The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published three Industrial Control Systems (ICS) advisories regarding multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation.
Standing out among them is a set of three flaws affecting ETIC Telecom’s Remote Access Server (RAS) that “allow attackers to obtain sensitive information,” CISA said.
This includes CVE-2022-3703 (CVSS score: 9.0), a critical flaw stemming from the RAS web portal’s inability to verify the authenticity of firmware, which allows an adversary to install a rogue package that grants backdoor access.
Two other flaws relate to a directory traversal bug in the RAS API (CVE-2022-41607, CVSS score: 8.6) and a file upload issue (CVE-2022-40981, CVSS score: 8.3), which can be exploited to read arbitrary files and upload malicious files that can compromise the device.
Israeli industrial cybersecurity company OTORIO is credited with finding and reporting the flaws. All versions of ETIC Telecom RAS 4.5.0 and earlier are vulnerable, and the French company has addressed the issues in version 4.7.3.
The second advisory from CISA concerns three flaws (CVE-2022-2482, CVE-2022-2483, and CVE-2022-2484) in Nokia’s ASIK AirScale 5G Common System Module, which could pave the way for arbitrary code execution and a halt of the secure boot function. All flaws are rated 8.4 on the CVSS severity scale.
“Successfully exploiting these vulnerabilities may result in the execution of a malicious kernel, the execution of arbitrary malicious programs, or the execution of modified Nokia programs,” CISA said.
The Finnish telecommunications giant is said to have published mitigation procedures for the flaws affecting ASIK versions 474021A.101 and ASIK 474021A.102. The agency encourages users to contact Nokia directly for more information.
Finally, cybersecurity officials have also warned about a path traversal vulnerability (CVE-2022-2969, CVSS score: 8.1). This vulnerability affects Delta Industrial Automation’s DIALink product and can be exploited to inject malicious code into the target appliance.
This shortcoming has been addressed in version 220.127.116.11 Beta 4, which can be obtained by contacting Delta Industrial Automation directly or through Delta Field Application Engineering (FAE), according to CISA.