A report published recently by the Cybersecurity and Infrastructure Security Agency (CISA) warned about two new ICS vulnerabilities found in products widely used in healthcare, critical manufacturing, and other sectors susceptible to cybercrime activity.
Among the affected products are Baxter's Connex Health Portal, as well as Mitsubishi Electric's MELSEC line of programmable controllers for the home and office.
In response, both vendors have released updates to fix the vulnerabilities and have recommended mitigations for customers who wish to reduce risk further.
According to CISA's advisory, two vulnerabilities were identified in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that could be exploited remotely and have low attack complexity.
One of the vulnerabilities, assigned CVE-2024-6795, is a highest-severity (CVSS score of 10.0) SQL injection flaw that an unauthenticated attacker could exploit to run arbitrary SQL queries on affected systems. CISA said this vulnerability would allow attackers to view, manipulate, and delete sensitive data, in addition to taking other administrator-level actions, including shutting down the database in some cases.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released various advisories regarding industrial control systems (ICS), including one specifically for medical devices as well as two updates. The advisories are intended to provide ICS owners with timely information about security threats, vulnerabilities, and exploits. The cybersecurity agency had previously announced that it was deploying advisories across critical infrastructure sectors to warn users and technical administrators about ICS vulnerabilities and offer mitigation strategies.
Hughes Network Systems has identified hardware vulnerabilities in its WL3000 Fusion software equipment that are caused by bugs in the hardware.
This report contains updated information on vulnerabilities in Mitsubishi Electric's MELSEC iQ-R, Q, and L Series, as well as the MELSEC iQ-R, iQ-L Series, and the MELIPC Series, which are all produced by Mitsubishi Electric. During the CISA study, the vulnerability in the hardware architecture of the Baxter Connex Health Portal was also identified.
CISA warned in an advisory that Hughes' WL3000 Fusion Software, deployed across critical infrastructure sectors, has several vulnerabilities, including insufficiently protected credentials and sensitive data that is not encrypted. The report states that if these vulnerabilities are exploited successfully, an attacker could gain read-only access to information associated with network configurations and terminal configurations, and otherwise gain access to confidential data.
Credentials for gaining access to device configuration information are stored unencrypted in flash memory. With these credentials, it is possible to gain read-only access to information about the network configuration and terminal configuration. This vulnerability has been assigned CVE-2024-39278. The CVSS v3.1 base score was determined to be 4.2 out of a possible five points, and the CVSS v4 base score was calculated to be 5.1.
The CISA report also revealed that credentials for accessing device configurations were being transmitted using an unencrypted protocol. These credentials would allow access only to the data associated with the configuration of the network and the terminals.
This vulnerability has been identified as CVE-2024-42495 and has been assigned a severity of critical. The CVSS v3.1 base score has been determined to be 6.5, and the CVSS v4 base score has been calculated to be 7.1.
At the time the advisory was published, Hughes Networks pointed out that the vulnerabilities had been corrected and that no user action was required.
There is a risk of remote, unauthenticated attackers running arbitrary SQL queries, including accessing, changing, and deleting sensitive data, as well as performing administrative operations on the database such as halting it.
One of the two vulnerabilities in this system has been assigned CVE-2024-6795, and a CVSS v3.1 base score of 10.0 has been calculated for it.
The CISA report also indicated that the application has an improper access control vulnerability. As a result, an unauthorized user could gain access to clinical and sensitive information about patients, as well as change or delete information about the clinic.
This vulnerability has been identified as CVE-2024-6796 and has been assigned a CVSS v3.1 base score of 8.2, which makes it a high-severity vulnerability.
According to the advisory, Baxter is unaware of any exploitation of these vulnerabilities or any compromise of personally identifiable information or health information related to them.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified and flagged vulnerabilities in industrial control systems (ICS) used in products from Baxter and Mitsubishi.
These vulnerabilities, which posed potential cybersecurity risks, were promptly addressed by both companies. Following their discovery, Baxter implemented the necessary patches to rectify the issues. As a result, no further action is required from users at this time.
In addition to these remedial actions, CISA has issued general recommendations to mitigate future risks. One of the key suggestions is to minimize network exposure for all control system devices and systems, ensuring that they are not directly accessible from the internet.
CISA further advises that control system networks and remote devices should be placed behind firewalls and segregated from business networks to enhance security.
For instances where remote access is necessary, organizations are encouraged to adopt more secure solutions such as Virtual Private Networks (VPNs). However, CISA stresses the importance of maintaining up-to-date versions of VPN software, as vulnerabilities may exist in older versions.
It is also emphasized that the overall security of the VPN is dependent on the security of the devices it connects to, underscoring the need for comprehensive security measures across all connected devices.
By following these defensive measures, organizations can reduce the likelihood of exploitation and enhance the security of their industrial control systems against potential cyber threats.