Rockwell Automation recently posted three new security advisories covering 10 bugs, followed on March 26 by an advisory from the Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerabilities cover the industrial automation company’s PowerFlex 527, Arena Simulation product, and the FactoryTalk View ME platform.
Rockwell credited researcher Michael Heinzl for reporting the bugs. Heinzl is known in the security community for reporting serious flaws that are triggered by specially crafted files. Here is a rundown of how the bugs affect each of the Rockwell Automation products:
PowerFlex 527
For PowerFlex 527, three high-severity bugs were found that attackers can exploit for denial of service. Rockwell Automation has yet to release patches and advises users to apply mitigations and security best practices in the meantime. Successful exploitation of these flaws could crash the device and require a manual restart to recover.
Arena Simulation
The Arena Simulation advisory covers five high-severity arbitrary code execution bugs and one medium-severity issue that can lead to information disclosure or denial of service. Successful exploitation could crash the application or let an attacker run malicious code on the system.
FactoryTalk View ME
The FactoryTalk View ME advisory describes a medium-severity cross-site scripting issue discovered during internal testing. Software updates have been released to patch the vulnerability. Successful exploitation could lead to the loss of view or control of the PanelView product.
Reports of vulnerabilities increasing
The volume of reported system vulnerabilities doubles almost every year, and it's tough for security teams to keep up, said Jose Seara, founder and CEO at DeNexus. Seara noted that teams should take all of these advisories seriously, but evaluate them based on how critical they are and their exploitability.
“Understanding the financial impact of a vulnerability being exploited by threat actors is the third aspect of the risk mitigation decision process that can be informed by cyber risk quantification,” said Seara.
John Gunn, chief executive officer at Token, pointed out that it's interesting to observe the remarkable differences between the strict standards we have for the safety of air travel, such as for Boeing airplanes, versus the absence of standards, oversight, and regulation for cybersecurity measures.
“The seemingly infinite number of new advisories and necessary patches are a direct product of ‘best efforts’ by providers with a greater focus on profits than cybersecurity,” said Gunn.