Schneider Electric's Easergy medium voltage protection relays are vulnerable to several vulnerabilities, according to the advisory by US Cybersecurity and Infrastructure Security Agency (CISA).
The agency said in a bulletin on February 24, 2022, "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay. This could result in loss of protection to your electrical network."
Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101 are affected by the two high-severity flaws. The following are the weaknesses in detail:
- CVE-2022-22722 (CVSS score: 7.5) - Use of hardcoded credentials that could be used to monitor and alter device traffic with the device.
- CVE-2022-22723 and CVE-2022-22725 (CVSS score: 8.8) – A buffer overflow vulnerability that could lead to programme crashes and execution of arbitrary code by sending specially crafted packets to the relay over the network.
Schneider Electric patched the weaknesses detected and reported by Red Balloon Security researchers Timothée Chauvin, Paul Noalhyt, and Yuanshe Wu as part of updates released on January 11, 2022.
The alert comes less than ten days after CISA released another alert warning of several key vulnerabilities in Schneider Electric's Interactive Graphical SCADA System (IGSS) that, if exploited, could lead to data disclosure and loss of control of the SCADA system with IGSS running in production mode.
In similar news, the US Federal Bureau of Investigation has issued a security alert for General Electric's Proficy CIMPLICITY SCADA software, alerting of two security flaws that might be exploited to expose sensitive information, gain code execution, and escalate local privileges.
The advisories follow a report from industrial cybersecurity firm Dragos that discovered that 24 per cent of the total 1,703 ICS/OT vulnerabilities reported in 2021 had no fixes available, with 19 per cent having no mitigation, restricting operators from taking any steps to protect their systems from potential threats.
Dragos also discovered malicious activity from three new groups that were discovered attacking ICS systems last year, including Kostovite, Erythrite, and Petrovite. Each of which targeted the OT environments of renewable energy, electrical utility, and mining and energy firms in Canada, Kazakhstan, and the United States.
