The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new ICS (industrial control systems) alert urging organisations to patch key flaws or risk DoS attacks. It has pointed to vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.
The bugs are found in multiple vendors’ products including CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS.
“CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure,” reads the advisory.
While many of the vendors have mitigated the vulnerabilities, CISA warned that it had not yet received a response from Korean firm Gurum Networks, and that users should contact the company directly.
CISA recommends users take defensive measures to minimise the risk of exploitation of these vulnerabilities. Specifically, it urges users to minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet, locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, CISA recommends using secure methods such as Virtual Private Networks (VPNs), while recognising that VPNs may themselves have vulnerabilities and should be updated to the most current version available.
CISA’s readiness to alert ICS customers about security flaws can be linked to the Biden administration’s focus on enhancing critical national infrastructure security across the US.