CISA warns of security holes in industrial Advantech, Hitachi kit

When we concede that everything has bugs, we wish it wasn't quite everything


This week, the US government's Cybersecurity and Infrastructure Security Agency (CISA) expanded its ever-growing list of vulnerabilities in industrial control systems (ICS) and critical infrastructure technology.

The latest warnings flag up severe flaws in products from Advantech and Hitachi Energy, which serve both consumer and commercial markets.

The twin advisories include alerts about security holes in Advantech's R-SeeNet that can be exploited by remote attackers to take control of this industrial network router monitoring software or to delete PDF files from the system.

Two of the vulnerabilities – tracked as CVE-2022-3386 and CVE-2022-3385, with severity scores of 9.8 out of 10 – involve stack-based buffer overflow flaws in version 2.4.17 and earlier of the R-SeeNet software, according to the agency. Both vulnerabilities would allow "an unauthorized attacker [to] use an outsized filename to overflow the stack buffer and enable remote code execution," the advisory stated.

The third bug is a traversal flaw affecting version 2.4.19 of the software that would enable an attacker to exploit vulnerable PHP code to delete PDF files.

Appliances running the R-SeeNet software are used in such industrial sectors as manufacturing, energy, water, and wastewater, according to CISA.

Advantech recommends organizations update their R-SeeNet software to version 2.4.21 or later, while CISA advises they minimize the exposure of the appliances – as with all control system devices – to the public internet. Local control system networks and remote devices should be housed behind firewalls and isolated from business networks. If remote access is needed, orgs should use VPNs and other security controls.

The advisory regarding Hitachi Energy's Transformer Asset Performance Management (APM) Edge appliances is an update to an alert issued December 2, 2021 about 29 flaws impacting versions 1.0, 2.0, and 3.0. The on-premises software is used to manage electrical transformers.

"Hitachi Energy is aware of public reports of this vulnerability in the following open source software components: OpenSSL, LibSSL, libxml2 and GRUB2 bootloader," CISA wrote in its alert. "The vulnerability also affects some APM Edge products. An attacker who successfully exploits this vulnerability could cause the product to become inaccessible."

The manufacturer advises organizations upgrade to version 4.0, which includes updates to the vulnerable components that remediate the issue. Hitachi Energy also offers a deeper dive into the flaws and remediation.

CISA has been vocal about the cyber threats to ICS and other critical equipment. It has warned that cyber-crews are targeting such environments, as illustrated by the attacks last year on Colonial Pipeline and JBS Foods.

CISA and other US federal bodies – including the FBI, Department of Energy, and the NSA – warned in April that snoops were creating custom tools specifically to gain control of ICS and supervisory control and data acquisition (SCADA) devices.

The alerts about Advantech and Hitachi Energy come a week after CISA issued advisories about vulnerabilities in 25 ICS products from Siemens, Hitachi, and Mitsubishi Electric, and a month after similar alerts about eight such systems.

So very many vulns

In a report earlier this year, SynSaber, an operational technology (OT) cybersecurity and asset monitoring firm, said that in the first half of 2022 CISA acknowledged 681 CVE-assigned security bugs. The company broke down the CVEs into a number of categories – from those that can be patched with software to ones that can't be remedied without changing protocols or replacing systems.

It found there were no patches or remediation available for 13 percent of the vulnerabilities, and another 34 percent required firmware updates. It warned that 40.7 percent of the flaws were urgent and should be prioritized. Another 50.7 percent required more complex remediation – such as firmware updates that address a large number of devices in the field – but still required urgent attention.

"One cannot simply patch away a protocol vulnerability, or upgrade an entire SCADA environment," the report's authors wrote. "Organizations may be dealing with these CVEs for a long time, and other compensating controls will likely be required."

"The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease. It's important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized," they added. ®
