Security News > 2023 > June > Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products
Three security vulnerabilities have been disclosed in operational technology products from Wago and Schneider Electric.
The flaws, per Forescout, are part of a broader set of shortcomings collectively called OT:ICEFALL, which now comprises a total of 61 issues spanning 13 different vendors.
The most severe of the flaws is CVE-2022-46680, which concerns the plaintext transmission of credentials in the ION/TCP protocol used by power meters from Schneider Electric.
The other two new security holes relate to denial-of-service bugs impacting WAGO 750 controllers that could be activated by an authenticated attacker by sending specific malformed packets or specific requests after being logged out.
In concluding the OT:ICEFALL research, Forescout notes that vendors still lack a fundamental understanding of secure-by-design practices and that they release incomplete patches and fail to implement appropriate security testing procedures.
"This is worrying because as OT products start implementing security controls and end up getting certified, the perception of their security posture might change and the sense of urgency around compensating controls might drop - leading to a false sense of security," the company said.
News URL
https://thehackernews.com/2023/06/researchers-expose-new-severe-flaws-in.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-22 | CVE-2022-46680 | Cleartext Transmission of Sensitive Information vulnerability in Schneider-Electric products A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. | 9.8 |