

Mitsubishi Advisory - This advisory describes six vulnerabilities in the Mitsubishi FA CPU module products.

Fuji Advisory - This advisory describes five vulnerabilities in the Fuji Alpha5 servo drive system.

NOTE: I reported on four of the five ZDI advisories that form the basis for this advisory back in October, 2021. Those advisories were recently updated (March 23, 2022) to include the CVE numbers.

Hitachi Energy Advisory - This advisory describes four vulnerabilities in the Hitachi Energy e-mesh EMS optimizer software for energy resources.

NOTE: I briefly reported on the underlying Hitachi Energy advisory on January 15^th, 2022. This advisory is based on the recent update that revised the CVSS Base Score and Vector.

Schneider Advisory - This advisory describes an improper restriction of XML external entity reference in the Schneider SCADAPack Workbench software.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on October 29^th, 2020 and most recently updated on January 13^th, 2022.

PTC Update - This update provides additional information on an advisory that was originally published on March 8^th, 2022 and most recently updated on March 15^th, 2022.

 

For more details on these advisories, including links to researcher reports, third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-2-updates-published - subscription required.