Three security vulnerabilities have been identified in operational technology (OT) products from Wago and Schneider Electric.
According to Forescout, these defects are part of a broader set of defects collectively referred to as “defects.” OT: Icefallcurrently comprising a total of 61 issues across 13 different vendors.
“OT:ICEFALL demonstrates the need for greater oversight and improvement of processes related to secure design, patching and testing at OT device vendors,” the company said. Said In a report shared with The Hacker News.
The most serious of the flaws are CVE-2022-46680 (CVSS score: 8.8). This is about cleartext transmission of credentials in his ION/TCP protocol used in Schneider Electric’s electricity meters.
Successful exploitation of this bug could allow an attacker to gain control of a vulnerable device. It is worth noting that CVE-2022-46680 is one of his 56 flaws that were first discovered by his Forescout in June 2022.
Two other new security holes (CVE-2023-1619 and CVE-2023-1620CVSS score: 4.9) is related to a denial of service (DoS) bug affecting WAGO 750 controllers, in which an authenticated attacker can send certain malformed packets or specific requests after logging out to May activate this bug.
In conclusion of the OT:ICEFALL study, Forescout found that vendors still lack a basic understanding of secure-by-design practices, release incomplete patches, and fail to implement proper security testing procedures. pointing out that there is no
โThis is alarming because as OT products begin to implement security controls and eventually gain certification, their perception of their security posture changes and the urgency to compensate for controls decreases. , because it can lead to a false sense of security,” the company said.