LS ELECTRIC PLC and XG5000 (Update A)
Plan Patch | 7.5 | ICS-CERT ICSA-22-228-02 | Aug 16, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
LS ELECTRIC PLC and XG5000 software contain a weak cryptography vulnerability (CWE-326) that allows attackers to decrypt stored credentials. Successful exploitation grants full access to the affected programmable logic controller, enabling modification of control logic, process parameters, and operational commands. Affected products include XGK-CPUU/H/A/S/E firmware versions below 3.50, XGI-CPUU/UD/H/S/E below 3.20, XGR-CPUH below 1.80, XGB-XBMS below 3.00, XGB-XBCH below 1.90, XGB-XECH below 1.30, and XG5000 below version 4.0.
What this means
What could happen
An attacker who gains network access to an affected LS ELECTRIC PLC or XG5000 can decrypt stored credentials, allowing them to access the device and modify control logic, process parameters, or stop critical industrial processes.
Who's at risk
This affects water utilities and power plants running LS ELECTRIC programmable logic controllers (PLCs) in their industrial control systems, particularly those using XGK, XGI, XGR, or XGB series controllers, or the XG5000 engineering software. Organizations in the energy and manufacturing sectors that rely on these devices for process automation are at risk.
How it could be exploited
An attacker on the same network as an LS ELECTRIC PLC or XG5000 engineering workstation can intercept or extract encrypted credentials stored in memory or configuration files. With decrypted credentials, they can log in remotely and issue commands to alter PLC logic or process setpoints.
Prerequisites
- Network access to the PLC or XG5000 device or engineering workstation on the control network
- Ability to extract or intercept encrypted credential material from the device or workstation
remotely exploitable · no authentication required (to intercept/extract credentials) · affects safety systems · no patch available for most PLC models
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
1 with fix, 6 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| XGK-CPUU/H/A/S/E | <V3.50 | No fix (EOL) |
| XGI-CPUU/UD/H/S/E | <V3.20 | No fix (EOL) |
| XGR-CPUH | <V1.80 | No fix (EOL) |
| XGB-XBMS | <V3.00 | No fix (EOL) |
| XG5000 | <V4.0 | 4.0 |
| XGB-XECH | <V1.30 | No fix (EOL) |
| XGB-XBCH | <V1.90 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Deploy firewall rules to restrict network access to PLC management ports to authorized engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update XG5000 to version 4.0 or later via LS ELECTRIC Download Center
- HOTFIX: For LS ELECTRIC PLC models (XGK, XGI, XGR, XGB series), contact LS ELECTRIC Technical Center to obtain and apply firmware upgrade
Mitigations - no patch available
The following products have reached End of Life with no planned fix: XGK-CPUU/H/A/S/E: <V3.50, XGI-CPUU/UD/H/S/E: <V3.20, XGR-CPUH: <V1.80, XGB-XBMS: <V3.00, XGB-XECH: <V1.30, XGB-XBCH: <V1.90. Apply the following compensating controls:
- HARDENING: Isolate PLC and engineering workstations on a separate network segment with restricted access from business networks and the Internet
- HARDENING: If remote access is required, use a VPN with current security updates and strong authentication
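To apply the affected-products table and the remediation steps above to an asset inventory, the following added example (not part of the advisory and not LS ELECTRIC tooling) classifies each record. The shorthand expansion, the integer version comparison, the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Rows copied from this advisory: (model shorthand, first unaffected version, fix status)
ADVISORY_ROWS = [
    ("XGK-CPUU/H/A/S/E", "3.50", "No fix (EOL)"),
    ("XGI-CPUU/UD/H/S/E", "3.20", "No fix (EOL)"),
    ("XGR-CPUH", "1.80", "No fix (EOL)"),
    ("XGB-XBMS", "3.00", "No fix (EOL)"),
    ("XG5000", "4.0", "4.0"),
    ("XGB-XECH", "1.30", "No fix (EOL)"),
    ("XGB-XBCH", "1.90", "No fix (EOL)"),
]

def expand_models(shorthand):
    # Assumption: each "/X" entry replaces the last letter of the first model name.
    first, *rest = shorthand.split("/")
    return [first] + [first[:-1] + suffix for suffix in rest]

def parse_version(text):
    # "V3.50" -> (3, 50); assumption: components compare as integers. None if unreadable.
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(part) for part in m.group(1).split(".")) if m else None

THRESHOLDS = {model: (parse_version(ver), fix) for shorthand, ver, fix in ADVISORY_ROWS
              for model in expand_models(shorthand)}

def triage_asset(model, version):
    key = model.upper().replace("/", "").replace(" ", "")  # "XGI-CPUU/D" -> "XGI-CPUUD"
    if key not in THRESHOLDS:
        return "not listed in advisory"
    limit, fix = THRESHOLDS[key]
    found = parse_version(version)
    if found is None:
        return "version unreadable, check manually"
    if found >= limit:
        return "not affected"
    if fix.startswith("No fix"):
        return "affected, no fix (EOL): apply compensating controls"
    return f"affected, update to {fix} or later"

SAMPLE_INVENTORY = [  # constructed records, not real assets
    ("pump-station-1", "XGK-CPUH", "V3.40"), ("line-3", "XGI-CPUU/D", "3.20"),
    ("eng-ws-02", "XG5000", "3.68"), ("boiler", "XGB-XBCH", "unknown"), ("hmi-1", "EXAMPLE-HMI", "1.0"),
]

if __name__ == "__main__":
    for name, model, version in SAMPLE_INVENTORY:
        print(f"{name}: {triage_asset(model, version)}")
```

A version written with a single-digit minor, such as "3.5", compares below "3.50" here and is flagged as affected, which errs toward review rather than a missed device.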
CVEs (1)