"CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software"

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued three Industrial Control Systems (ICS) advisories regarding multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation. CISA highlighted three flaws in ETIC Telecom's Remote Access Server (RAS) that could allow attackers to obtain sensitive information and compromise the vulnerable device and other connected machines. This includes CVE-2022-3703 (CVSS score: 9.0), a critical flaw caused by the RAS web portal's inability to verify the authenticity of firmware, allowing an adversary to slip in a rogue package that grants backdoor access. Two other flaws concern a directory traversal bug in the RAS Application Programming Interface (API) (CVE-2022-41607, CVSS score: 8.6) and a file upload flaw (CVE-2022-40981, CVSS score: 8.3), both of which can be exploited to read arbitrary files and upload malicious files that can compromise the device. All versions of ETIC Telecom RAS 4.5.0 and earlier are vulnerable, with the French company addressing the issues in version 4.7.3. This article continues to discuss CISA's warning of critical vulnerabilities in ETIC Telecom, Nokia, and Delta Industrial Automation.

THN reports "CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software"
