Top ICS Vulnerabilities This Week: Cyble Urges Siemens and Rockwell Automation Fixes

Key Takeaways

• Cyble researchers this week investigated 11 industrial control system (ICS) vulnerabilities, in systems from Siemens, Rockwell Automation, Yokogawa, Kastle Systems, IDEC Corporation and MegaSys Computer Technologies.
• Two of the vulnerabilities require immediate attention: an uncontrolled resource consumption vulnerability in Siemens SIMATIC S7-200 SMART CPUs, and an insufficient verification of data authenticity vulnerability in Rockwell Automation’s RSLogix 5 and RSLogix 500 software that could allow scripts to execute without user intervention.
• Cyble researchers also reported on the additional 9 ICS vulnerabilities, and recommended 11 ICS security best practices for organizations to implement and follow.

Overview

Cyble Research and Intelligence Lab (CRIL) researchers investigated 11 vulnerabilities in industrial control systems (ICS) for the week of Sept. 17-23 and urged security teams to prioritize patching two of them, in Siemens SIMATIC S7-200 SMART CPUs and Rockwell Automation’s RSLogix 5 and RSLogix 500 software.

The other 9 vulnerabilities are in systems from Yokogawa, Kastle Systems, IDEC Corporation and MegaSys Computer Technologies.

Siemens and Rockwell Automation Vulnerabilities

Cyble researchers recommend prioritizing two vulnerabilities in particular:

CVE-2024-43647, which affects multiple Siemens SIMATIC S7-200 SMART CPUs, including various CR, SR, and ST models. This vulnerability stems from improper handling of TCP packets with incorrect structures, which can lead to a denial-ofservice (DoS) condition. An unauthenticated attacker can remotely exploit this flaw with minimal complexity, potentially causing the target system to become unavailable. The vulnerability does not compromise confidentiality or integrity but significantly impacts availability, as it can entirely disrupt access to affected devices until manual intervention is applied to restore operations.

CVE-2024-7847 is a high-severity vulnerability found in Rockwell Automation’s RSLogix 5 and RSLogix 500 software, which are widely used in industrial control systems (ICS). This flaw allows remote code execution (RCE) through malicious VBA-embedded scripts within project files. Once an unsuspecting user opens a manipulated project file, the embedded script can execute without user intervention, potentially giving attackers unauthorized access to critical systems.

Other ICS Vulnerabilities

The other vulnerabilities investigated by CRIL researchers include:

CVE-2024-45682, a command injection vulnerability in Millbeck Communications Proroute H685t-w: Version 3.2.334

CVE-2024-38380, a cross-site scripting (XSS) vulnerability in Millbeck Communications Proroute H685t-w: Version 3.2.334

CVE-2024-8110, an unchecked return value flaw in Yokogaw’s Dual-redundant Platform for Computer (PC2CKM): Versions R1.01.00 to R2.03.00

CVE-2024-41927, a cleartext transmission of sensitive information vulnerability in certain IDEC Corporation FC6A and FC6B Series MICROSmart CPU modules and FT1A Series SmartAXIS Pro/Lite versions

CVE-2024-28957, a generation of predictable identifiers flaw in certain IDEC Corporation FC6A and FC6B Series MICROSmart CPU modules and FT1A Series SmartAXIS Pro/Lite versions

CVE-2024-41716, a cleartext transmission of sensitive information vulnerability in IDEC Corporation WindLDR: Ver.9.1.0 and prior, and WindO/I-NV4: Ver.3.0.1 and prior

CVE-2024-6404, an improper input validation vulnerability in MegaSys Computer Technologies Telenium Online Web Application: versions 8.3 and prior

CVE-2024-45861, a use of hardcoded credentials flaw in Kastle Systems Access Control System: firmware before May 1, 2024

CVE-2024-45862, a cleartext transmission of sensitive information vulnerability in Kastle Systems Access Control System: firmware before May 1, 2024

Cyble Recommendations

Cyble researchers also recommended 11 ICS security best practices for security teams to follow:

1. Keep track of security and patch advisories and alerts issued by vendors and state authorities.
2. Follow a risk-based vulnerability management approach to reduce the risk of exploitation of assets and implement a Zero-Trust Policy.
3. Threat Intelligence Analysts should support the organizational patch management process by continuously monitoring critical vulnerabilities published in the KEV Catalog of CISA, actively exploited in the wild, or identified in mass exploitation attempts on the internet.
4. Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
5. Implement proper network segmentation to prevent attackers from performing discovery and lateral movement and to minimize exposure of critical assets.
6. Conduct regular audits, vulnerability assessments, and pentesting exercises to find security loopholes that attackers may exploit.
7. Continuous monitoring and logging can help in detecting network anomalies early.
8. Utilize Software Bill of Materials (SBOM) to gain more visibility into individual components, libraries, and their associated vulnerabilities.
9. Install physical controls to prevent unauthorized personnel from accessing your devices, components, peripheral equipment, and networks.
10. Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
11. Conduct ongoing cybersecurity training programs for all employees, particularly those with access to OT systems. This includes educating staff on recognizing phishing attempts, proper use of authentication mechanisms, and the importance of following security protocols to prevent accidental security breaches.