Thursday, July 4, 2024

ICS Network Controllers Open to Remote Exploit, No Patches Available

A security advisory issued this week by the Cybersecurity and Infrastructure Security Agency (CISA) alerts administrators to vulnerabilities in two industrial control system devices: Unitronics Vision Series PLCs and the Mitsubishi Electric MELSEC iQ-R Series.

CISA warned that the Unitronics Vision Series PLC controller is open to remote exploit because it stores passwords in a recoverable format. This vulnerability (CVE-2024-1480) was assigned a CVSS score of 8.7.

Unitronics has not responded to, or worked with, the agency to mitigate the issue, leaving networks with these devices open to cyberattack, according to CISA. The advisory recommends ensuring the controllers are not connected to the Internet, isolating them from business networks, protecting the devices behind firewalls, and using secure methods, such as virtual private networks (VPNs), for remote access.

The remaining ICS vulnerabilities affect the Mitsubishi Electric Corporation MELSEC iQ-R CPU Module. A design flaw in the CPU, tracked as CVE-2021-20599, has been assigned a CVSS score of 9.1. The device transmits passwords in cleartext, where they are easily intercepted by adversaries.

The Mitsubishi MELSEC CPUs also harbor a trio of reported flaws that could allow a threat actor to compromise usernames, access the system, and deny access to legitimate users. These include: exposure of sensitive information (CVE-2021-20594, CVSS 5.9); insufficiently protected credentials (CVE-2021-20597, CVSS 7.4); and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).

Mitsubishi is working to provide mitigations and workarounds for the issues. However, systems with these devices cannot be updated with a fix, according to CISA. The agency advises administrators with these devices on their networks to shore up defenses with firewalls, remote access limitations, and IP address restrictions.

“Mitsubishi Electric has released the fixed version … but updating the product to the fixed version is not available,” the advisory said. “CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.”
