Skip to main content
(844) 422-7000

Author: Admin @CloudCentric

Schneider Electric PowerChute Serial Shutdown

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 6.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: PowerChute Serial Shutdown
  • Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of PowerChute Serial Shutdown are affected:

  • PowerChute Serial Shutdown: Versions 1.2.0.301 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

An improper authentication vulnerability exists that could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-10511. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends the following mitigations for the affected product:

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-01 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 10, 2025: Initial Publication

Schneider Electric Harmony HMI and Pro-face HMI Products

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Harmony HMI and Pro-face HMI Products
  • Vulnerability: Use of Unmaintained Third-Party Components

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause complete control of the device when an authenticated user installs malicious code into HMI product

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of Harmony HMI and Pro-face HMI are affected:

  • Harmony HMIST6: All versions
  • Harmony HMISTM6: All versions
  • Harmony HMIG3U: All versions
  • Harmony HMIG3X: All versions
  • Harmony HMISTO7 series with Ecostruxure Operator Terminal Expert runtime: All versions
  • PFXST6000: All versions
  • PFXSTM6000: All versions
  • PFXSP5000: All versions
  • PFXGP4100 series with Pro-face BLUE runtime: All versions

3.2 Vulnerability Overview

3.2.1 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104

The affected product is vulnerable to a use of an unmaintained third-party component vulnerability that could cause complete control of the device when an authenticated user installs malicious code into HMI product.

CVE-2024-11999 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11999. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends for users to immediately apply the following mitigations to reduce the risk of exploit:

  • Use HMI only in a protected environment to minimize network exposure and ensure that they are not accessible from public Internet or untrusted networks.
  • Setup network segmentation and implement a firewall to block all unauthorized access.
  • Restrict usage of unverifiable portable media.
  • Restricting the application access to limit the transfer of Firmware to HMIScanning of software/files for rootkits before usage and verifying the digital signature.
  • When exchanging files over the network, use secure communication protocols.

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-02 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 10, 2025: Initial Publication

Delta Electronics DRASimuCAD

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: DRASimuCAD
  • Vulnerabilities: Out-of-bounds Write, Type Confusion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the device or potentially allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of DRASimuCAD, a robotic simulation platform, are affected:

  • DRASimuCAD : Version 1.02

3.2 Vulnerability Overview

3.2.1 Access of Resource Using Incompatible Type (‘Type Confusion’) CWE-843

Delta Electronics DRASimuCAD expects a specific data type when it opens files, but the program will accept data of the wrong type from specially crafted files.

CVE-2024-12834 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12834. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Out-of-bounds Write CWE-787

When a specially crafted file is opened with Delta Electronics DRASimuCAD, the program can be forced to write data outside of the intended buffer.

CVE-2024-12835 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12835. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.1 Access of Resource Using Incompatible Type (‘Type Confusion’) CWE-843

Delta Electronics DRASimuCAD expects a specific data type when it opens files, but the program will accept data of the wrong type from specially crafted files.

CVE-2024-12836 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12836. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

rgod working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics will release a new version of DRASimuCAD in January 2025 to address these issues and recommends users install this update on all affected systems.

For more information, please see the Delta product cybersecurity advisory for these issues.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • January 10, 2025: Initial Publication

ThreatQuotient ThreatQ Platform

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ThreatQuotient Inc.
  • Equipment: ThreatQ Platform
  • Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ThreatQuotient ThreatQ Platform, are affected:

  • ThreatQ Platform: Versions prior to 5.29.3

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

In ThreatQuotient ThreatQ Platform versions prior to 5.29.3, a command injection vulnerability exists within the api endpoint that could allow an attacker to perform remote code execution.

CVE-2024-39703 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39703. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Dawid Golak reported this vulnerability to CISA.

4. MITIGATIONS

ThreatQuotient has released the following for users to implement:

  • ThreatQ Platform: Version 5.29.3

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 17, 2024: Initial Publication

ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ABB
  • Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series
  • Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of Special Elements in Data Query Logic, Allocation of Resources Without Limits or Throttling, Weak Password Requirements, Cross-Site Request Forgery (CSRF), Use of Weak Hash, Code Injection, PHP Remote File Inclusion, External Control of System or Configuration Setting, Insufficiently Protected Credentials, Unrestricted Upload of File with Dangerous Type, Absolute Path Traversal, Use of Default Credentials, Off-by-one Error, Use of Default Password, Session Fixation

2. RISK EVALUATION

Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports the following products are affected:

  • ABB NEXUS Series: NEXUS-3-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB NEXUS Series: NEX-2x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
  • ABB NEXUS Series: NEX-2x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB NEXUS Series: NEXUS-3-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB MATRIX Series: MAT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
  • ABB MATRIX Series: MAT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB MATRIX Series: MAT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
  • ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB ASPECT-Enterprise: ASP-ENT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
  • ABB NEXUS Series: NEX-2x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
  • ABB NEXUS Series: NEXUS-3-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)

3.2 VULNERABILITY OVERVIEW

3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

Unauthorized file access in WEB Server in ASPECT versions 3.08.01 and prior allow an attacker to access files unauthorized.

CVE-2024-6209 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

An improper input validation vulnerability in ASPECT allows remote code inclusion.

CVE-2024-6298 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Web browser interface may manipulate application username/password in clear text or Base64 encoding in ABB ASPECT providing a higher probability of unintended credentials exposure.

CVE-2024-6515 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A cross-site scripting vulnerability was found in ABB ASPECT providing a potential for malicious scripts to be injected into a client browser.

CVE-2024-6516 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

3.2.5 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

A server-side request forgery vulnerability was found in ASPECT providing a potential for access to unauthorized resources and unintended information disclosure.

CVE-2024-6784 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A SQL injection vulnerability was found in ASPECT providing a potential for unintended information disclosure.

CVE-2024-48843 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.7 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A denial of service vulnerability was found in ASPECT providing a potential for device service disruptions.

CVE-2024-48844 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).

3.2.8 WEAK PASSWORD REQUIREMENTS CWE-521

A weak password reset rules vulnerability was found in ASPECT providing a potential for the storage of weak passwords that could facilitate unauthorized admin/application access.

CVE-2024-48845 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

3.2.9 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

A cross site request forgery vulnerability was found in ASPECT providing a potential for exposing sensitive information or changing system settings.

CVE-2024-48846 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

3.2.10.0 USE OF WEAK HASH CWE-328

A MD5 checksum bypass vulnerability was found in ASPECT exploiting a weakness in the way an application dependency calculates or validates MD5 checksum hashes.

CVE-2024-48847 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.2.11 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

An improper input validation vulnerability in ASPECT allows remote code execution.

CVE-2024-48839 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.12 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

An unauthorized access vulnerability in ASPECT allows remote code execution.

CVE-2024-48840 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.13 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM (‘PHP REMOTE FILE INCLUSION’) CWE-98

A local file inclusion vulnerability in ASPECT allows access to sensitive system information.

CVE-2024-51541 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.14 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

A configuration download vulnerability in ASPECT allows access to dependency configuration information.

CVE-2024-51542 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.15 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

An information disclosure vulnerability in ASPECT allows access to application configuration information.

CVE-2024-51543 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.16 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

A service control vulnerability in ASPECT allows access to service restart requests and vm configuration settings.

CVE-2024-51544 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.17 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An username enumeration vulnerability in ASPECT allows access to application level username add, delete, modify and list functions.

CVE-2024-51545 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.18 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A credentials disclosure vulnerability in ASPECT allow access to on board project backup bundles.

CVE-2024-51546 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.19 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A dangerous file upload vulnerability in ASPECT allows upload of malicious scripts.

CVE-2024-51548 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.20 ABSOLUTE PATH TRAVERSAL CWE-36

An absolute file traversal vulnerability in ASPECT allows access and modification of unintended resources.

CVE-2024-51549 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.21 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A data validation / data sanitization vulnerability in ASPECT Linux allows unvalidated and unsanitized data to be injected in an ASPECT device.

CVE-2024-51550 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.22 USE OF DEFAULT CREDENTIALS CWE-1392

A default credential vulnerability in ASPECT on Linux allows access to an ASPECT device using publicly available default credentials.

CVE-2024-51551 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.23 OFF-BY-ONE ERROR CWE-193

An off by one error vulnerability in ASPECT allow an array out of bounds condition in a log script.

CVE-2024-51554 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

3.2.24 USE OF DEFAULT PASSWORD CWE-1393

Default credential vulnerability in ASPECT allows access to an ASPECT device using publicly available default credentials, since the system does not require the installer to change default credentials.

CVE-2024-51555 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.25 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A filesize check vulnerability in ASPECT allow a malicious user to bypass size limits or overload an ASPECT device.

CVE-2024-11316 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.26 SESSION FIXATION CWE-384

Session fixation vulnerability in ASPECT allow an attacker to fix a user’s session identifier before login providing an opportunity for session takeover on an ASPECT device.

CVE-2024-11317 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Gjoko Krstikj of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847) ASP-ENT-x <=3.08.01, NEX-2x <=3.08.01, MAT-x <=3.08.01, NEXUS-3-x <=3.08.01: The vulnerabilities have been resolved in product versions 3.08.02 and later.
  • (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317) ASP-ENT-x <=3.08.02, NEX-2x <=3.08.02, NEXUS-3-x <=3.08.02, MAT-x <=3.08.02: The vulnerabilities have been resolved in product versions 3.08.03 and later.
  • (CVE-2024-48845) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.
  • (CVE-2024-51551, CVE-2024-51555) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 7, 2025: Initial Publication

Nedap Librix Ecoreader

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Nedap Librix
  • Equipment: Ecoreader
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Ecoreader are affected:

  • Ecoreader: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.

CVE-2024-12757 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-12757. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER

Prajitesh Singh of Cyble reported this vulnerability to CISA.

4. MITIGATIONS

Nedap Librix did not respond to our attempts to coordinate with them.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • January 07, 2025: Initial Publication

CVE-2021-44223

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory. (CVSS:7.5) (Last Update:2021-11-30)

CVE-2022-3590

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. (CVSS:0.0) (Last Update:2022-12-20)

CVE-2022-21661

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. (CVSS:5.0) (Last Update:2022-04-12)

CVE-2022-21662

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. (CVSS:3.5) (Last Update:2022-04-12)