Team82 Blog / 3 min read
Twenty-plus years of connecting everything in our lives to the internet has brought us to a place where our ability to innovate and sustain our existence relies in some way on computer code.
Meanwhile, the emergence and prevalence of these cyber physical systems that have a direct touchpoint to the physical world is forcing a new paradigm of risk management decisions.
That’s the context under which we have revamped our biannual report. The State of XIoT Security report was created to help decision makers understand the threat and vulnerability landscape affecting not only the industrial sector but also healthcare and commercial.
Interestingly enough the data in the first half of 2022 report that we’re sharing today for the first time reflects this expansion into the Extended Internet of Things (XIoT). Among the 747 XIoT vulnerabilities (86 affected vendors) published in the 1H 2022, we’re seeing for the first time real movement in the number of published vulnerabilities around enterprise IoT and progress in updating firmware and providing remediations for these components deep within cyber physical systems.
Firmware updates traditionally lag behind software patching and mitigations, for example, but in this report we’re seeing updates for both almost on par with each other. This indicates that enterprise risk managers are looking at connected embedded systems that make up the XIoT, assessing the risk to the systems, and are making progress and patching and updating them.
We hope you find the State of XIoT Security report an important resource that you will share with security executives and the board, as well as with network analysts, engineers, asset owners and operators, and managers responsible for the security of enterprise IoT.
Let’s look at some key findings:
You can see that OT vulnerabilities still dominate Team82’s dataset for the 1H 2022, but it’s noteworthy that the percentage of IoT vulnerabilities has almost doubled since our last report, especially impacting connected smart devices, routers and other networking gear, and cameras—all of which if compromised may afford an attacker deeper access to the enterprise network.
Most of the published XIoT vulnerabilities in the 1H 2022 are either critical (19%) or high severity (46%). And of those severe bugs, many affect the availability of XIoT devices by enabling code execution or denial-of-service attacks.
With the rise in cyber-physical systems across industries, we’re starting to see the expected spikes in published firmware vulnerabilities in IoT devices, as well as the internet of medical things (IoMT), and operational technology devices at Levels 1 and 2 of the Purdue Model for ICS.
Below, you can see that for the 1H 2022, the number of published firmware vulnerabilities is almost on par with software vulnerabilities, a significant reversal from the 2H 2021 report when there was an almost 2-to-1 disparity between software and firmware vulnerabilities.
Meanwhile, vulnerabilities in connected IoT devices—largely firmware issues—trail only Operations Management and Basic Control devices. Vulnerabilities in these products, which include Historian and OPC servers, as well as field devices, for example, are predominantly software-based.
Team82’s 1H 2022 dataset indicates that vendors provided full or partial remediation for 91% of published vulnerabilities.
Breaking that down by software and firmware vulnerabilities, you can see the gains made in firmware fixes for the first half of the year compared to our last report.
When a software patch or firmware update isn’t immediately available, basic security practices should be adhered to in order to blunt the impact of vulnerabilities. Here are the top mitigation steps from Team82’s 1H 2022 dataset.
CWE-284 IMPROPER ACCESS CONTROL:
The entire parent directory - C:\ScadaPro and its sub-directories and files are configured by default to allow users, including unprivileged users, to write or overwrite files.
Measuresoft recommends that users manually reconfigure the vulnerable directories so that they are not writable by everyone.
CVSS v3: 5.5
CWE-256: Plaintext Storage of a Password
In Automation-Direct C-MORE EA9 HMI credentials used by the platform are stored as plain text on the device.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78
Affected versions:
CVSS v3: 6.5
CWE-121: Stack-based Buffer Overflow
In Automation-Direct C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited sized buffer on the stack which leads to a stack overflow. The result of this stack-based buffer overflow will lead to a denial-of-service conditions.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78
Affected versions:
CVSS v3: 4.3
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
There is a function in Automation-Direct C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78
Affected versions:
CVSS v3: 7.5
CWE-319: CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION
The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.
Softing edgeConnector: Version 3.60 and Softing edgeAggregator: Version 3.60 are affected. Update Softing edgeConnector and edgeAggregator to v3.70 or greater.
CVSS v3: 8.0