CISA Issues Warnings About Vulnerabilities in Industrial Control Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently highlighted critical vulnerabilities in industrial control systems (ICS) through three advisory alerts. These advisories specifically address security flaws found in software produced by ETIC Telecom, Nokia, and Delta Industrial Automation, posing significant risks to operational integrity and data security.
Among the most severe issues identified are three vulnerabilities in ETIC Telecom’s Remote Access Server (RAS). CISA has stated that these flaws could allow an attacker to obtain sensitive information and compromise the RAS along with interconnected devices. Notably, one critical vulnerability, CVE-2022-3703, has a CVSS score of 9.0 and stems from the RAS web portal’s inability to verify firmware authenticity. This could enable attackers to install backdoors on the affected systems.
The advisories also draw attention to a directory traversal vulnerability (CVE-2022-41607, CVSS score: 8.6) and a file upload vulnerability (CVE-2022-40981, CVSS score: 8.3) within the RAS API. Exploitation of these issues can allow unauthorized file access and the potential introduction of malicious software. Israeli cybersecurity firm OTORIO was instrumental in identifying and reporting these vulnerabilities to CISA. ETIC Telecom RAS versions 4.5.0 and earlier are deemed vulnerable, with remediation provided in version 4.7.3.
The second advisory concerns Nokia’s ASIK AirScale 5G Common System Module, with three reported vulnerabilities (CVE-2022-2482, CVE-2022-2483, and CVE-2022-2484), each rated 8.4 on the CVSS severity scale. These vulnerabilities could potentially lead to arbitrary code execution and disrupt secure boot functionality. CISA emphasizes that successful exploitation might result in the execution of malicious code or in the device running compromised or altered Nokia applications. Nokia has published mitigation guidance for the affected ASIK versions.
Lastly, the third advisory covers a path traversal vulnerability impacting Delta Industrial Automation’s DIALink products, tracked as CVE-2022-2969 with a CVSS score of 8.1. An attacker could exploit this flaw to inject malicious code into targeted devices. Delta Industrial Automation has addressed this flaw in version 1.5.0.0 Beta 4, and users are encouraged to contact the company directly for updates.
These vulnerabilities present multifaceted challenges that underscore the critical need for proactive cybersecurity measures in industrial environments. The MITRE ATT&CK framework can help contextualize potential adversary tactics, including initial access through exploitation of public-facing applications and privilege escalation, which could be employed in these types of attacks. For business owners and cybersecurity professionals, staying informed and implementing robust security protocols is paramount in mitigating these risks.
In light of these advisories, concerned parties are encouraged to evaluate their systems for potential exposure and reach out to the respective vendors for support and guidance on remediation strategies.