Emerson has updates and mitigations to handle cleartext transmission of sensitive information, insufficient verification of data authenticity, insufficiently protected credentials, and download of code without integrity check vulnerabilities in its PACSystem and Fanuc lines, according to a report from CISA.

CISA is aware of a public report, known as "OT:ICEFALL", detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing the risk from these and other cyberattacks.

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities.

Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, or a denial-of-service condition.

The following Emerson products suffer from the vulnerabilities:

  • PAC Machine Edition: All versions (CVE-2022-30263, CVE-2022-30265)
  • PACSystem RXi: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266)
  • PACSystem RX3i: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30265)
  • PACSystem RSTi-EP: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266, CVE-2022-30265)
  • PACSystem VersaMax: All versions (CVE-2022-30263, CVE-2022-30265)
  • Fanuc VersaMax: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266)

In one issue, the affected products use a protocol (SRTP) that allows cleartext transmission of credentials. An attacker who can capture traffic on the control network could retrieve the credentials and gain control of the PLC. Cryptographically secure authentication using the SRP-6a protocol is supported and recommended: enabling it on the PLC prevents replay attacks and forces an attacker to intercept and modify an active connection rather than simply record traffic. Deploying a non-routable control network further requires the attacker to compromise the network topology before any SRTP packets can be intercepted at all.

CVE-2022-30263 has been assigned to this vulnerability, which has a CVSS v3.1 base score of 5.9 and a CVSS v4 base score of 4.4.
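The difference between the two modes described above, as an added illustration that is not Emerson's firmware, Forescout's code, or the SRTP wire format: one side enrolls a verifier, the two sides run an SRP-6a exchange, and a passive sniffer is shown what it captures in each case and why a recorded SRP session cannot be replayed against a server that draws a fresh ephemeral value. The group is the 1024-bit MODP prime from RFC 5054 with g = 2, the hash is SHA-256, and the message list returned as "wire" is a constructed stand-in for the real protocol's framing.

```python
"""SRP-6a password-authenticated key exchange versus cleartext credentials.

Added illustration (not Emerson's or Forescout's code, not SRTP's format).
Group: 1024-bit MODP prime from RFC 5054 Appendix A, g = 2; hash: SHA-256.
"""
import hashlib
import secrets

N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054 requires before hashing."""
    return x.to_bytes(N_LEN, "big")


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = h_int(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return h_int(salt, inner)  # x = H(s | H(I ":" P))


def enroll(username: str, password: str) -> dict:
    """Done once on the PLC: store (salt, verifier). The password itself is never stored."""
    salt = secrets.token_bytes(16)
    return {"I": username, "s": salt, "v": pow(G, private_x(username, password, salt), N)}


def server_step(rec: dict, A: int) -> tuple:
    """Server draws a fresh b for every session and publishes B = k*v + g^b."""
    if A % N == 0:
        raise ValueError("illegal client value A")
    b = secrets.randbelow(N - 2) + 1
    return b, (K_MULT * rec["v"] + pow(G, b, N)) % N


def client_session_key(username: str, password: str, salt: bytes, a: int, A: int, B: int) -> bytes:
    if B % N == 0:
        raise ValueError("illegal server value B")
    u = h_int(pad(A), pad(B))
    x = private_x(username, password, salt)
    base = (B - K_MULT * pow(G, x, N)) % N  # equals g^b only if x is right
    return hashlib.sha256(pad(pow(base, a + u * x, N))).digest()


def server_session_key(rec: dict, b: int, A: int, B: int) -> bytes:
    u = h_int(pad(A), pad(B))
    return hashlib.sha256(pad(pow(A * pow(rec["v"], u, N) % N, b, N))).digest()


def proof(A: int, B: int, key: bytes) -> bytes:
    """Client proof M1; it binds this session's A and B, which is what defeats replay."""
    return hashlib.sha256(pad(A) + pad(B) + key).digest()


def run_exchange(username: str, password: str, rec: dict) -> dict:
    """One login attempt: both keys, the server's verdict, and what a sniffer saw."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    b, B = server_step(rec, A)
    k_client = client_session_key(username, password, rec["s"], a, A, B)
    m1 = proof(A, B, k_client)
    k_server = server_session_key(rec, b, A, B)
    accepted = secrets.compare_digest(m1, proof(A, B, k_server))
    return {"client_key": k_client, "server_key": k_server, "accepted": accepted,
            "wire": [rec["I"].encode(), pad(A), rec["s"], pad(B), m1]}


def replay_accepted(rec: dict, captured_wire: list) -> bool:
    """Attacker re-sends the captured A and M1 verbatim. The server draws a new b,
    so B and the expected proof change and the replay is rejected."""
    A = int.from_bytes(captured_wire[1], "big")
    m1 = captured_wire[4]
    b, B = server_step(rec, A)
    return secrets.compare_digest(m1, proof(A, B, server_session_key(rec, b, A, B)))


def cleartext_login_wire(username: str, password: str) -> list:
    """Constructed model of the unprotected path: the password itself is sent."""
    return [username.encode(), password.encode()]


def sniffer_sees_password(wire: list, password: str) -> bool:
    return any(password.encode() in msg for msg in wire)
```

With SRP-6a enabled, the sniffer records the username, A, the salt, B and M1, none of which contains the password or the verifier, and a recorded M1 is useless in a later session because the server's fresh b changes B. That is the "prevents replay attacks" property the advisory refers to; an attacker must instead tamper with a live connection, which the non-routable control network is meant to make hard.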

In addition, the affected products use the Winloader utility to manage firmware updates over a serial port or a serial-over-Ethernet link, and this channel was found to use no authentication. An attacker could push a malicious firmware image to the controller and cause a denial-of-service condition or achieve remote code execution. This vulnerability only affects versions of the CPE302, 205, and 310 produced before the "-Bxxx" hardware revisions.

CVE-2022-30268 has been assigned to this vulnerability, which has a CVSS v3.1 base score of 4.9 and a CVSS v4 base score of 5.2.

Also, the affected product protects credentials with a simple hashing scheme implemented in client-side JavaScript. An attacker positioned between the client and the device could intercept the hashes, or strip the hashing from the served page, and obtain the credentials in plaintext. These credentials are only valid for 5 minutes due to the TLS protocol used, and the update also requires someone physically present to press a button on the device, so the attack needs on-site presence within a very short window. Even then, the attacker gains only the ability to upgrade or downgrade the firmware version. Because of this man-in-the-middle threat, the documentation recommends limiting physical access to networking equipment and disabling IP routing on control networks. This vulnerability does not apply to older PLCs without a network-based update process.

CVE-2022-30266 has been assigned to this vulnerability, which has a CVSS v3.1 base score of 4.0 and a CVSS v4 base score of 4.1.

Meanwhile, control logic downloaded to the PLC, whether written in one of the IEC 61131-3 languages or written in C and supplied as an ELF binary block, is not cryptographically authenticated, so the controller has no way to tell a legitimate download from a forged one.

CVE-2022-30265 has been assigned to this vulnerability, which has a CVSS v3.1 base score of 4.4 and a CVSS v4 base score of 5.6.
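The three issues above describe code the controller accepts with no check at all (the Winloader path), with only a strippable client-side hash (the network update path), or with no cryptographic authentication (downloaded logic). The following added example, which is not Emerson's code, Winloader, or any PACSystems file format, shows the checks a download handler needs before it flashes anything: an authenticated header, payload integrity bound to that header, a target-model match, and an anti-rollback version check (the advisory notes the hash-stripping attack yields only the ability to upgrade or downgrade). The header layout, the MAGIC value, the target names, and the use of HMAC-SHA256 under a key provisioned on the controller are assumptions for illustration; a shipping product would use a vendor signature over the same fields so the verification key need not be kept secret.

```python
"""Integrity, authenticity and anti-rollback checks before a controller accepts
a downloaded code block (firmware image or control logic).

Added illustration; the header layout and HMAC-based tag are constructed, not
Emerson's format. HMAC-SHA256 keeps the example within the standard library.
"""
import hashlib
import hmac
import struct

MAGIC = b"PLCX"
HEADER = ">4s8sII32s"  # magic, target model, version, payload length, SHA-256(payload)
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = 32


def build_image(key: bytes, target: bytes, version: int, payload: bytes) -> bytes:
    """Engineering-workstation side: header || HMAC(header) || payload."""
    header = struct.pack(HEADER, MAGIC, target.ljust(8, b"\0"), version,
                         len(payload), hashlib.sha256(payload).digest())
    return header + hmac.new(key, header, "sha256").digest() + payload


class Controller:
    """Models the PLC's download handler: authenticate first, parse second, flash last."""

    def __init__(self, key: bytes, target: bytes, version: int):
        self.key = key
        self.target = target
        self.version = version

    def accept(self, image: bytes) -> str:
        if len(image) < HEADER_LEN + TAG_LEN:
            return "reject: truncated header"
        header = image[:HEADER_LEN]
        tag = image[HEADER_LEN:HEADER_LEN + TAG_LEN]
        payload = image[HEADER_LEN + TAG_LEN:]
        # 1. Authenticity of the header before any of its fields are trusted.
        expected = hmac.new(self.key, header, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad authentication tag"
        magic, target, version, length, digest = struct.unpack(HEADER, header)
        # 2. Is this image meant for this controller model?
        if magic != MAGIC or target.rstrip(b"\0") != self.target:
            return "reject: wrong target"
        # 3. Payload integrity, bound to the already-authenticated header.
        if len(payload) != length or not hmac.compare_digest(
                hashlib.sha256(payload).digest(), digest):
            return "reject: payload mismatch"
        # 4. Anti-rollback: only strictly newer code is installed.
        if version <= self.version:
            return "reject: rollback to version %d" % version
        self.version = version
        return "accepted"
```

The order matters: the tag is checked over the raw header bytes before `struct.unpack` interprets them, so a forged length or version never reaches the parser, and the payload hash is part of the authenticated header, so a valid header cannot be re-used with a different payload. The version comparison is what prevents an attacker with a captured, genuinely signed older image from downgrading the controller.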

The products are deployed mainly in the energy sector, on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with access to the control network could still leverage them.

To mitigate the issues, Emerson recommends the following:

For CVE-2022-30263, see the following sections of the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

  • 2.4 General Recommendations
  • 4.3.3 Secure Login
  • 4.3.4 Recommendations, Paragraph 2
  • If SRP-6a is not being used to secure authentication, see Section 2.4 General Recommendations and Section 6.1 Reference Architecture
  • 5.2.1.1 Disabling Ethernet Services

For CVE-2022-30268, see the following sections of the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

  • 4.3 Authentication
  • 4.3.4 Recommendations, Paragraph 3
  • 4.3.4.1 Personnel Security Protection
  • 4.3.4.2 Physical Security Perimeter Protection

Emerson also updated the Fanuc VersaMax Secure Deployment Guide (GFK-2955D) to include corresponding guidance.

For CVE-2022-30266, see the following sections of the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

  • 2.4 General Recommendations
  • 5.2.1.1 Disabling Ethernet Services
  • 6.1 Reference Architecture

For CVE-2022-30265, see the following sections of the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

  • 4.3.4.1 Personnel Security Protection
  • 4.3.4.2 Physical Security Perimeter Protection
ISSSource
