Introduction

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory to manufacturing companies [5], highlighting significant vulnerabilities in industrial control systems (ICS) from Rockwell Automation and Mitsubishi Electric. These vulnerabilities pose substantial risks, including unauthorized access and potential denial-of-service (DoS) attacks, necessitating immediate attention and action from affected organizations.

Description

The advisory [2] [3] [4], published on October 31 [3], details several sets of vulnerabilities affecting ICS:

  1. Rockwell Automation FactoryTalk ThinManager: Advisory ICSA-24-305-01 identifies two critical vulnerabilities, CVE-2024-10386 and CVE-2024-10387 [3]. CVE-2024-10386 [3] [4], with a CVSS score of 9.8 [3] [4], involves a missing authentication check that allows attackers with network access to send crafted messages [4], potentially leading to database manipulation [3] [5]. CVE-2024-10387 [3] [4], which has a CVSS score of 8.7, pertains to an out-of-bounds read. Both vulnerabilities are remotely exploitable with low attack complexity [3], posing significant risks to users, including the potential for denial-of-service (DoS) attacks.

  2. Mitsubishi Electric FA Engineering Software Products: Advisories ICSA-24-030-02 and ICSA-24-135-04 address a major vulnerability, CVE-2023-6943 [3] [4], which also has a CVSS score of 9.8 [4]. This vulnerability allows an attacker to execute malicious code by remotely invoking a function linked to a malicious library [3], potentially resulting in unauthorized access [3], data tampering [3], or denial-of-service conditions [3].

  3. Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series: The vulnerability CVE-2023-2060, noted in advisory ICSA-23-157-02, involves an authentication bypass in an FTP function due to weak password requirements [3]. This flaw permits remote, unauthenticated access via FTP through dictionary attacks or password sniffing [3], with a CVSS score of 8.7 [3] [4].

CISA recommends that manufacturing companies take defensive measures to mitigate the risk of exploitation of these vulnerabilities [1]. Key recommendations include minimizing network exposure by ensuring that control system devices are not accessible from the internet [1], placing control system networks behind firewalls [1], and isolating them from business networks [1]. For remote access [1], CISA advises using secure methods such as Virtual Private Networks (VPNs) [1], while acknowledging that VPNs may have vulnerabilities and should be kept updated [1]. Organizations are urged to conduct proper impact analysis and risk assessments before implementing these defensive measures [1].
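One way to check a firewall policy against the exposure and isolation recommendations above is sketched below. This is an added example, not code from CISA or the cited sources; the address ranges, rule names and the rule tuple format are constructed assumptions. It also flags FTP (port 21) crossing into control system networks, since CVE-2023-2060 concerns an FTP function.

```python
import ipaddress

# Constructed sample zones and rules (assumptions, not taken from the advisory).
ICS_NETS = [ipaddress.ip_network("10.50.0.0/16")]       # control system networks
BUSINESS_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # business networks
VPN_NETS = [ipaddress.ip_network("10.99.0.0/24")]       # remote-access VPN pool

# (name, action, source CIDR, destination CIDR, destination port; None = any port)
RULES = [
    ("vpn-to-eng-ws", "allow", "10.99.0.0/24", "10.50.20.0/24", 3389),
    ("office-to-plc-ftp", "allow", "10.10.0.0/16", "10.50.30.0/24", 21),
    ("any-to-hmi", "allow", "0.0.0.0/0", "10.50.40.10/32", 443),
    ("hist-to-office", "allow", "10.50.60.0/24", "10.10.5.0/24", 1433),
    ("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def source_zone(src):
    """Name the zone that fully contains `src`; anything wider is 'external'."""
    for zone, nets in (("ics", ICS_NETS), ("vpn", VPN_NETS), ("business", BUSINESS_NETS)):
        if any(src.subnet_of(n) for n in nets):
            return zone
    return "external"

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that expose ICS networks.

    Rule order and shadowing are not modelled: each allow rule is judged alone.
    """
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not any(dst_net.overlaps(n) for n in ICS_NETS):
            continue  # rule does not reach a control system network
        zone = source_zone(src_net)
        if zone == "external":
            findings.append((name, "ICS reachable from outside the internal zones"))
        elif zone == "business":
            findings.append((name, "ICS not isolated from the business network"))
        if zone != "ics" and port in (21, None):
            findings.append((name, "FTP to ICS allowed across a zone boundary"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule}: {finding}")
```

The VPN rule passes because remote access through a VPN is the method the recommendations endorse; the check says nothing about whether the VPN itself is kept updated.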

The advisory also mentions additional vulnerabilities with lower severity scores and includes CISA’s recommendations for mitigation strategies. Companies observing suspicious activity are encouraged to follow internal procedures and report findings to CISA for tracking and correlation [1]. Given the targeting of smart factories in the ICS sector and the increasing threat from nation-state actors, particularly from Russian and Chinese advanced persistent threats (APTs) [4], manufacturers are strongly urged to apply patches and mitigations promptly [4]. Currently, no public exploitation specifically targeting these vulnerabilities has been reported [1]. Users and administrators are encouraged to review these advisories for further technical details [2].

Conclusion

The vulnerabilities identified in the advisory underscore the critical need for manufacturing companies to enhance their cybersecurity posture. Immediate implementation of CISA’s recommended defensive measures is essential to mitigate potential risks. As the threat landscape evolves, particularly with the involvement of nation-state actors, organizations must remain vigilant, ensuring that their systems are updated and secure. Proactive measures, including regular patching and risk assessments, will be crucial in safeguarding against future threats.

References

[1] https://www.assurantcyber.com/blog/icsa-24-305-01/
[2] https://www.cisa.gov/news-events/alerts/2024/10/31/cisa-releases-four-industrial-control-systems-advisories
[3] https://www.infosecurity-magazine.com/news/cisa-critical-vulnerabilities-ics/
[4] https://www.darkreading.com/vulnerabilities-threats/critical-auth-bugs-smart-factory-cyberattack
[5] https://thecyberwire.com/podcasts/daily-podcast/2182/transcript