November 25, 2024 at 11:03AM
The myPRO system by mySCADA has critical vulnerabilities allowing remote attackers to gain control. Discovered by researcher Michael Heinzl, the flaws include OS command injection and improper authentication. mySCADA has released patches, but the exact number of vulnerable systems remains unclear. CISA reports no known exploitations to date.
### Meeting Takeaways
1. **Vulnerability Overview**: The myPRO product by mySCADA has multiple critical vulnerabilities that can allow remote, unauthenticated attackers to gain full control of the affected systems.
2. **Product Description**: myPRO operates as a human-machine interface (HMI) and supervisory control and data acquisition (SCADA) system, compatible with Windows, macOS, Linux, servers, PCs, and embedded devices.
3. **Vulnerability Discovery**: Cybersecurity researcher Michael Heinzl discovered five significant flaws within myPRO’s Manager and Runtime components.
4. **Types of Vulnerabilities**: The vulnerabilities include:
– OS command injection
– Improper and missing authentication
– Path traversal issues
5. **Severity Ratings**: Four vulnerabilities have been classified as ‘critical’, while one is labeled as ‘high severity’.
6. **Exploitation Potential**: The flaws enable attackers to execute arbitrary OS commands with elevated privileges and gain unauthorized system access, potentially leading to a complete compromise of the product and its underlying system.
7. **Patch Release**: In response to these vulnerabilities, mySCADA released patches with myPRO Manager 1.3 and myPRO Runtime 9.2.1 in July and August 2024.
8. **System Exposure**: There are indications from internet search engine Censys that numerous mySCADA HMIs are exposed online; however, it remains uncertain how many are vulnerable due to the recent vulnerabilities.
9. **Default Configuration Risks**: The default settings of the vulnerable service are noteworthy; it listens on all network interfaces once installed, which can increase exposure risks.
10. **Current Security Status**: CISA has stated that, as of now, they are not aware of any active exploitation of these vulnerabilities.
11. **Historical Context**: This is not the first instance of critical vulnerabilities being found in mySCADA’s myPRO product; similar issues were noted in 2021.
### Next Steps
– Monitor for further updates and advisories from CISA and mySCADA.
– Assess system configurations and apply patches if using affected versions of myPRO.
– Consider conducting a security audit on internet-exposed mySCADA systems.