The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published three Industrial Control Systems (ICS) advisories about multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation.
Prominent among them is a set of three flaws affecting ETIC Telecom’s Remote Access Server (RAS), which “could allow an attacker to obtain sensitive information and compromise the vulnerable device and other connected machines,” CISA said.
This includes CVE-2022-3703 (CVSS score: 9.0), a critical flaw that stems from the RAS web portal’s inability to verify the authenticity of firmware, thereby making it possible to slip in a rogue package that grants backdoor access to the adversary.
Two other flaws relate to a directory traversal bug in the RAS API (CVE-2022-41607, CVSS score: 8.6) and a file upload issue (CVE-2022-40981, CVSS score: 8.3) that can be exploited to read arbitrary files and upload malicious files that can compromise the device.
Israeli industrial cybersecurity firm OTORIO has been credited with discovering and reporting the flaws. All versions of ETIC Telecom RAS 4.5.0 and prior are vulnerable, with the issues addressed by the French company in version 4.7.3.
The second advisory from CISA concerns three flaws in Nokia’s ASIK AirScale 5G Common System Module (CVE-2022-2482, CVE-2022-2483, and CVE-2022-2484), which could pave the way for arbitrary code execution and stoppage of secure boot functionality. All the flaws are rated 8.4 on the CVSS severity scale.
Read the full article here