CISA: Patch These ICS Flaws Across Multiple Vendors
The US authorities have released a new industrial control systems (ICS) alert urging impacted organizations to patch key middleware or risk denial of service and remote code execution attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) pointed to a series of vulnerabilities impacting open-source and proprietary implementations of the Object Management Group (OMG) Data-Distribution Service (DDS).
The bugs are found in multiple vendors’ equipment: CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS.
“CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks,” it said. “Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure.”
While the affected products have been updated by most of the vendors, CISA warned that it had not yet received a response from Korean firm Gurum Networks, and urged impacted customers to contact it directly.
As well as applying the relevant patches, organizations were told to air-gap ICS devices and systems, or at least to isolate them from business networks and place