CISA warns of critical ICS vulnerabilities in LOYTEC, Hughes, and Baxter products, exposing sensitive data and systems to high-risk attacks.

Key Takeaways

• Three major advisories from CISA address 17 vulnerabilities across products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter.
• Multiple products are affected by vulnerabilities allowing for the cleartext transmission of sensitive data, such as passwords, which could be exploited through Man-in-the-Middle (MitM) attacks. Despite being reported in 2021, these vulnerabilities are now publicly disclosed due to the vendor’s lack of response.
• With 629 internet-exposed instances, primarily in Italy and France, the likelihood of exploitation is high. Proof of Concepts (PoCs) for these vulnerabilities is publicly available.
• Other notable vulnerabilities include insufficiently protected credentials and SQL injection, affecting critical infrastructure systems.

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted multiple vulnerabilities in ICS products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter. Cyble Research & Intelligence Labs (CRIL) stressed critical vulnerabilities and threats identified between September 03, 2024, and September 09, 2024. These vulnerabilities span a range of severity levels and impact various products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter.

Multiple vulnerabilities have been identified in LOYTEC Electronics GmbH’s product line. These issues primarily involve the cleartext transmission and storage of sensitive information, along with missing authentication for critical functions and improper access control. Specifically, CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 are high-severity vulnerabilities that expose sensitive data such as passwords to potential interception through Man-in-the-Middle (MitM) attacks. These vulnerabilities affect multiple products, including LINX-151, LINX-212, LVIS-3ME12-A1, and various models within the LIOB and L-INX Configurator series.

For instance, CVE-2023-46380 and CVE-2023-46382 both deal with cleartext transmission of sensitive information. The risk associated with these vulnerabilities is significant because attackers can intercept and read sensitive data sent over the network. Exploiting CVE-2023-46384 and CVE-2023-46386, which involve cleartext storage of sensitive information, further compounds the risk, as attackers gaining access to these stored data could potentially exploit it for unauthorized purposes.

Additionally, CVE-2023-46381 and CVE-2023-46387 address missing authentication and improper access control issues. These vulnerabilities allow unauthorized access to critical functions and systems, which can lead to broader system compromises if exploited. The absence of proper authentication mechanisms in these cases means that attackers could bypass security measures and gain unauthorized control.

Hughes Network Systems Vulnerabilities

Hughes Network Systems’ WL3000 Fusion Software is affected by two medium-severity vulnerabilities. CVE-2024-39278 and CVE-2024-42495 highlight insufficiently protected credentials and missing encryption of sensitive data, respectively. CVE-2024-39278 exposes credentials that are not adequately protected, which could be intercepted and misused by attackers.

On the other hand, CVE-2024-42495 involves missing encryption for sensitive data, increasing the risk of data breaches and unauthorized access. These vulnerabilities affect versions of the software before 2.7.0.10, emphasizing the importance of updating to the latest versions to mitigate these risks.

Baxter Vulnerabilities

Baxter’s Connex Health Portal has been identified with critical and high-severity vulnerabilities. CVE-2024-6795 is a critical SQL injection vulnerability that affects all versions of the Connex Health Portal, released before August 30, 2024. SQL injection vulnerabilities allow attackers to execute arbitrary SQL commands on the database, potentially leading to unauthorized data access or modification.

In addition, CVE-2024-6796 involves improper access control, which can result in unauthorized access to sensitive application areas. Both vulnerabilities necessitate immediate patching and updates to protect against potential exploits.

The vulnerabilities identified across these ICS products highlight critical risks that need prompt attention. For LOYTEC Electronics GmbH products, the issues primarily involve data security flaws, while Hughes Network Systems and Baxter face vulnerabilities that affect credential protection and data encryption.

Organizations using these systems should prioritize applying available patches and updates, implementing robust access controls, and enhancing their security posture to mitigate the risks posed by these vulnerabilities. The majority of disclosed vulnerabilities are categorized as high severity, emphasizing the critical need for prompt action and mitigation.

Conclusion

These vulnerabilities highlight critical security issues in ICS products from LOYTEC Electronics GmbH, Hughes Network Systems, and Baxter. Key vulnerabilities include cleartext transmission of sensitive data, SQL injection, and improper access controls, all of which pose significant risks. Organizations must act quickly by applying patches, enhancing access controls, and improving security monitoring. These steps are crucial to mitigating the identified risks and protecting critical infrastructure from exploitation.

Mitigations and Recommendations

1. Implement network segmentation to isolate ICS networks from corporate and internet networks. Use firewalls and DMZs to manage traffic between segments.
2. Apply strong, multifactor authentication and limit access based on the principle of least privilege.
3. Keep ICS hardware and software updated with the latest patches to defend against known vulnerabilities.
4. Deploy monitoring tools to detect suspicious activities and maintain logs for forensic investigations.
5. Develop and test an ICS-specific incident response plan for effective handling of security incidents.
6. Educate staff on ICS-specific threats and best practices, emphasizing the risks of social engineering and untrusted software sources.

Sources

• https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
• https://www.cisa.gov/news-events/ics-advisories/icsa-24-249-01
• https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01

Related