CISA Releases Seven Industrial Control Systems Advisories: PART TWO - Firmware Edition.
This advisory report continues from PART ONE and focuses on the firmware of Industrial Control Systems that can affect critical infrastructure, including Energy, Water and Wastewater Systems, Transportation, Healthcare, and Manufacturing.
How are Vulnerabilities Rated?
Vulnerability information is drawn from the (NIST) National Vulnerability Database (NVD). These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
Vendor/Product: Westermo EDW-100 (a Serial to Ethernet converter, all versions)
Description: Use of Hard-coded Password
Westermo EDW-100 has a hidden administrator account with a hardcoded password. In the firmware package, in "image.bin", the username root and the password for this account are both hard-coded and exposed as strings that can trivially be extracted. Currently there is no way to change this password.
Impact:
- Hidden root user with hardcoded password: EDW-100 has a hidden root user account with a hardcoded password that cannot be changed, making EDW-100 vulnerable to unauthorized access (CWE-259: Use of Hard-coded Password, CWE-256: Plaintext Storage of a Password)
- Unauthenticated user can read config containing password: (CWE-522: Insufficiently Protected Credentials, CWE-256: Plaintext Storage of a Password)
Source: CVE-2024-36080
Max Severity: Critical
CVSS Score: 9.8
Critical Infrastructure Sectors: Energy, Water and Wastewater Systems, Transportation Systems
Mitigation: To mitigate the risks associated with these vulnerabilities, Westermo recommends network segregation, perimeter protection, network to network protection, and physical security measures. Westermo also recommends replacing EDW-100 with Lynx DSS L105-S1. For further reference see 5-Port Managed Industrial Device Server Switch L105-S1.
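Before an image like the one described above goes onto production hardware, a firmware acceptance check can flag account records whose password field is live. The following is an added example, not Westermo's or CISA's code; it scans a constructed sample blob (not image.bin) for passwd/shadow-style records and reports any account that is not locked or deferred.

```python
"""Firmware-image acceptance check for hard-coded account records.
Added example (not Westermo or CISA code): scans a firmware blob for Unix
passwd/shadow-style records and reports accounts whose password field is not a
lock marker, i.e. a hash or plaintext shipped in every unit. SAMPLE_IMAGE is a
constructed blob, not Westermo's image.bin."""
import re
from typing import Dict, List

FIELD = rb"[^:\n\x00]*"
# passwd record: name:pw:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(rb"([A-Za-z_][\w-]{0,31}):(" + FIELD + rb"):(\d+):(\d+):"
                       + FIELD + rb":" + FIELD + rb":[^\s:\x00]+")
# shadow record: name:pw followed by seven numeric-or-empty fields
SHADOW_RE = re.compile(rb"([A-Za-z_][\w-]{0,31}):(" + FIELD + rb")" + rb":\d*" * 7)
LOCK_MARKERS = {b"x", b"*", b"!", b"!!"}  # password deferred to shadow, or disabled

def classify(pw: bytes) -> str:
    """Rough classification of what the password field holds."""
    if pw == b"":
        return "empty"      # account logs in with no password at all
    if pw.startswith(b"$") or re.fullmatch(rb"[./0-9A-Za-z]{13}", pw):
        return "hash"       # crypt(3)-style hash baked into the image
    return "plaintext"

def find_hardcoded_accounts(image: bytes) -> List[Dict]:
    """Return one finding per account record whose password field is live."""
    findings = []
    for source, rx in (("passwd", PASSWD_RE), ("shadow", SHADOW_RE)):
        for m in rx.finditer(image):
            name, pw = m.group(1), m.group(2)
            if pw in LOCK_MARKERS:
                continue
            findings.append({
                "source": source, "user": name.decode("ascii"),
                "offset": m.start(), "kind": classify(pw),
                "uid0": source == "passwd" and m.group(3) == b"0",
            })
    return findings

# Constructed sample image: header bytes, a passwd fragment and a shadow fragment.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(32)) + b"\x00"
    + b"root:x:0:0:root:/root:/bin/sh\n"
    + b"support:$1$CONSTRUCTED$abcdefghijklmnopqrstuv:0:0:hidden:/:/bin/sh\n"
    + b"guest::1000:1000::/home/guest:/bin/sh\n"
    + b"\x00" * 16 + b"root:$6$SAMPLE$notarealhashvalue:19000:0:99999:7:::\n"
    + b"daemon:*:19000:0:99999:7:::\n"
)
```

A uid-0 finding with a hash or empty password field, as in the sample, is the pattern to reject at acceptance time; on the sample it flags `support` and `guest` from the passwd fragment and `root` from the shadow fragment.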
Vendor/Product: Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update C)
- MELSEC iQ-R Series R00CPU: firmware versions 32 and prior
- MELSEC iQ-R Series R01CPU: firmware versions 32 and prior
- MELSEC iQ-R Series R02CPU: firmware versions 32 and prior
- MELSEC iQ-R Series R04(EN)CPU: firmware versions 65 and prior
- MELSEC iQ-R Series R08(EN)CPU: firmware versions 65 and prior
- MELSEC iQ-R Series R16(EN)CPU: firmware versions 65 and prior
- MELSEC iQ-R Series R32(EN)CPU: firmware versions 65 and prior
- MELSEC iQ-R Series R120(EN)CPU: firmware versions 65 and prior
- MELSEC iQ-R Series R08SFCPU: firmware versions 29 and prior
- MELSEC iQ-R Series R16SFCPU: firmware versions 29 and prior
- MELSEC iQ-R Series R32SFCPU: firmware versions 29 and prior
- MELSEC iQ-R Series R120SFCPU: firmware versions 29 and prior
- MELSEC iQ-R Series R12CCPU-V: firmware versions 17 and prior
- MELSEC iQ-L Series L04HCPU: All versions
- MELSEC iQ-L Series L08HCPU: All versions
- MELSEC iQ-L Series L16HCPU: All versions
- MELSEC iQ-L Series L32HCPU: All versions
- MELIPC Series MI5122-VW: firmware versions 07 and prior
Description: Improper Resource Shutdown or Release
A denial-of-service vulnerability due to improper resource shutdown or release exists in Mitsubishi Electric MELSEC iQ-R and iQ-L series CPU modules and the MELIPC series. A remote attacker could cause a denial-of-service condition in the module's Ethernet communication by sending specially crafted packets.
Impact:
- Remote denial of service: a remote attacker could send specially crafted packets that halt the affected module's Ethernet communication (CWE-404: Improper Resource Shutdown or Release).
Source: CVE-2024-33324
Max Severity: High
CVSS Score: 7.5
Critical Infrastructure Sectors: Critical Infrastructure
Mitigation:
Mitsubishi Electric fixed the following products:
- MELSEC iQ-R Series R00CPU: firmware versions 33 or later
- MELSEC iQ-R Series R01CPU: firmware versions 33 or later
- MELSEC iQ-R Series R02CPU: firmware versions 33 or later
- MELSEC iQ-R Series R04(EN)CPU: firmware versions 66 or later
- MELSEC iQ-R Series R08(EN)CPU: firmware versions 66 or later
- MELSEC iQ-R Series R16(EN)CPU: firmware versions 66 or later
- MELSEC iQ-R Series R32(EN)CPU: firmware versions 66 or later
- MELSEC iQ-R Series R120(EN)CPU: firmware versions 66 or later
- MELSEC iQ-R Series R08SFCPU: firmware versions 30 or later
- MELSEC iQ-R Series R16SFCPU: firmware versions 30 or later
- MELSEC iQ-R Series R32SFCPU: firmware versions 30 or later
- MELSEC iQ-R Series R120SFCPU: firmware versions 30 or later
- MELSEC iQ-R Series R12CCPU-V: firmware versions 18 or later
- MELIPC Series MI5122-VW: firmware versions 08 or later
Mitsubishi Electric offers the following countermeasures for users:
- MELSEC iQ-R Series firmware versions 08 and prior: It is not possible to update to the firmware versions listed above. Follow the mitigation measures below.
- MELSEC iQ-R Series firmware versions 09 or later: Download a fixed firmware update file to update the firmware. Please refer to MELSEC iQ-R Module Configuration Manual "Appendix 2 Firmware Update Function" to learn how to update firmware.
- MELIPC Series: It is not possible to update to the firmware versions listed above. Follow the mitigation measures below.
Mitsubishi Electric recommends users take mitigation measures to minimize the risk of exploiting this vulnerability:
- Use a firewall, virtual private network (VPN), or other means to prevent unauthorized access when internet access is required.
- Use the product inside a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
- Use an IP filter function to block access from untrusted hosts. For details on the remote password function and IP filter function, users can refer to the following manual for each product:
- MELSEC iQ-R Ethernet User's Manual (Application) 1.13 Security "IP filter."
- MELSEC iQ-L CPU module User's Manual (Application) 24.1 "IP filter Function."
- MELSEC iQ-R C Controller Module User's Manual (Application) 6.6 Security Function "IP filter."
- MELIPC MI5000 Series User's Manual (Application) "11.3 IP Filter Function."
For specific update instructions and additional details, see Mitsubishi Electric advisory 2022-018.
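The affected/fixed version table and the update constraints above are easy to misapply across a fleet, so a small triage helper is useful. The following is an added example, not Mitsubishi Electric's or CISA's code; thresholds come from the advisory text above, and the inventory rows are constructed.

```python
"""Triage helper for CVE-2024-33324 across MELSEC iQ-R, iQ-L and MELIPC units.
Added example, not Mitsubishi Electric or CISA code. Version thresholds and the
update constraints come from the advisory text above; SAMPLE_INVENTORY rows are
constructed. Model names are accepted as printed, e.g. R04ENCPU or R04CPU."""
import re
from typing import List, Optional, Tuple
# iQ-R CPUs: (model pattern, last affected firmware, first fixed firmware)
IQR_RULES: List[Tuple[str, int, int]] = [
    (r"R0[012]CPU", 32, 33),
    (r"R(04|08|16|32|120)(EN)?CPU", 65, 66),
    (r"R(08|16|32|120)SFCPU", 29, 30),
    (r"R12CCPU-V", 17, 18),
]
IQR_MIN_UPDATABLE = 9  # iQ-R firmware 08 and prior cannot take the fixed firmware

def assess(model: str, firmware: Optional[int]) -> str:
    """Return 'not_affected', 'update:<n>', 'mitigate_only' or 'unknown'; mitigate_only
    means affected with no applicable firmware fix, so the advisory's network measures remain."""
    m = model.strip().upper()
    if re.fullmatch(r"L(04|08|16|32)HCPU", m):
        return "mitigate_only"  # iQ-L: all versions affected, no fixed version listed
    if m == "MI5122-VW":        # MELIPC: 07 and prior affected, cannot be updated
        if firmware is None:
            return "unknown"
        return "not_affected" if firmware >= 8 else "mitigate_only"
    for pattern, last_affected, first_fixed in IQR_RULES:
        if re.fullmatch(pattern, m):
            if firmware is None:
                return "unknown"
            if firmware > last_affected:
                return "not_affected"
            if firmware < IQR_MIN_UPDATABLE:
                return "mitigate_only"
            return f"update:{first_fixed}"
    return "unknown"            # model not in scope of this advisory

def triage(inventory: List[Tuple[str, str, Optional[int]]]) -> List[Tuple[str, str]]:
    """Map (asset_id, model, firmware) rows to (asset_id, verdict)."""
    return [(asset, assess(model, fw)) for asset, model, fw in inventory]

# Constructed inventory: asset tag, model, firmware version (None = not recorded)
SAMPLE_INVENTORY = [
    ("PLC-01", "R04ENCPU", 65),
    ("PLC-02", "R08SFCPU", 30),
    ("PLC-03", "R01CPU", 7),
    ("PLC-04", "L16HCPU", 12),
    ("IPC-01", "MI5122-VW", 7),
    ("PLC-05", "R120CPU", None),
]
```

Units that come back as mitigate_only are the ones where the IP filter and LAN-only measures listed above are the whole remedy, not a stopgap until a firmware update.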
Vendor/Product: Baxter Welch Allyn Connex Spot Monitor v1.52 and prior
Description: Use of Default Cryptographic Key
The impacted product uses a default cryptographic key for potentially critical functionality. An attacker could modify device configurations and firmware data, resulting in impact and/or delay in patient care.
Impact:
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Source: CVE-2024-1275
Max Severity: Critical
CVSS Score: 9.1
Critical Infrastructure Sectors: Healthcare and Public Health
Mitigation: Baxter has released a software update for all impacted devices and software to address this vulnerability. A new version of the product that mitigates the vulnerability is available as follows:
- Welch Allyn Connex Spot Monitor: Version 1.52.01 (available October 16, 2023)
Baxter recommends users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the Baxter disclosure page or the Hillrom disclosure page.
Baxter recommends the following workarounds to help reduce risk:
- Apply proper network and physical security controls.
- Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).