The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec.
The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) and command injection (CVE-2022-2068, CVSS score: 9.8).
Also patched by Siemens is an authentication bypass vulnerability in llhttp parser (CVE-2022-35256, CVSS score: 9.8) as well as an out-of-bounds write bug in the OpenSSL library (CVE-2022-2274, CVSS score: 9.8) that could be exploited to trigger remote code execution.
The German automation company, in December 2022, released Service Pack 2 Update 1 software to mitigate the flaws.
Separately, a critical flaw has also been revealed in GE Digital’s Proficy Historian solution that could result in code execution regardless of authentication status. The issue, tracked as CVE-2022-46732 (CVSS score: 9.8), impacts Proficy Historian versions 7.0 and higher, and has been remediated in Proficy Historian 2023.
images from Hacker News
Recent Comments