November 1, 2024 at 01:20PM
CISA warns of critical security vulnerabilities in Mitsubishi Electric and Rockwell Automation factory automation software, allowing remote code execution, authentication bypass, and denial-of-service. Two severe bugs (CVE-2023-6943, CVE-2024-10386) have high CVSS scores of 9.8. Manufacturers should apply mitigations promptly due to increased cyber threats from nation-state actors.
### Meeting Takeaways
1. **Critical Vulnerabilities Identified**:
– **Mitsubishi Electric (CVE-2023-6943)**:
– CVSS Score: 9.8
– Risks: Remote code execution (RCE), authentication bypass, denial-of-service (DoS), data manipulation.
– **Rockwell Automation (CVE-2024-10386)**:
– CVSS Score: 9.8
– Risks: Potential for database manipulation due to missing authentication check.
2. **Summary of Vulnerabilities**:
– The vulnerabilities are part of a broader set of issues affecting the smart factory portfolios of both companies, outlined in CISA’s Halloween disclosure.
– Current mitigations have been provided by the suppliers to help manufacturers prevent future breaches.
3. **Noncritical Issues**:
– **Rockwell Automation**:
– CVE-2024-10387: Out-of-bounds read leading to DoS (CVSS 7.5).
– **Mitsubishi Electric**:
– CVE-2023-6942: Unauthenticated bypass of authentication (CVSS 7.5).
– CVE-2023-2060: Authentication bypass in MELSEC iQ-R/iQ-F Series via weak FTP requirements (CVSS 8.7).
4. **Recommendations for Manufacturers**:
– Immediate application of patches and mitigations is essential due to the high-profile target status of smart factories.
– Increased vigilance is advised due to ongoing nation-state cyber threats, particularly from Russian and Chinese advanced persistent threats (APTs) targeting critical infrastructure.
5. **Contextual Risks**:
– CISA has reported a rise in cyberattacks on US utilities, telecoms, and critical infrastructure.
– Canada is also experiencing sustained cyber assaults, particularly from China.
**Action Items**:
– Ensure all relevant software and systems are patched according to the guidance provided by Mitsubishi Electric and Rockwell Automation.
– Monitor for updates on emerging threats and vulnerabilities affecting industrial control systems.