Last week, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) issued an industrial control system (ICS) alert on various vulnerabilities affecting Schneider Electric’s Easergy medium voltage protection relays.
“Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay,” revealed the agency in a recent bulletin. “This could result in loss of protection to your electrical network.”
Easergy P3 versions before v30.205 and Easergy P5 versions before v01.401.101 are affected by the two high-severity vulnerabilities. The following are the flaws in detail:
- CVE-2022-22722 (CVSS score of 7.5) – Hardcoded credentials were used. They might be exploited to monitor and modify communications linked with the device.
- CVE-2022-22723 and CVE-2022-22725 (CVSS score of 8.8) – By sending specially designed packets to the relay through the network, a buffer overflow vulnerability might result in program crashes and the execution of arbitrary code.
Schneider Electric patched the weaknesses detected and reported by Red Balloon Security researchers Timothée Chauvin, Paul Noalhyt, and Yuanshe Wu as part of updates released on January 11, 2022. The warning comes after CISA released another alert of multiple critical vulnerabilities in Schneider Electric’s Interactive Graphical SCADA System (IGSS) that, if exploited, could lead to “data disclosure and loss of control of the SCADA system with IGSS running in production mode.”
In related news, the US Federal Bureau of Investigation has issued a security alert for General Electric’s Proficy CIMPLICITY SCADA software, warning of two security flaws that might be exploited to divulge sensitive information, gain code execution, and escalate local privileges. The advisories follow a Year In Review report from industrial cybersecurity firm Dragos that found that 24% of 1,703 ICS/OT flaws reported in 2021 had no patches available, with 19% having no mitigation, preventing operators from taking any steps to protect their systems from potential threats.
Dragos also discovered malicious activity from three new groups targeting ICS systems last year, including Kostovite, Erythrite, and Petrovite, which each targeted the OT environments of renewable energy, electrical utility, and mining and energy firms in Canada, Kazakhstan, and the United States.