The US authorities have released a new industrial control systems (ICS) alert urging impacted organizations to patch key middleware or risk denial of service and remote code execution attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) pointed to a series of vulnerabilities impacting open-source and proprietary implementations of the Object Management Group (OMG) Data-Distribution Service (DDS).
The bugs are found in multiple vendors’ equipment: CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS.
“CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks,” it said. “Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure.”
While the affected products have been updated by most of the vendors, CISA warned that it had not yet received a response from Korean firm Gurum Networks, and urged impacted customers to contact it directly.
As well as applying the relevant patches, organizations were told to air-gap ICS devices and systems, or at least to isolate them from business networks and place them behind a firewall. VPNs were also recommended for secure remote access.
CISA’s readiness to alert ICS customers about security flaws can be linked to the Biden administration’s focus on enhancing critical national infrastructure security across the US.
The risk to such systems has increased as they’ve acquired connectivity. This is increasingly important from an operational perspective, especially with many employees working remotely, but also opens the door to remote attackers.
Patching can also be problematic in these industrial environments as control systems are business-critical and therefore difficult to take offline while updates are tested.
Among the OMG DDS vulnerability classes highlighted by CISA were stack- and heap-based buffer overflows, amplification, write-what-where conditions, improper handling of syntactically invalid structures, and improper handling of length parameter inconsistencies.
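The last two classes in that list share a root cause: a parser trusting a length field carried in the message rather than checking it against the bytes actually received and the capacity of the buffer it copies into. The following is an added illustration written for this article, not code from CISA, OMG, or any of the DDS vendors named above, and it uses a deliberately simple constructed message layout (one kind byte, a two-byte big-endian length, then payload) rather than the real DDS/RTPS wire format. It shows the two checks a hardened parser performs before touching the payload, and exercises them on constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed message layout (hypothetical; NOT the DDS/RTPS format):
 *   byte 0      : message kind
 *   bytes 1..2  : payload length, big-endian
 *   bytes 3..   : payload, exactly "payload length" bytes
 */
#define HEADER_LEN  3
#define MAX_PAYLOAD 64   /* capacity of the parsed record's payload buffer */

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED_HEADER,       /* fewer than HEADER_LEN bytes received */
    PARSE_ERR_LENGTH_EXCEEDS_INPUT,   /* header claims more bytes than were received */
    PARSE_ERR_LENGTH_EXCEEDS_BUFFER   /* header claims more than the record can hold */
} parse_status;

typedef struct {
    uint8_t  kind;
    uint16_t payload_len;
    uint8_t  payload[MAX_PAYLOAD];
} message;

/* Hardened parser. The length field is attacker-controlled, so it is
 * validated against both the input actually present and the destination
 * capacity before any copy; an unchecked memcpy of "declared" bytes is
 * exactly how a length inconsistency turns into an over-read or a
 * stack/heap overflow. */
parse_status parse_message(const uint8_t *buf, size_t buf_len, message *out)
{
    if (buf == NULL || out == NULL || buf_len < HEADER_LEN)
        return PARSE_ERR_TRUNCATED_HEADER;

    uint16_t declared = (uint16_t)((buf[1] << 8) | buf[2]);

    /* Length parameter inconsistency: more payload claimed than received. */
    if (declared > buf_len - HEADER_LEN)
        return PARSE_ERR_LENGTH_EXCEEDS_INPUT;

    /* Buffer overflow guard: never copy more than the destination holds. */
    if (declared > MAX_PAYLOAD)
        return PARSE_ERR_LENGTH_EXCEEDS_BUFFER;

    out->kind = buf[0];
    out->payload_len = declared;
    memcpy(out->payload, buf + HEADER_LEN, declared);
    return PARSE_OK;
}

/* Runs the parser over constructed samples (not captured traffic) so the
 * rejection paths can be checked offline. */
parse_status check_sample(int which)
{
    static const uint8_t good[]  = {0x01, 0x00, 0x03, 'a', 'b', 'c'};  /* consistent */
    static const uint8_t lying[] = {0x01, 0x00, 0x10, 'a', 'b', 'c'};  /* claims 16, carries 3 */
    static const uint8_t stub[]  = {0x01, 0x00};                        /* truncated header */
    uint8_t big[HEADER_LEN + 100];                                      /* consistent, but 100 > MAX_PAYLOAD */
    message m;

    memset(big, 'x', sizeof big);
    big[0] = 0x01; big[1] = 0x00; big[2] = 100;

    switch (which) {
    case 0:  return parse_message(good,  sizeof good,  &m);
    case 1:  return parse_message(lying, sizeof lying, &m);
    case 2:  return parse_message(big,   sizeof big,   &m);
    default: return parse_message(stub,  sizeof stub,  &m);
    }
}

int main(void)
{
    static const char *names[] = {
        "ok", "truncated header", "length exceeds input", "length exceeds buffer"
    };
    for (int i = 0; i < 4; i++)
        printf("sample %d: %s\n", i, names[check_sample(i)]);
    return 0;
}
```

The same two comparisons apply to any length-prefixed field, nested structure, or sequence count a protocol parser reads from the wire: check the claimed size against what was received, then against where it is going, and only then copy.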