Four reports and two years have passed since the first Claroty Biannual ICS Risk & Vulnerability Report, and in that time we have established two constants: the number of vulnerabilities being disclosed continues to increase, and the population of researchers and product CIRT teams looking for exploitable flaws in ICS and OT products continues to grow.
With those two trends all but certain to continue for the time being, it's time to readjust the industry's focus toward remediation and mitigation efforts. Finding and counting vulnerabilities has its place, but it's meaningless to users without reliable processes for addressing the risk these vulnerabilities pose to the industrial enterprise.
Today, Claroty's research arm Team82 releases its latest Biannual ICS Risk & Vulnerability Report, which provides decision-makers with a clear picture and understanding of the ICS and OT vulnerability landscape for the second half of 2021. While we cannot gloss over the 110% increase in the number of vulnerabilities disclosed during the latter half of last year (797 disclosed industry-wide), we believe it's important to highlight which vulnerabilities are being fully remediated by affected vendors, to show you the best mitigations available when patches or updates are not immediately available, and to describe how vendors are maturing their internal security practices to catch and fix bugs before attackers exploit them.
Let's look at some highlights from the report:
The Extended Internet of Things (XIoT) is an umbrella term for connected cyber-physical systems, encompassing not only operational technology, but also connected medical devices, and other IoT systems within the enterprise. Many of these were not designed to be securely connected online, yet that's not stopping the momentum of digital transformation within heavy industry, healthcare, and elsewhere.
Our dataset for this report demonstrates increased attention from vulnerability researchers into these sectors as well. Decision-makers needing justification for the prioritization of XIoT cybersecurity need look no further than the chart below, which illustrates how 34% of vulnerabilities disclosed in just the last six months of 2021 were found in software and firmware running within systems not designated as purely OT.
Team82 has found more than 260 vulnerabilities since its inception, doing so in a coordinated fashion with affected vendors to great success. Finding and counting vulnerabilities is important, but only if it leads to a mature, safe ecosystem that is able to patch bugs, distribute fixes to users, and see those remediations implemented in a timely manner.
Our dataset confirms that software remediations are much simpler to develop for ICS products than firmware updates, which have far longer development and implementation cycles. That trend is reflected in our data, which reveals that 74% of fully remediated vulnerabilities are software-based.
Vulnerability disclosures aren't always accompanied by a software patch or firmware update; in many cases, for example, products are no longer supported by the vendor, which urges users to upgrade to current equipment rather than supplying further security updates. Couple this with the overwhelming number of legacy products still humming along supporting industrial processes worldwide, and companies' windows of exposure can be extensive. Have a look at some data related to the 29 vulnerabilities disclosed in end-of-life products:
In those cases where patches are not, or won't be, available, affected vendors and industry groups such as ICS-CERT may recommend mitigations—many of which should be considered security best practices and fundamental security hygiene measures—to blunt the impact of software and firmware vulnerabilities until a fix is available. Here are the top mitigation options recommended by affected vendors and industry groups.
Here's another sign of a maturing vulnerability research ecosystem: Team82 tracks the parties disclosing vulnerabilities, and third-party research organizations and independent researchers continue to report the most vulnerabilities to affected vendors. But we're also seeing a growing number of vulnerabilities being found and publicly disclosed by vendors' internal research teams, as shown below.
Team82, meanwhile, has partnered with many vendors on research initiatives, including leading automation vendors such as Siemens AG, Schneider Electric, and Rockwell Automation, all of which have mature internal product security teams that are vigilant about finding and fixing vulnerabilities in their products. Many smaller vendors are following that lead and realizing the importance of lessening their users' exposure to exploit attempts.
We urge you to download the report and share it with your technical colleagues and internal decision-makers. This is the best snapshot you'll find of the current XIoT vulnerability landscape, and an essential tool to help prioritize vulnerability remediation efforts and risk mitigation within your company.
CWE-345: INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY
In 2N Access Commander versions 3.1.1.2 and prior, a local attacker can escalate their privileges in the system which could allow for arbitrary code execution with root permissions.
Update to Access Commander version 3.2.
CVSS v3: 4.7
CWE-345: INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY
In 2N Access Commander versions 3.1.1.2 and prior, an Insufficient Verification of Data Authenticity vulnerability could allow an attacker to escalate their privileges and gain root access to the system.
Update to Access Commander version 3.2.
CVSS v3: 6.3
CWE-22: IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL')
In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker to write files on the filesystem to achieve arbitrary remote code execution.
Update to Access Commander version 3.2.
CVSS v3: 7.2
CWE-290: AUTHENTICATION BYPASS BY SPOOFING
Snap One OVRC cloud uses the MAC address as an identifier to provide information when requested. An attacker can impersonate other devices by supplying enumerated MAC addresses and receive sensitive information about the device.
Read more: "The Problem with IoT Cloud Connectivity and How it Exposed All OvrC Devices to Hijacking"
CVSS v3: 7.5
CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION
A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device to request that it be unclaimed from its original connection and then claim it.
OvrC Pro: All versions prior to 7.3 are affected.
Read more: "The Problem with IoT Cloud Connectivity and How it Exposed All OvrC Devices to Hijacking"
CVSS v3: 9.1
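Both OvrC findings above stem from the same design weakness: a public, enumerable identifier (the MAC address) is treated as proof of device identity. As an added illustration, not Snap One's code and not a description of the OvrC protocol, here is a minimal Python model of a device claim/unclaim service in its flawed form beside a hardened form, where unclaiming requires the current owner's account and claiming requires a challenge-response proof of a per-device secret; the registry contents, account names, secret and HMAC-based proof are all constructed assumptions.

```python
import hmac, hashlib, secrets
# Constructed sample registry (MAC -> record). The per-device secret is an assumption of the hardened
# model: provisioned at manufacture and shared only between the device and the cloud.
def registry():
    return {"AA:BB:CC:00:00:01": {"owner": "alice", "secret": b"constructed-device-secret"}}

class WeakClaimService:
    """Flawed design: the MAC address alone identifies and authenticates a device."""
    def __init__(self, devices):
        self.devices = devices
    def unclaim(self, mac):            # anyone who knows (or enumerates) the MAC can release it
        if mac not in self.devices:
            return False
        self.devices[mac]["owner"] = None
        return True
    def claim(self, mac, account):     # ...and then take ownership of it
        dev = self.devices.get(mac)
        if dev is None or dev["owner"] is not None:
            return False
        dev["owner"] = account
        return True

class HardenedClaimService:
    """Unclaim needs the current owner; claim needs proof of possession of the device secret."""
    def __init__(self, devices):
        self.devices = devices
        self.nonces = {}               # one outstanding challenge per MAC
    def challenge(self, mac):
        self.nonces[mac] = secrets.token_bytes(16)
        return self.nonces[mac]
    def _proof_ok(self, mac, proof):
        nonce = self.nonces.pop(mac, None)   # single use, so a captured proof cannot be replayed
        if nonce is None:
            return False
        expected = hmac.new(self.devices[mac]["secret"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)
    def unclaim(self, mac, account):
        dev = self.devices.get(mac)
        if dev is None or dev["owner"] != account:
            return False
        dev["owner"] = None
        return True
    def claim(self, mac, account, proof):
        dev = self.devices.get(mac)
        if dev is None or dev["owner"] is not None or not self._proof_ok(mac, proof):
            return False
        dev["owner"] = account
        return True
def device_respond(secret, nonce):     # what the physical device, holding its secret, answers
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```

The MAC address still serves as a lookup key in the hardened model; it just no longer serves as authentication, which is the distinction the CWE-290 and CWE-306 entries above turn on.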