
Valmet Oy ACN CS

Product
Developers: Valmet
Last Release Date: 2022/11/24
Technology: OS


2022: Identification of a number of vulnerabilities in Valmet Oy ACN CS

Experts from the National Cyber Polygon of RTK-Solar have identified a number of vulnerabilities in industrial automation software from the Finnish company Valmet. Most of them are critical, with a severity score from 9.6 up to the maximum possible 10 on the CVSS 3.0 scale. RTK-Solar announced this on November 24, 2022.


The vulnerabilities discovered by experts from the National Cyber Polygon, led by head of research Ilya Karpov, affect components of the Metso DNA automated process control system: the Valmet System 2019 software package and the Valmet Oy ACN CS operating system. The vulnerabilities are associated with missing protection of transmitted data (CWE-319), unencrypted storage of critical information (CWE-256, CWE-312), unsafe privilege management (CWE-250, CWE-269), insufficient validation of input data (CWE-20, CWE-328), unsafe use of cryptographic algorithms (CWE-916) and missing authentication for a critical function (CWE-287, CWE-306, CWE-489). If exploited, they allow attackers to remotely elevate privileges in the system, gain access to protected information, execute arbitrary code, including on the server, cause a denial of service and carry out a man-in-the-middle attack to intercept data.

Immediately after identifying the vulnerabilities in the Metso DNA software system, the researchers of the National Cyber Polygon reported them to the vendor and also passed the information to the FSTEC of Russia. To reduce the risk of potential incidents related to exploitation of the discovered vulnerabilities, RTK-Solar experts recommend using compensating measures. Information on the vulnerabilities and detailed recommendations on minimizing the risks of their exploitation are published in the Information Security Threats Data Bank of the FSTEC of Russia (BDU:2022-06151 to BDU:2022-06158).

"As a result of the departure of a number of foreign vendors from the country, Russian users of imported solutions were deprived of the opportunity to receive security updates from manufacturers. The lack of patch management poses a serious threat to enterprises, especially at critical information infrastructure facilities. Attacks related to exploiting vulnerabilities are one of the most common vectors of penetration into the infrastructure of companies. The ongoing import substitution process in the future will allow replacing, among other things, specific foreign industrial equipment with domestic equipment. However, due to the lack of a component base and the lack of Russian analogues in a number of areas, enterprises need to pay increased attention to vulnerability management, and researchers, together with manufacturers, need to increase their competencies and develop communities of vulnerability research in domestic products," noted Dmitry Malinkin, Deputy Director of the Department of the National Cyber Polygon of RTK-Solar.

After publishing information about the identified vulnerabilities in Valmet software in the BDU of the FSTEC of Russia, RTK-Solar experts also passed information about them to the National Cyber Security Center Finland (NCSC-FI).