Forescout Technologies recently disclosed three vulnerabilities affecting operational technology (OT) products from Wago and Schneider Electric as part of its OT:Icefall research initiative. This disclosure follows the earlier public revelation of 61 vulnerabilities impacting over 100 OT products from 13 different vendors. Two of the newly identified vulnerabilities, tracked as CVE-2023-1619 and CVE-2023-1620, affect Wago 750 controllers running the Codesys v2 runtime.
An authenticated attacker could exploit either Wago flaw to cause a denial-of-service (DoS) condition. One stems from a poorly implemented protocol parser and the other from insufficient session expiration; both allow an authenticated attacker to crash the device, and recovery in both cases requires a manual reboot. Wago 750 automation controllers, widely used in commercial facilities, energy, manufacturing, and transport, support protocols such as BACnet/IP, CANopen, DeviceNet, Ethernet/IP, KNX, LonWorks, Modbus, and PROFIBUS. Forescout also revealed details of a high-severity vulnerability in the Schneider Electric ION and PowerLogic product lines that was identified earlier but withheld from disclosure at the vendor's request. Tracked as CVE-2022-46680, this vulnerability affects the power meters' ION/TCP protocol implementation, which transmits user credentials in plaintext with every message.
Although these devices should never be reachable from the internet, Forescout found between 2,000 and 4,000 potentially unique devices exposed online, which underscores the need to secure these critical systems. As the one-year OT:Icefall research effort concludes, Forescout highlights cases in which incomplete patches, some originating in software supply-chain components, led to new vulnerabilities. Even so, the vendor response to OT:Icefall has been commendable, particularly compared with the 2021 Project Memoria research, where only 22.5% of the impacted vendors issued advisories for roughly 100 vulnerabilities in TCP/IP stacks. The comprehensive advisories published for most of the discovered flaws demonstrate an improvement in how vulnerabilities in critical infrastructure are addressed.