New "Icefall" Bugs Include Critical DoS Flaw

Researchers at Forescout have released details of more OT product vulnerabilities that they say stem from an “insecure-by-design” approach to manufacturing.

The bugs, which include a critical denial of service (DoS) CVE, are found in products from German vendors Codesys and Festo.

CVE-2022-4048 is a logic manipulation bug in the Codesys V3 automation software for engineering control systems. Forescout said Codesys is running on several million devices and around 1000 models from over 500 manufacturers.

The vulnerability stems from weak cryptography, namely:

  • Session keys are generated using an insecure pseudo-random number generator (PRNG) working off a small and predictable seed
  • The encryption scheme uses an insecure mode of operation – compromising confidentiality and integrity regardless of session key strength
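As an illustration of the two weaknesses in the list above (an added example, not Codesys or Forescout code): a session key that is a pure function of a small seed, beside a key drawn from the OS CSPRNG, and an unauthenticated encryption mode in which a modified ciphertext decrypts without any error, beside an encrypt-then-MAC equivalent that rejects it. The toy keystream built from HMAC-SHA256, the 16-bit seed width and the `tamper_check` harness are assumptions chosen so the example runs on the Python standard library; the page does not name the actual PRNG or cipher mode.

```python
import hashlib
import hmac
import random
import secrets

KEY_LEN = 16          # 128-bit session key
TAG_LEN = 32          # HMAC-SHA256 tag


def weak_session_key(seed: int) -> bytes:
    """Weak pattern: key derived from a non-cryptographic PRNG seeded with a
    small value. The key is a pure function of the seed, so two sessions that
    start from the same seed share a key, and the key's real strength is
    bounded by how many seed values are possible, not by its length."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_session_key() -> bytes:
    """Hardened pattern: draw the key from the OS CSPRNG; there is no
    caller-controlled seed to predict."""
    return secrets.token_bytes(KEY_LEN)


def effective_key_bits(seed_bits: int) -> int:
    """Effective strength of a key produced by weak_session_key when the seed
    carries only `seed_bits` of entropy, however long the key itself is."""
    return min(seed_bits, KEY_LEN * 8)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one session key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream (constructed for this example; it stands in
    # for any unauthenticated stream or counter mode, not the vendor's cipher).
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR is its own inverse, so decryption is the same operation.
decrypt_unauthenticated = encrypt_unauthenticated


def encrypt_then_mac(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_verified(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; ciphertext rejected")
    return decrypt_unauthenticated(key, nonce, ct)


def _flip_first_bit(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x01]) + data[1:]


def tamper_check(key: bytes, nonce: bytes, plaintext: bytes) -> dict:
    """Review harness: alter one ciphertext bit in transit and report whether
    each scheme notices. The unauthenticated mode hands back silently altered
    plaintext; the authenticated one rejects the message outright."""
    altered_ct = _flip_first_bit(encrypt_unauthenticated(key, nonce, plaintext))
    silent = decrypt_unauthenticated(key, nonce, altered_ct)
    altered_blob = _flip_first_bit(encrypt_then_mac(key, nonce, plaintext))
    try:
        decrypt_verified(key, nonce, altered_blob)
        authenticated_rejected = False
    except ValueError:
        authenticated_rejected = True
    return {
        "unauthenticated_plaintext_changed": silent != plaintext,
        "authenticated_rejected": authenticated_rejected,
    }


if __name__ == "__main__":
    print("same seed -> same key:", weak_session_key(42) == weak_session_key(42))
    print("16-bit seed gives only", effective_key_bits(16), "bits of strength")
    print(tamper_check(strong_session_key(), b"nonce-01", b"WRITE:valve=open"))
```

The point of `effective_key_bits` is the first bullet: a 128-bit key produced from a 16-bit seed has 16 bits of strength. The point of `tamper_check` is the second: a strong key does nothing for integrity if the mode has no authentication tag, which is why the text says the weakness holds "regardless of session key strength".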

The second vulnerability, CVE-2022-3079, is a denial-of-service bug that affects Festo CPX-CEC-C1 and CPX-CMXX Codesys V2 controllers. It enables unauthenticated, remote access to critical webpage functions, which may cause DoS.

While these first two flaws were given CVSS scores of 7.7 and 7.5 respectively, the final one, impacting Festo controllers using the FGMC protocol, is rated critical with a CVSS score of 9.8.

CVE-2022-3270 was categorized by Forescout as stemming from an insecure engineering protocol, potentially leading to DoS. The Festo Generic Multicast (FGMC) protocol allows for the unauthenticated reboot of controllers over the network, meaning attackers can tamper with devices, including controllers, once they’ve gained remote access via the network.

Forescout said it discovered 1000 Festo controllers among its customers, mainly in the manufacturing sector.

The findings follow a major report published by Forescout over the summer in which it found 56 vulnerabilities in products from 10 OT manufacturers, highlighting the poor security practices followed by many in this space.

“By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors,” warned Forescout head of security research, Daniel dos Santos.

“It is crucial for asset owners to understand how these legacy systems, the lack of vulnerability management surrounding them, and the often-false sense of security offered by certifications complicate OT risk management efforts.”
