The myPRO product from Czech industrial automation company mySCADA is currently affected by several critical vulnerabilities that could allow remote, unauthenticated attackers to gain complete control of targeted systems.
Overview of myPRO
myPRO is a human-machine interface (HMI) and supervisory control and data acquisition (SCADA) system used for visualizing and controlling industrial processes. This product is compatible with Windows, macOS, and Linux, running on servers, PCs, and embedded devices.
Vulnerability Discovery
Cybersecurity researcher Michael Heinzl, known for identifying many industrial control system (ICS) vulnerabilities, discovered that myPRO’s Manager and Runtime components are affected by five types of security flaws. These include OS command injection, improper and missing authentication, and path traversal issues.
Responsible Disclosure and Patching
The vulnerabilities were reported by Heinzl to mySCADA through the Cybersecurity and Infrastructure Security Agency (CISA) in July and August 2024. mySCADA has since released patches in myPRO Manager 1.3 and myPRO Runtime 9.2.1 to address these issues.
Severity of Vulnerabilities
Four of the five vulnerabilities have been rated as ‘critical’, while one has been classified as ‘high severity’. These flaws allow remote, unauthenticated attackers to execute arbitrary OS commands with elevated privileges and gain unauthorized access to the system and its files.
Potential Impact
Successful exploitation of these vulnerabilities could enable attackers to gain admin control and completely compromise both the myPRO product and the underlying system. Although the internet search engine Censys shows several dozen internet-exposed mySCADA HMIs, it is unclear how many of these are vulnerable to the recently patched issues.
Risk Mitigation
The exposure to attacks depends on system configuration. By default, the vulnerable service listens on all network interfaces after installation. CISA has noted that there are no known instances of these vulnerabilities being exploited in the wild.
Conclusion
The discovery and patching of these critical vulnerabilities in myPRO highlight the importance of timely security updates and vigilant monitoring of industrial control systems.