Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products

News

Jun 20, 2023Ravie LakshmananOperational Technology

Three security vulnerabilities have been disclosed in operational technology (OT) products from Wago and Schneider Electric.

The flaws, per Forescout, are part of a broader set of shortcomings collectively called OT:ICEFALL, which now comprises a total of 61 issues spanning 13 different vendors.

“OT:ICEFALL demonstrates the need for tighter scrutiny of, and improvements to, processes related to secure design, patching and testing in OT device vendors,” the company said in a report shared with The Hacker News.

The most severe of the flaws is CVE-2022-46680 (CVSS score: 8.8), which concerns the plaintext transmission of credentials in the ION/TCP protocol used by power meters from Schneider Electric.

Cybersecurity

Successful exploitation of the bug could enable threat actors to gain control of vulnerable devices. It’s worth noting that CVE-2022-46680 is one among the 56 flaws originally unearthed by Forescout in June 2022.

Operational Technology

The other two new security holes (CVE-2023-1619 and CVE-2023-1620, CVSS scores: 4.9) relate to denial-of-service (DoS) bugs impacting WAGO 750 controllers that could be activated by an authenticated attacker by sending specific malformed packets or specific requests after being logged out.

In concluding the OT:ICEFALL research, Forescout notes that vendors still lack a fundamental understanding of secure-by-design practices and that they release incomplete patches and fail to implement appropriate security testing procedures.

“This is worrying because as OT products start implementing security controls and end up getting certified, the perception of their security posture might change and the sense of urgency around compensating controls might drop – leading to a false sense of security,” the company said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

How Confidence Between Teams Impacts Cyber Incident Outcomes
INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa
Sellafield Fined for Cybersecurity Failures at Nuclear Site
Why system resilience should mainly be the job of the OS, not just third-party applications
Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

Leave a Reply

Your email address will not be published. Required fields are marked *