CISA Flags ICS Bugs in Baxter, Mitsubishi Products

This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.

The vulnerabilities affect Baxter's Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.

Baxter Connex Vulnerabilities

CISA's advisory contained information on two vulnerabilities in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that it described as remotely exploitable and involving low attack complexity. One of the vulnerabilities, assigned as CVE-2024-6795, is a maximum severity (CVSS score of 10.0) SQL injection issue that an unauthenticated attacker can leverage to run arbitrary SQL queries on affected systems. CISA described the flaw as giving attackers the ability to access, modify, and delete sensitive data and take other admin level actions, including shutting down the database.

The other vulnerability in Baxter's Connex Health Portal, tracked as CVE-2024-6796, has to do with improper access control and has a CVSS severity rating of 8.2 on 10. The flaw gives attackers a way to potentially access sensitive patient and clinician information and to modify or delete some of the data. As with CVE-2024-6795, the improper access vulnerability in Baxter Connex Health Portal is also remotely exploitable, involves low attack complexity, and does not require the threat actor to have any special privileges.

Baxter has fixed the issues, but CISA has recommended that affected organizations also minimize network exposure for all control system devices and to make sure they are not accessible from the Internet. CISA also wants organizations to stick firewalls in front of control system networks and to use secure remote access methods such as VPNs where remote access is a requirement.

So far, there is no sign of exploit activity targeting either vulnerability, CISA said. But healthcare technologies have become a major target for cybercriminals in recent years. This year alone, there have been multiple incidents involving major healthcare players. Among the most notable of them was a ransomware attack on health insurance firm Change Healthcare earlier this year that knocked critical-claims-related services offline for days. Though Change Healthcare paid a $22 million ransom to the BlackCat ransomware group following the attack, the threat actor leaked sensitive health information on millions of Americans on the Dark Web anyway. In another incident, attackers — believed to be the Rhysida ransomware group — knocked systems offline at Chicago’s Lurie Children's Hospital and compromised records belonging to more than 790,000 patients.

Multiple factors have contributed to the healthcare sector becoming a major target for cybercriminals. These include the fact that healthcare organizations usually hold a lot of valuable data and are particularly vulnerable to any kind of operational disruptions and degradation in their ability to serve patients.

Mitsubishi MELSEC Flaws

Meanwhile CISA's advisory on Mitsubishi Electric's MELSEC programmable controllers for industrial automation and control applications have to do with vulnerabilities the vendor announced previously. One of the advisories involves a #denial of service of vulnerability that Mitsubishi first disclosed in 2020 (CVE-2020-5652) and has kept updating through the years as new issues related to the flaw have continued to crop up. The latest advisory adds more Mitsubishi MELSEC products to the list of affected technologies and provides new information on mitigating against the threat. The other vulnerability, identified as CVE-2022-33324, is also a denial-of-service issue, but one resulting from what CISA described as improper resource shutdown or release. Mitsubishi first disclosed the flaw in December 2022 and has kept updating its advisory with new information. The latest update, which adds new products to the list of affected technologies and provides new mitigation advice, is the company's third just this year for CVE-2022-33324.

Vulnerabilities in ICS and other Information technology products in the manufacturing sector are a particular concern for two reasons: More than 75% of manufacturing companies have unpatched high-severity vulnerabilities in their environment; and attacks against manufacturing companies have surged in recent years. A report that Armis released earlier this year showed a 165% increase in attacks on manufacturing companies in 2023, making it the second-most targeted sector after utilities.