Cyble Urges ICS Vulnerability Fixes For TEM, Mitsubishi, And Delta Electronics
Key Takeaways
- Cyble researchers investigated vulnerabilities in five ICS/OT products this week and identified Mitsubishi Electric, TEM, and Delta Electronics products as top priorities for security teams.
- TEM has been unresponsive to reports of vulnerabilities in Opera Plus FM Family Transmitters, version 35.45, so users are urged to take mitigation steps.
- Mitsubishi Electric has no plans to fix vulnerabilities in MELSEC iQ-F FX5-OPC communication units and instead recommended mitigation steps.
Overview
Cyble researchers have identified vulnerabilities in three products used in critical infrastructure environments that merit high-priority attention from security teams.
Cyble’s weekly industrial control system/operational technology (ICS/OT) vulnerability report for Oct. 1-7 investigated 10 vulnerabilities in five ICS/OT products and identified products from Mitsubishi Electric, TEM, and Delta Electronics as top priorities for patching and mitigation.
TEM Opera Plus FM Family Transmitter Vulnerabilities
An attacker could target Opera Plus FM Family Transmitters through missing authentication for critical function and cross-site request forgery (CSRF) vulnerabilities (CVE-2024-41987 and CVE-2024-41988), for which a proof of concept (PoC) is publicly available.
CISA issued an advisory on the vulnerabilities on Oct. 3, 2024, and CVE records were created the same day. CISA notes that TEM has been unresponsive to requests to work with the agency on the vulnerabilities; the PoC developer, Gjoko Krstic, also reported a lack of response from the company.
The transmitters are used globally in the communications sector; version 35.45 is affected.
CISA recommends the following mitigations:
- Minimize network exposure for all control system devices and systems, ensuring they are not internet-accessible.
- Place control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version. Connected devices must also be secure.
Mitsubishi Electric MELSEC iQ-F FX5-OPC
Mitsubishi Electric’s MELSEC iQ-F FX5-OPC communication units are affected by a NULL pointer dereference vulnerability (CVE-2024-0727) that malicious actors could exploit to create denial-of-service (DoS) conditions by getting a legitimate user to import a specially crafted PKCS#12 format certificate. The issue is caused by an OpenSSL vulnerability that the company detailed in an Oct. 1 advisory.
Mitsubishi Electric has no plans to fix the vulnerability and instead recommends the following mitigations:
- Use within a LAN and block access from untrusted networks and hosts through firewalls.
- Restrict physical access to the product and computers and network devices located within the same network.
- Use a firewall or VPN to prevent unauthorized access when Internet access is required.
- Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to the following manual: MELSEC iQ-F FX5 OPC UA Module User’s Manual “4.4 IP Filter”
- Do not import untrusted certificates.
Delta Electronics DIAEnergie
SQL injection vulnerabilities (CVE-2024-43699 and CVE-2024-42417) in Delta Electronics’ DIAEnergie industrial energy management system could allow an unauthenticated attacker to obtain records contained in the targeted product.
Versions v1.10.01.008 and prior are affected, and Delta Electronics recommends that users upgrade to v1.10.01.009.
Optigo Networks and Subnet Solutions
Optigo Networks (CVE-2024-41925 and CVE-2024-45367) and Subnet Solutions PowerSYSTEM Center (CVE-2020-28168, CVE-2021-3749, and CVE-2023-45857) products were also the focus of recent security advisories. Cyble recommended patching the Optigo ONS-S8 Spectra Aggregation Switch vulnerabilities last week.
Recommendations and Mitigations
Cyble also offered general security guidelines for ICS and OT environments:
- Keep track of security and patch advisories and alerts issued by vendors and state authorities.
- Follow a risk-based vulnerability management approach to reduce the risk of exploitation of assets and implement a Zero-Trust Policy.
- Threat intelligence analysts should support the organizational patch management process by continuously monitoring for and reporting critical vulnerabilities that are published in CISA's KEV Catalog, actively exploited in the wild, or identified in mass exploitation attempts on the internet.
- Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
- Implement proper network segmentation to prevent attackers from performing discovery and lateral movement and minimize exposure of critical assets.
- Regular audits, vulnerability assessments, and pen-testing exercises are vital in finding security loopholes that attackers may exploit.
- Continuous monitoring and logging can help in detecting network anomalies early.
- Utilize Software Bill of Materials (SBOM) to gain more visibility into individual components, libraries, and their associated vulnerabilities.
- Install physical controls to prevent unauthorized personnel from accessing your devices, components, peripheral equipment, and networks.
- Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
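The inventory and patch-assessment steps above can be applied directly to this week's advisories. The following is an added example, not code from Cyble, CISA or the vendors: it checks a constructed asset inventory against the affected versions named in this article and separates assets that can be upgraded from those that can only be mitigated. Treating every FX5-OPC unit as affected is an assumption, since the article gives no version range for it.

```python
import re

# (product keyword, CVEs, affected rule, fixed version), values from the article.
ADVISORIES = [
    ("opera plus", ["CVE-2024-41987", "CVE-2024-41988"], ("==", "35.45"), None),
    ("fx5-opc", ["CVE-2024-0727"], ("any", None), None),  # no range given: assume all
    ("diaenergie", ["CVE-2024-43699", "CVE-2024-42417"], ("<=", "v1.10.01.008"), "v1.10.01.009"),
]

def parse_version(text):
    """Turn 'v1.10.01.008' into (1, 10, 1, 8); None if not dotted-numeric."""
    text = (text or "").strip().lstrip("vV")
    ok = re.fullmatch(r"\d+(\.\d+)*", text)
    return tuple(int(part) for part in text.split(".")) if ok else None

def is_affected(rule, version):
    """True/False, or None when the installed version cannot be compared."""
    op, bound = rule
    if op == "any":
        return True
    have, want = parse_version(version), parse_version(bound)
    if have is None:
        return None
    return have == want if op == "==" else have <= want

def triage(inventory):
    """Return (asset, CVEs, action) for each asset that needs work."""
    findings = []
    for name, product, version in inventory:
        for keyword, cves, rule, fixed_in in ADVISORIES:
            hit = is_affected(rule, version) if keyword in product.lower() else False
            if hit is not False:
                action = ("verify installed version" if hit is None else
                          "upgrade to " + fixed_in if fixed_in else
                          "no vendor fix: apply listed mitigations")
                findings.append((name, cves, action))
    return findings

# Constructed sample inventory: (asset name, product, installed version).
INVENTORY = [
    ("fm-tx-01", "TEM Opera Plus FM Transmitter", "35.45"),
    ("ems-01", "Delta DIAEnergie", "v1.10.01.008"),
    ("ems-02", "Delta DIAEnergie", "1.10.01.009"),
    ("plc-gw-07", "MELSEC iQ-F FX5-OPC", None),
    ("ems-03", "Delta DIAEnergie", "unknown"),
]

for finding in triage(INVENTORY):
    print(*finding, sep=" | ")
```

Assets whose version string cannot be parsed are reported for manual verification rather than silently treated as safe.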