OTPulse

Contec CONPROSYS HMI System (CHS)

Act Now · 10 · ICS-CERT ICSA-22-347-03 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

CONPROSYS HMI System versions 3.4.5 and earlier contain multiple vulnerabilities (CWE-78 OS command injection, CWE-1392 default credentials, CWE-836 use of incorrectly resolved name, CWE-79 cross-site scripting, CWE-284 improper access control) that allow remote attackers to send specially crafted requests and extract sensitive information. No authentication is required. Contec has released version 3.5.0 as a fix.

What this means
What could happen
An attacker could send crafted network requests to the HMI system and extract sensitive information such as configuration data, credentials, or process details. This information could be used to plan further attacks or compromise plant operations.
Who's at risk
Manufacturing plants using Contec CONPROSYS HMI System for process monitoring and control. This affects organizations that rely on the HMI for operator visibility into PLC setpoints, sensor data, alarms, and historical logs. The vulnerability puts any plant using version 3.4.5 or earlier at risk of information exposure that could facilitate sabotage or theft of intellectual property.
How it could be exploited
An attacker on the network sends specially crafted HTTP/network requests to the CONPROSYS HMI System on its web interface or API. The system processes these requests without proper validation and returns sensitive data (configuration, credentials, internal state) that should not be accessible. The attacker collects this information for reconnaissance or lateral movement within the plant network.
Prerequisites
  • Network reachability to the CONPROSYS HMI System (typically via HTTP/HTTPS on port 80/443)
  • No authentication required to exploit the information disclosure
  • System running affected version 3.4.5 or earlier
remotely exploitable · no authentication required · low complexity attack · high CVSS score (10.0) · affects manufacturing control systems · information disclosure exposes sensitive operational data
Exploitability
Moderate exploit probability (EPSS 8.8%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
CONPROSYS HMI System (CHS): Ver.3.4.4 and prior | ≤ 3.4.4 | 3.5.0 or later
CONPROSYS HMI System (CHS): Ver.3.4.5 and prior | ≤ 3.4.5 | 3.5.0 or later
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the HMI system using firewalls; allow only authorized engineering and operations workstations to reach the HMI web interface
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CONPROSYS HMI System to version 3.5.0 or later
Long-term hardening
HARDENING: Isolate the HMI system and control network from business network and the Internet using a DMZ or air-gap approach
HARDENING: If remote access to the HMI is required, use a VPN with multi-factor authentication and keep VPN software updated
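
Added example (not part of the original advisory and not Contec tooling): a Python triage over a constructed asset inventory that flags CHS hosts below the fixed 3.5.0 release and firewall sources that fall outside the authorized workstation range. Host names, addresses and the inventory layout are assumptions.

```python
import ipaddress
import re

FIXED = (3, 5, 0)  # first fixed CHS release per the advisory

# Constructed sample data (hypothetical hosts, versions and firewall sources).
AUTHORIZED = [ipaddress.ip_network("10.20.30.0/28")]  # assumed engineering/ops workstations
INVENTORY = [
    {"host": "hmi-line1", "version": "Ver.3.4.5", "allowed_sources": ["10.20.30.0/28"]},
    {"host": "hmi-line2", "version": "3.5.0", "allowed_sources": ["10.20.30.4/32", "10.0.0.0/8"]},
    {"host": "hmi-lab", "version": "unknown", "allowed_sources": ["0.0.0.0/0"]},
]

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = re.fullmatch(r"(?:Ver\.?\s*)?(\d+)\.(\d+)\.(\d+)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.groups()) if m else None

def needs_update(version_text):
    """Unknown versions are treated as affected so they get investigated."""
    v = parse_version(version_text)
    return v is None or v < FIXED

def excess_sources(allowed_sources):
    """Firewall sources not fully contained in an authorized network."""
    excess = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(a) for a in AUTHORIZED):
            excess.append(str(net))
    return excess

def triage(inventory):
    """Map host -> list of findings; hosts with no findings are omitted."""
    report = {}
    for asset in inventory:
        findings = []
        if needs_update(asset["version"]):
            findings.append("update to 3.5.0 or later")
        extra = excess_sources(asset["allowed_sources"])
        if extra:
            findings.append("restrict sources: " + ", ".join(extra))
        if findings:
            report[asset["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in triage(INVENTORY).items():
        print(host, "->", "; ".join(findings))
```
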