{"id":563816,"date":"2023-01-18T06:03:45","date_gmt":"2023-01-18T08:03:45","guid":{"rendered":"https:\/\/teknomers.com\/fr\/cisa-met-en-garde-contre-les-failles-des-systemes-de-controle-industriels-siemens-ge-digital-et-contec\/"},"modified":"2023-01-18T06:03:46","modified_gmt":"2023-01-18T08:03:46","slug":"cisa-met-en-garde-contre-les-failles-des-systemes-de-controle-industriels-siemens-ge-digital-et-contec","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/cisa-met-en-garde-contre-les-failles-des-systemes-de-controle-industriels-siemens-ge-digital-et-contec\/","title":{"rendered":"CISA met en garde contre les failles des syst\u00e8mes de contr\u00f4le industriels Siemens, GE Digital et Contec"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">18 janvier 2023<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">S\u00e9curit\u00e9 SCI\/SCADA<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><\/div>\n<p>La Cybersecurity and Infrastructure Security Agency (CISA) des \u00c9tats-Unis a <a rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2023\/01\/17\/cisa-releases-four-industrial-control-systems-advisories\" target=\"_blank\">publi\u00e9<\/a> quatre avis sur les syst\u00e8mes de contr\u00f4le industriels (ICS), signalant plusieurs failles de s\u00e9curit\u00e9 affectant les produits de Siemens, GE Digital et Contec.<\/p>\n<p>Les probl\u00e8mes les plus critiques ont \u00e9t\u00e9 identifi\u00e9s dans Siemens SINEC INS qui pourraient conduire \u00e0 l&#8217;ex\u00e9cution de code \u00e0 distance via une faille de travers\u00e9e de chemin (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-45092\" target=\"_blank\">CVE-2022-45092<\/a>score CVSS : 9,9) et injection de commandes (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-2068\" target=\"_blank\">CVE-2022-2068<\/a>score CVSS : 9,8).<\/p>\n<p>Siemens a \u00e9galement corrig\u00e9 une vuln\u00e9rabilit\u00e9 de contournement d&#8217;authentification dans l&#8217;analyseur llhttp (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-35256\" target=\"_blank\">CVE-2022-35256<\/a>score CVSS\u00a0: 9,8) ainsi qu&#8217;un bogue d&#8217;\u00e9criture hors limites dans la biblioth\u00e8que OpenSSL (CVE-2022-2274, score CVSS\u00a0: 9,8) qui pourrait \u00eatre exploit\u00e9 pour d\u00e9clencher l&#8217;ex\u00e9cution de code \u00e0 distance.<\/p>\n<p>L&#8217;entreprise allemande d&#8217;automatisation, en d\u00e9cembre 2022, <a rel=\"nofollow noopener\" href=\"https:\/\/support.industry.siemens.com\/cs\/document\/109815432\/sinec-ins-v1-0-service-pack-2-update-1-software-(incl-10-node-demo)-download?dti=0&amp;lc=en-WW\" target=\"_blank\">lib\u00e9r\u00e9<\/a> Logiciel Service Pack 2 Update 1 pour att\u00e9nuer les d\u00e9fauts.<\/p>\n<p>Par ailleurs, une faille critique a \u00e9galement \u00e9t\u00e9 r\u00e9v\u00e9l\u00e9e dans la solution Proficy Historian de GE Digital qui pourrait entra\u00eener l&#8217;ex\u00e9cution de code quel que soit le statut d&#8217;authentification.  Le probl\u00e8me, suivi en tant que CVE-2022-46732 (score CVSS\u00a0: 9,8), affecte les versions 7.0 et sup\u00e9rieures de Proficy Historian, et a \u00e9t\u00e9 corrig\u00e9 dans <a rel=\"nofollow noopener\" href=\"https:\/\/www.ge.com\/digital\/applications\/proficy-historian\" target=\"_blank\">Historien professionnel 2023<\/a>.<\/p>\n<p>&#8220;Un attaquant peut profiter de ce fait et contourner l&#8217;authentification de l&#8217;historien en se faisant passer pour un service local&#8221;, a d\u00e9clar\u00e9 Uri Katz, chercheur en s\u00e9curit\u00e9 \u00e0 la soci\u00e9t\u00e9 de s\u00e9curit\u00e9 industrielle Claroty. <a rel=\"nofollow noopener\" href=\"https:\/\/claroty.com\/team82\/research\/hacking-ics-historians-the-pivot-point-from-it-to-ot\" target=\"_blank\">m&#8217;a dit<\/a>.  &#8220;Cela permet aux attaquants distants de se connecter \u00e0 n&#8217;importe quel serveur GE Proficy Historian et de le forcer \u00e0 effectuer des actions non autoris\u00e9es.&#8221;<\/p>\n<p>La CISA a \u00e9galement mis \u00e0 jour un avis ICS publi\u00e9 le mois dernier, d\u00e9taillant une vuln\u00e9rabilit\u00e9 critique d&#8217;injection de commande dans le syst\u00e8me Contec CONPROSYS HMI (CVE-2022-44456, score CVSS\u00a0: 10,0) qui pourrait permettre \u00e0 un attaquant distant d&#8217;envoyer des requ\u00eates sp\u00e9cialement con\u00e7ues pour ex\u00e9cuter des commandes arbitraires. .<\/p>\n<p>Bien que cette lacune ait \u00e9t\u00e9 corrig\u00e9e par Contec dans la version 3.4.5, le logiciel s&#8217;est depuis r\u00e9v\u00e9l\u00e9 vuln\u00e9rable \u00e0 quatre d\u00e9fauts suppl\u00e9mentaires pouvant entra\u00eener la divulgation d&#8217;informations et un acc\u00e8s non autoris\u00e9.<\/p>\n<p>Il est recommand\u00e9 aux utilisateurs du syst\u00e8me CONPROSYS HMI de mettre \u00e0 jour vers la version 3.5.0 ou ult\u00e9rieure, en plus de prendre des mesures pour minimiser l&#8217;exposition du r\u00e9seau et isoler ces appareils des r\u00e9seaux d&#8217;entreprise.<\/p>\n<p>Les avis surviennent moins d&#8217;une semaine apr\u00e8s que la CISA a publi\u00e9 12 alertes de ce type avertissant de failles critiques affectant les logiciels de Sewio, InHand Networks, Sauter Controls et Siemens.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2023\/01\/cisa-warns-of-flaws-in-siemens-ge.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80218 janvier 2023\ue804Ravie LakshmananS\u00e9curit\u00e9 SCI\/SCADA La Cybersecurity and Infrastructure Security Agency (CISA) des \u00c9tats-Unis a publi\u00e9 quatre avis sur les syst\u00e8mes de contr\u00f4le industriels (ICS), signalant plusieurs failles de s\u00e9curit\u00e9 affectant les produits de Siemens, GE Digital et Contec. Les probl\u00e8mes les plus critiques ont \u00e9t\u00e9 identifi\u00e9s dans Siemens SINEC INS qui pourraient conduire \u00e0 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":563817,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[4805,4168,139825,841,3976,4158,4165,4161,133,11130,4806,525,70694,4157,4159,4171,4170,65,4167,4955,4160,4163,4162,4172,4169,9164,5046,4166,4164],"class_list":["post-563816","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-cisa","tag-comment-pirater","tag-contec","tag-contre","tag-controle","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-des","tag-digital","tag-failles","tag-garde","tag-industriels","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel-malveillant-de-ransomware","tag-met","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-securite-informatique","tag-securite-internet","tag-siemens","tag-systemes","tag-violation-de-donnees","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/563816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=563816"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/563816\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/563817"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=563816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=563816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=563816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}