Security News

CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems
2023-01-18 05:56

The U.S. Cybersecurity and Infrastructure Security Agency has published four Industrial Control Systems advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw and command injection.

CISA Warns of Flaws Affecting Industrial Control Systems from Major Manufacturers
2023-01-16 10:47

The U.S. Cybersecurity and Infrastructure Security Agency has released several Industrial Control Systems advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens. The most severe of the flaws relate to Sewio's RTLS Studio, which could be exploited by an attacker to "Obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code," according to CISA. This includes CVE-2022-45444, a case of hard-coded passwords for select users in the application's database that potentially grant remote adversaries unrestricted access.

CISA orders agencies to patch Exchange bug abused by ransomware gang
2023-01-10 23:22

The first is a Microsoft Exchange elevation of privileges bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution. Texas-based cloud computing provider Rackspace confirmed one week ago that the Play ransomware gang exploited it as a zero-day to bypass Microsoft's ProxyNotShell URL rewrite mitigations and escalate permissions on compromised Exchange servers.

Homeland Security, CISA builds AI-based cybersecurity analytics sandbox
2023-01-10 01:00

Two of the US government's leading security agencies are building a machine learning-based analytics environment to defend against rapidly evolving threats and create more resilient infrastructures for both government entities and private organizations. The Department of Homeland Security - in particular its Science and Technology Directorate research arm - and Cybersecurity and Infrastructure Security Agency picture a multicloud collaborative sandbox that will become a training ground for government boffins to test analytic methods and technologies that rely heavily on artificial intelligence and machine learning techniques.

CISA Warns of Active Exploitation of JasperReports Vulnerabilities
2022-12-30 05:32

The U.S. Cybersecurity and Infrastructure Security Agency has added two years-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards.

CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks
2022-12-16 05:45

The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation in the wild. "The Veeam Distribution Service allows unauthenticated users to access internal API functions," Veeam noted in an advisory published in March 2022.

CISA orders agencies to patch exploited Google Chrome bug by Dec 26th
2022-12-05 22:06

The flaw was patched as an actively exploited zero-day bug in the Google Chrome web browser on Friday for Windows, Mac, and Linux users. In a security advisory published right before the weekend, Google said it "Is aware of reports that an exploit for CVE-2022-4262 exists in the wild."

CISA Warns of Multiple Critical Vulnerabilities Affecting Mitsubishi Electric PLCs
2022-12-02 13:32

The U.S. Cybersecurity and Infrastructure Security Agency this week released an Industrial Control Systems advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software. "Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs," the agency said.

What the CISA Reporting Rule Means for Your IT Security Protocol
2022-12-02 10:35

The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. CISA will share data from cyber incident reports, including defensive measures and anonymized cyber threat indicators, with other organizations.