German industrial automation solutions provider Wago has released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities, including ones that can be exploited to take full control of the targeted device. Two of the flaws have been assigned a critical severity rating based on their CVSS score, including CVE-2022-45138, a missing authentication issue, and CVE-2022-45140, which allows an unauthenticated attacker to write arbitrary data with root privileges. According to Ryan Pickren from the Georgia Institute of Technology’s Cyber-Physical Security Lab, “These bugs can be chained together and weaponized in two different ways: 1) direct network access (I.e. the adversary is within the ICS or is attacking an Internet-facing device) or 2) Via cross-origin web requests (I.e. the adversary lures somebody within the ICS into viewing their malicious website). Neither scenario requires any user-interaction (besides just visiting the site) or permissions. The chain is completely unauthenticated.” In a real-world attack, a threat actor could exploit these vulnerabilities to maliciously control actuators, falsify sensor measurements, and disable all safety controls. Pickren said these vulnerabilities are part of a much larger trend in ICS security that will be described in detail in an upcoming academic paper.
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.
By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.
Accelerate Security Teams
Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.