Industrial software vuln actively exploited says CISA – but little evidence of real-world attacks
A Delta Electronics industrial control system (ICS) software package is being actively targeted according to CISA, which has added 10 new vulnerabilities to its KEV catalogue, including four critical vulns.
CVE-2021-38406, affecting Delta’s DOPSoft 2 software, was first reported in April 2021; improper validation of user-supplied data can allow out-of-bounds writes, potentially allowing code execution.
While the vuln, rated as 7.8 (high), is less severe than some others newly added to the CISA KEV catalogue, the potential for attackers to infiltrate ICSs makes this issue highly notable. The risks from infiltration of industrial systems and operational technology (OT) have become an increasing concern due to the escalating volume of cyber attacks against industrial organisations such as utilities.
The recent hack of South Staffs Water by ransomware group Clop is a case in point: while the company claimed its SCADA systems were unaffected, security researcher Kevin Beaumont’s analysis of the Clop data dump suggests they did access control systems. This would have potentially allowed them to affect water supplies, although there is no evidence they did; The Stack has contacted South Staffs Water for comment.
According to a Kaspersky report, almost 40% of industrial control systems were targeted by attackers in the second half of 2021, although these attacks mostly consisted of stealing credentials, deploying spyware, or dropping cryptocurrency mining software – rather than seeking to control industrial systems. Attacks which actually affect physical environments are rare, but – like the recent attack on an Iranian foundry – can have significant consequences.
What is CVE-2021-38406?
The software affected by CVE-2021-38406, DOPSoft, is used to program Delta’s Human Machine Interface (HMI) devices, and can also communicate with other Delta software and hardware systems, albeit in limited ways. Delta is based in Taiwan, and its ICS products are widely used in manufacturing and building automation.
Because of the way DOPSoft is used, actual exploitable situations involving the software are likely rare – but could result in very serious consequences if an attacker were able to make changes to HMI devices or other systems.
Security researchers who picked up on the KEV addition failed to find any details of how the vulnerability is being actively exploited. The most prominent recent reference to it is in a report from Palo Alto’s Unit 42 on exploits observed in the wild, published on 19 August – but while the Delta CVE is tagged in the article, it doesn’t provide any details as to how it is being exploited (in contrast to specific discussion of two-dozen other vulnerabilities).
The vulnerability only affects DOPSoft v2.00.07 and earlier. That version of the software was released in 2017, and the current DOPSoft is version 4. As the affected software is EOL, official advice is to stop using it – in theory one of the easier fixes among the wider set of Operational Technology security flaws, though in practice, given complex dependencies and asset discovery problems in the OT space, not always as simple as it sounds.
See: Potemkin security standards propping up “insecure by design” OT
The Stack has contacted Delta, Palo Alto and CISA for comment.
Along with the potentially worrying CVE-2021-38406, the new critical additions to the CISA KEV catalogue include CVE-2022-26352, a flaw in dotCMS 3.0, which can lead to RCE thanks to the ability to upload files with unsanitised file names, allowing attackers to save executable files in improper locations.
CVE-2022-24706 affects Apache CouchDB prior to version 3.2.2, allowing RCE on improperly secured default installations of the database. The NIST listing notes: “The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.”
CVE-2022-24112 affects Apache APISIX, with attackers using the batch-requests plugin to bypass IP restrictions on the admin API. APISIX’s use of a default, built-in API token makes this more severe, allowing RCE – but even if this is changed, IP checks can still be bypassed.
CVE-2022-22963 covers VMware’s Spring Cloud Function, where a malicious Spring Expression can allow RCE in versions 3.2.2, 3.1.6 and earlier when the routing functionality is used. Upgrading to later versions of Spring Cloud Function mitigates the issue.
Other high-rated vulnerabilities which CISA says are now being actively exploited include a heap buffer overflow in Google Chrome’s WebRTC (CVE-2022-2294), the ability to view and delete database snapshots in Grafana (CVE-2021-39226), and sandbox escape in a wide variety of Apple software (CVE-2021-31010).
Two vulnerabilities in PEAR, the open-source PHP component repository, also made the KEV list: CVE-2020-36193 and CVE-2020-28949. Both rely on inadequate checking of filenames and symbolic links, enabling forbidden write operations.
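The dotCMS and PEAR entries above share a root cause: a filename or link taken from untrusted input is written to disk without checking where it actually lands. The following is an added example (not code from dotCMS, PEAR or any of the projects above) of the kind of check an extraction or upload routine needs: it rejects absolute names and `..` components, resolves the write path through anything already on disk so a symlink planted by an earlier entry cannot redirect a later write, and requires symlink targets to stay inside the destination. The `demo()` function and its directory layout are constructed here for illustration.

```python
import os
import tempfile


def is_safe_member(dest_root, member_name, link_target=None):
    """Return True only if writing `member_name` below dest_root cannot escape it.

    link_target is set when the entry is a symbolic link; the link must also
    resolve to a location inside dest_root.
    """
    root = os.path.realpath(dest_root)
    if not member_name or os.path.isabs(member_name):
        return False
    # Reject any '..' component. Normalising the string alone is not enough,
    # which is why the filesystem resolution below is also needed.
    if ".." in member_name.replace("\\", "/").split("/"):
        return False
    # Resolve through whatever already exists on disk (including symlinks
    # created by earlier entries) and require the result to stay under root.
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        return False
    if link_target is not None:
        if os.path.isabs(link_target):
            return False
        resolved = os.path.realpath(os.path.join(os.path.dirname(target), link_target))
        if os.path.commonpath([root, resolved]) != root:
            return False
    return True


def demo():
    """Constructed scenario: a staging directory that already contains a
    symlink pointing outside it, as an earlier malicious entry could create."""
    root = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    os.symlink(outside, os.path.join(root, "escape"))
    return {
        "plain": is_safe_member(root, "reports/q3.pdf"),
        "dotdot": is_safe_member(root, "../../var/www/shell.php"),
        "absolute": is_safe_member(root, "/etc/cron.d/job"),
        "through_symlink": is_safe_member(root, "escape/passwd"),
        "symlink_outside": is_safe_member(root, "link", link_target="../../etc"),
        "symlink_inside": is_safe_member(root, "link", link_target="reports"),
    }
```

The `through_symlink` case is the one a pure string check misses: `escape/passwd` contains no `..`, yet it resolves outside the staging directory.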