The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
has published three Industrial Control Systems (ICS) advisories
about multiple vulnerabilities in software from ETIC Telecom, Nokia,
and Delta Industrial Automation.

Prominent among them is a set of three flaws affecting ETIC
Telecom’s Remote Access Server (RAS), which “could allow an
attacker to obtain sensitive information and compromise the
vulnerable device and other connected machines,” CISA said.

This includes CVE-2022-3703 (CVSS score: 9.0), a critical flaw
that stems from the RAS web portal’s inability to verify the
authenticity of firmware, thereby making it possible to slip in a
rogue package that grants backdoor access to the adversary.

Two other flaws relate to a directory traversal bug in the RAS
API (CVE-2022-41607, CVSS score: 8.6) and a file upload issue
(CVE-2022-40981, CVSS score: 8.3) that can be exploited to read
arbitrary files and upload malicious files that can compromise the
device.

Israeli industrial cybersecurity firm OTORIO has been credited
with discovering and reporting the flaws. All versions of ETIC
Telecom RAS 4.5.0 and prior are vulnerable, with the issues
addressed by the French company in version 4.7.3.

The second advisory from CISA concerns three flaws in Nokia’s
ASIK AirScale 5G Common System Module (CVE-2022-2482,
CVE-2022-2483, and CVE-2022-2484), which could pave the way for
arbitrary code execution and stoppage of secure boot functionality.
All the flaws are rated 8.4 on the CVSS severity scale.

“Successful exploitation of these vulnerabilities could result
in the execution of a malicious kernel, running of arbitrary
malicious programs, or running of modified Nokia programs,” CISA
noted.

The Finnish telecom giant is said to have published mitigation
instructions for the flaws that impact ASIK versions 474021A.101
and ASIK 474021A.102. The agency is recommending that users contact
Nokia directly for further information.

Lastly, the cybersecurity authority has also warned of a path
traversal vulnerability (CVE-2022-2969, CVSS score: 8.1) that
affects Delta Industrial Automation’s DIALink products and could be
leveraged to plant malicious code on targeted appliances.

The shortcoming has been addressed in version 1.5.0.0 Beta 4,
which CISA said can be obtained by reaching out to Delta Industrial
Automation directly or via Delta field application engineering
(FAEs).

Read more: https://thehackernews.com/2022/11/cisa-warns-of-critical-vulnerabilities.html