Team82 Blog / 4 min read
Four reports and two years have passed since the first Claroty Biannual ICS Risk & Vulnerability Report, and in that time, we have established two constants: the number of vulnerabilities being disclosed continues to increase, and the growing population of researchers and product CIRT teams looking for exploitable flaws in ICS and OT products remain on an upward trajectory.
With those two trends all but certain to continue for the time being, it's time to readjust the industry's focus toward remediation and mitigation efforts. Finding and counting vulnerabilities has its place, but it's meaningless to users without reliable processes for addressing the risk these vulnerabilities pose to the industrial enterprise.
Today, Claroty's research arm Team82 releases its latest Biannual ICS Risk & Vulnerability Report, which provides decision-makers with a clear picture and understanding of the ICS and OT vulnerability landscape for the second half of 2021. While we cannot gloss over the 110% increase in the number of vulnerabilities disclosed during the latter half of last year (797 disclosed industry-wide), we believe it's important to highlight which vulnerabilities are being fully remediated by affected vendors, show you what are the best mitigations available when patches or updates are not immediately available, and how vendors are maturing their internal security practices to catch and fix bugs before attackers exploit them.
Let's look at some highlights from the report:
The Extended Internet of Things (XIoT) is an umbrella term for connected cyber-physical systems, encompassing not only operational technology, but also connected medical devices, and other IoT systems within the enterprise. Many of these were not designed to be securely connected online, yet that's not stopping the momentum of digital transformation within heavy industry, healthcare, and elsewhere.
Our dataset for this report demonstrates increased attention from vulnerability researchers into these sectors as well. Decision-makers needing justification for the prioritization of XIoT cybersecurity need look no further than the chart below, which illustrates how 34% of vulnerabilities disclosed in just the last six months of 2021 were found in software and firmware running within systems not designated as purely OT.
Team82 has found more than 260 vulnerabilities since its inception, doing so in a coordinated fashion with affected vendors to great success. Finding and counting vulnerabilities is important, but only if it leads to a mature, safe ecosystem that is able to patch bugs, distribute fixes to users, and those remediations are implemented in a timely manner.
Our dataset confirms that software remediations are relatively much simpler to develop for ICS products than firmware updates, which have much longer development and implementation cycles. That trend is reflected in our data as well, which reveals that 74% of fully remediated vulnerabilities are software-based.
Vulnerability disclosures aren't always accompanied by a software patch or firmware update; many times, for example, products are no longer supported by vendors and instead they urge users to upgrade equipment to current levels rather than supply further security updates. Couple this with an overwhelming number of legacy products still humming along supporting industrial processes worldwide, and companies' windows of exposure can be extensive. Have look at some data related to the 29 vulnerabilities disclosed in end-of-life products:
In those cases where patches are not, or won't be, available, affected vendors and industry groups such as ICS-CERT may recommend mitigations—many of which should be considered security best practices and fundamental security hygiene measures—to blunt the impact of software and firmware vulnerabilities until a fix is available. Here are the top mitigation options recommended by affected vendors and industry groups.
Here's another sign of a maturing vulnerability research ecosystem: Team82 tracks parties disclosing vulnerabilities, and third-party research organizations and independent researchers continue to report the most vulnerabilities to affected vendors. But we're also seeing a growing number of vulnerabilities being found and publicly disclosed by internal research teams, below.
Team82, meanwhile, has partnered with many vendors on research initiatives, including leading automation vendors such as SiemensAG, Schneider Electric, and Rockwell Automation, all of which have mature internal product security teams that are vigilant about finding and fixing vulnerabilities in their products. Many smaller vendors are following that lead, and realizing the importance of lessening their users' exposure to exploit attempts.
We urge you to download the report, share it with your technical colleagues and internal decision-makers. This is the best snapshot you'll find of the current XIoT vulnerability landscape, and an essential tool to help prioritize vulnerability remediation efforts, and risk mitigation within your company.
CWE-285: IMPROPER AUTHORIZATION
Certain MQTT wildcards are not blocked on the system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
CWE-321: USE OF HARD-CODED CRYPTOGRAPHIC KEY
The devices Power Panel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 6.5
CWE-89: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION')
An attacker with certain MQTT permissions can create malicious messages to all Power Panel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 8.8
CWE-257: STORING PASSWORDS IN A RECOVERABLE FORMAT
The key used to encrypt passwords stored in the database can be found in the application code, allowing the passwords to be recovered.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 4.9
CWE-489: ACTIVE DEBUG CODE
Hard-coded credentials for the test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
CVSS v3: 9.8
