CISA is warning about a set of vulnerabilities in the widely deployed CONPROSYS human-machine interface software that can allow a remote unauthenticated attacker to inject commands into the system and execute arbitrary code.
The most serious bug (CVE-2022--44456) emerged in October when the vendor, Contec, issued an advisory about the vulnerability and released an updated version of the software. Since then, four other vulnerabilities have emerged in that version, which was 3.4.5. Those newly discovered vulnerabilities include the use of default credentials and improper access controls. To address those bugs, Contec has released version 3.5.0 of CONPROSYS.
That original vulnerability is an OS command injection flaw that could allow an attacker to gain remote code execution.
“We have discovered a vulnerability in the server-side PHP code of our WEB HMI/SCADA software CONPROSYS HMI System (CHS). If this vulnerability is exploited by a malicious attacker, data may be stolen or tampered with, or a malicious program may be executed to destroy the system,” the Contec advisory says.
“When a malicious entity sends a request to PHP on the server, an OS command can be embedded to execute arbitrary commands. If this vulnerability is exploited by an attacker, there is a possibility of data theft or falsification, execution of malicious programs, and system corruption.”
CONPROSYS is a comprehensive industrial IoT system that is deployed in a wide range of settings, including manufacturing, agriculture, technology, automotive and many others. Of the four newer vulnerabilities discovered in the software, the most serious are the improper access control and use of default credentials. The access control issue, in particular, is worrisome.
“In CONPROSYS HMI System Ver.3.4.5 and prior, a remote unauthenticated attacker could obtain the server certificate, including the private key of the product,” the CISA advisory says.
There is also a bug that could allow an attacker in a machine-in-the-middle scenario to steal user credentials, and a separate cross-site scripting vulnerability that could be used to obtain sensitive information.
Organizations that have deployed CONPROSYS versions 3.4.5 or earlier should upgrade to version 3.5.0 as soon as possible to address these vulnerabilities.