Posts Page - CloudCentric

Delta Electronics CNCSoft-G2 DOPSoft

Written by on April 30, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-G2 DOPSoft
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software, are affected:

CNCSoft-G2: Versions 2.0.0.5 (with DOPSoft v5.0.0.93) and prior

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-4192 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ).

A CVSS v4 score has also been calculated for CVE-2024-4192. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to CNCSoft-G2 v2.1.0.4 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

April 30, 2024: Initial Publication

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC

Written by on April 25, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Honeywell
Equipment: Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC
Vulnerabilities: Exposed Dangerous Method or Function, Absolute Path Traversal, Stack-based Buffer Overflow, Debug Messages Revealing Unnecessary Information, Out-of-bounds Write, Heap-based Buffer Overflow, Binding to an Unrestricted IP Address, Improper Input Validation, Buffer Access with Incorrect Length Value, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Handling of Length Parameter Inconsistency

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Honeywell reports these vulnerabilities affect the following versions of Experion PKS, LX, PlantCruise, Safety Manager, and Safety Manager SC:

Experion PKS: All releases prior to R510.2 HF14
Experion PKS: All releases prior to R511.5 TCU4 HF4
Experion PKS: All releases prior to R520.1 TCU5
Experion PKS: All releases prior to R520.2 TCU4 HF2
Experion LX: All releases prior to R511.5 TCU4 HF4
Experion LX: All releases prior to R520.1 TCU5
Experion LX: All releases prior to R520.2 TCU4 HF2
PlantCruise by Experion: All releases prior to R511.5 TCU4 HF4
PlantCruise by Experion: All releases prior to R520.1 TCU5
PlantCruise by Experion: All releases prior to R520.2 TCU4 HF2
Safety Manager: R15x, R16x up to and including R162.10
Safety Manager SC: R210.X, R211.1, R211.2, R212.1

3.2 Vulnerability Overview

3.2.1 Exposed Dangerous Method or Function CWE-749

Successful exploitation of this vulnerability could allow an attacker to modify files on Experion controllers or SMSC S300. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered.

CVE-2023-5389 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5389. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Absolute Path Traversal CWE-36

Successful exploitation of this vulnerability could allow an attacker to read from the Experion controllers or SMSC S300. This exploit could be used to read files from the controller that may expose limited information from the device.

CVE-2023-5390 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5390. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Stack-based Buffer Overflow CWE-121

Successful exploitation of this vulnerability against the Experion controller, ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.

CVE-2023-5407 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5407. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Debug Messages Revealing Unnecessary Information CWE-1295

Successful exploitation of this vulnerability against the Experion controller, ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to extract more information from memory over the network than is required.

CVE-2023-5392 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5392. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

Successful exploitation of this vulnerability against the Experion Servers or Stations by manipulation messages from a controller could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.

CVE-2023-5406 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5406. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

Successful exploitation of this vulnerability against the Experion Servers or Stations could result in an information leak when an error is generated.

CVE-2023-5405 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5405. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Heap-based Buffer Overflow CWE-122

Successful exploitation of these vulnerabilities against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.

CVE-2023-5400 and CVE-2023-5404 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5400 and CVE-2023-5404. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.8 Stack-based Buffer Overflow CWE-121

CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 Binding to an Unrestricted IP Address CWE-1327

Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition over the network using specially crafted messages.

CVE-2023-5398 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5398. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 Improper Input Validation CWE-20

Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.

CVE-2023-5397 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5397. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 Buffer Access with Incorrect Length Value CWE-805

CVE-2023-5396 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5396. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119

CVE-2023-5394 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5394. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Handling of Length Parameter Inconsistency CWE-130

CVE-2023-5393 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5393. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Claroty and Armis reported these vulnerabilities to Honeywell.

4. MITIGATIONS

Honeywell fixed the reported issues and advises users to upgrade to version referenced in the Security Notice or CVE record.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Ensure the least-privilege user principle is followed.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

April 25, 2024: Initial Publication

Siemens RUGGEDCOM APE1808 Devices Configured with Palo Alto Networks Virtual NGFW

Written by on April 25, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM APE1808
Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with root privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens RUGGEDCOM APE1808, an application hosting platform, are affected:

RUGGEDCOM APE1808: All versions with Palo Alto Networks Virtual NGFW configured with GlobalProtect gateway or GlobalProtect portal (or both).

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

CVE-2024-3400 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3400. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

RUGGEDCOM APE1808:

Contact customer support to receive patch and update information.
Disable GlobalProtect gateway and GlobalProtect portal; note that these features are disabled by default in RUGGEDCOM APE1808 deployments.
Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later). For further instruction see Palo Alto Network’s upstream notification (https://security.paloaltonetworks.com/CVE-2024-3400).

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-750274 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

April 25, 2024: Initial Publication

Hitachi Energy MACH SCM

Written by on April 25, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.9
ATTENTION: Exploitable remotely
Vendor: Hitachi Energy
Equipment: MACH SCM
Vulnerabilities: Improper Control of Generation of Code, Improper Neutralization of Directives in Dynamically Evaluated Code

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an execution of arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of MACH SCM, are affected:

MACH SCM: Versions 4.0 to 4.5.x
MACH SCM: Versions 4.6 to 4.38

3.2 Vulnerability Overview

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE CWE-94

SCM Software is a client and server application. An Authenticated System manager client can execute LINQ query in the SCM server, for customized filtering. An Authenticated malicious client can send a specially crafted code to skip the validation and execute arbitrary code (RCE) on the SCM Server remotely. Malicious clients can execute any command by using this RCE vulnerability.

CVE-2024-0400 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-0400. A base score of 8.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L).

3.2.2 IMPROPER NEUTRILIZATION OF DIRECTIVES IN DYNAMICALLY EVALUATED CODE CWE-95

Authenticated List control client can execute the LINQ query in SCM Server to present event as list for operator. An authenticated malicious client can send special LINQ query to execute arbitrary code remotely (RCE) on the SCM Server that an attacker otherwise does not have authorization to do.

CVE-2024-2097 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H ).

A CVSS v4 score has also been calculated for CVE-2024-2097. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigation for CVE-2024-2097:

MACH SCM: Versions 4.6 to 4.38: Upgrade to MACH SCM Version 4.38.1

Until the updates are made available, Hitachi Energy recommends the following general mitigation factors/workarounds for the products with MACH SCM Versions 4.0 to 4.5.x to address the vulnerability CVE-2024-0400:

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network including:

Physically protect process control systems from direct access by unauthorized personnel.
Do not allow process control systems direct connections to the Internet.
Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
Process control systems should not be used for Internet surfing, instant messaging, or receiving emails.
Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy’s Security Advisories:

RCE Vulnerabilities in Hitachi Energy’s MACH SCM Product

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. PUBLICATION HISTORY

April 25, 2024: Initial Publication

Multiple Vulnerabilities in Hitachi Energy RTU500 Series

Written by on April 25, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: RTU500 Series
Vulnerabilities: Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi’s RTU500 series CMU Firmware are affected:

RTU500 series CMU Firmware: Version 12.0.1 – 12.0.14
RTU500 series CMU Firmware: Version 12.2.1 – 12.2.11
RTU500 series CMU Firmware: Version 12.4.1 – 12.4.11
RTU500 series CMU Firmware: Version 12.6.1 – 12.6.9
RTU500 series CMU Firmware: Version 12.7.1 – 12.7.6
RTU500 series CMU Firmware: Version 13.2.1 – 13.2.6
RTU500 series CMU Firmware: Version 13.4.1 – 13.4.4
RTU500 series CMU Firmware: Version 13.5.1 – 13.5.3

3.2 Vulnerability Overview

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could print random memory content in the RTU500 system log, if an authorized user uploads a specially crafted stb-language file.

CVE-2024-1531 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-1531. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could enforce diagnostic texts being displayed as empty strings, if an authorized user uploads a specially crafted stb-language file.

CVE-2024-1532 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-1532. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigations for CVE-2024-1531 and CVE-2024-1532:

RTU500 series CMU Firmware Version 12.7.1 – 12.7.6: Update to CMU Firmware Version 12.7.7
RTU500 series CMU Firmware Version 13.2.1 – 13.2.6: Update to CMU Firmware Version 13.2.7

Until the updates are made available, Hitachi Energy recommends the following general mitigation factors/workarounds for the products with RTU500 series CMU firmware Versions 12.0.1 – 12.0.14, 12.2.1 – 12.2.11, 12.4.1 – 12.4.11, 12.6.1 – 12.6.9, 13.4.1 – 13.4.4, and 13.5.1 – 13.5.3 to address the vulnerabilities CVE-2024-1531 and CVE-2024-1532:

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network including.
Physically protect process control systems from direct access by unauthorized personnel.
Do not allow process control systems direct connections to the Internet.
Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
Process control systems should not be used for Internet surfing, instant messaging, or receiving emails.
Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy’s Security Advisories:

Cybersecurity Advisory Multiple Vulnerabilities in Hitachi Energy’s RTU500 series Product

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. PUBLICATION HISTORY

April 25, 2024: Initial Publication

Unitronics Vision Series PLCs

Written by on April 18, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Unitronics
Equipment: Vision series PLCs
Vulnerability: Storing Passwords in a Recoverable Format

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to log in to the Remote HMI feature, where the PLC may be factory reset, stopped, and restarted.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Unitronics Vision 230 PLCs are affected:

Vision 230: All versions
Vision 280: All versions
Vision 290: All versions
Vision 530: All versions
Vision 120: All versions

3.2 Vulnerability Overview

3.2.1 Storing Passwords in a Recoverable Format CWE-257

Unitronics Vision Standard PLCs allow a remote, unauthenticated individual to retrieve the ‘Information Mode’ password in plaintext.

CVE-2024-1480 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-1480. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Israel

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA.

4. MITIGATIONS

Dragos recommends users to restrict access to the PLC on TCP/20256 by either changing the default programmer port, or apply a multi-factor VPN to protect the service from remote access.

Unitronics has not responded to requests to work with CISA to mitigate this vulnerability. Please contact Unitronics customer support for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

April 18, 2024: Initial Publication

RoboDK RoboDK

Written by on April 16, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 3.3
ATTENTION: Low attack complexity
Vendor: RoboDK
Equipment: RoboDK
Vulnerability: Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker crashing the program through heap-based buffer overflow.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of RoboDK, a robotics development software, are affected:

RoboDK: RoboDK v5.5.4 (Windows 64 bit)

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected product is vulnerable to heap-based buffer overflow while processing a specific project file. The resulting memory corruption may crash the application.

CVE-2024-0257 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Hank Chen, while working with TXOne Networks, reported this vulnerability to CISA.

4. MITIGATIONS

RoboDK did not respond to CISA’s attempts at coordination. Users of RoboDK are encouraged to contact RoboDK and keep their systems up to date.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

April 16, 2024: Initial Publication

Electrolink FM/DAB/TV Transmitter

Written by on April 16, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Electrolink
Equipment: FM/DAB/TV Transmitter
Vulnerabilities: Authentication Bypass by Assumed-Immutable Data, Reliance on Cookies without Validation and Integrity Checking, Missing Authentication for Critical Function, Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain full system access, keep the device from transmitting, escalate privileges, change credentials, and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Electrolink transmitters are affected:

10W, 100W, 250W, Compact DAB Transmitter
500W, 1kW, 2kW Medium DAB Transmitter
2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
100W, 500W, 1kW, 2kW Compact FM Transmitter
3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
15W – 40kW Digital FM Transmitter
BI, BIII VHF TV Transmitter
10W – 5kW UHF TV Transmitter

3.2 Vulnerability Overview

3.2.1 Authentication Bypass by Assumed-Immutable Data CWE-302

Electrolink transmitters are vulnerable to an authentication bypass vulnerability affecting the login cookie. An attacker can set an arbitrary value except ‘NO’ to the login cookie and have full system access.

CVE-2024-3741 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has been calculated for CVE-2024-3741. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 Authentication Bypass by Assumed-Immutable Data CWE-302

The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change.

CVE-2024-22179 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has been calculated for CVE-2024-22179. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.3 Reliance on Cookies without Validation and Integrity Checking CWE-565

The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator.

CVE-2024-22186 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-22186. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Reliance on Cookies without Validation and Integrity Checking CWE-565

The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allows more critical operations to the transmitter.

CVE-2024-21872 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has been calculated for CVE-2024-21872. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Missing Authentication for Critical Function CWE-306

An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario.

CVE-2024-21846 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has been calculated for CVE-2024-21846. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.6 Missing Authentication for Critical Function CWE-306

The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server’s main interfaces and execute arbitrary code.

CVE-2024-1491 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has been calculated for CVE-2024-1491. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.7 Cleartext Storage of Sensitive Information CWE-312

Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.

CVE-2024-3742 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has been calculated for CVE-2024-3742. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications Sector
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Gjoko Krstic publicly reported these vulnerabilities on the internet after an unsuccessful attempt to contact Electrolink directly.

4. MITIGATIONS

Electrolink has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact Electrolink for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

April 16, 2024: Initial Publication

Measuresoft ScadaPro

Written by on April 16, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.8
ATTENTION: Low attack complexity
Vendor: Measuresoft
Equipment: ScadaPro
Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate their privileges from unprivileged to SYSTEM privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ScadaPro, a supervisory control and data acquisition (SCADA) system, are affected:

ScadaPro: version 6.9.0.0

3.2 Vulnerability Overview

3.2.1 IMPROPER ACCESS CONTROL CWE-284

The entire parent directory – C:ScadaPro and its sub-directories and files are configured by default to allow user, including unprivileged users, to write or overwrite files.

CVE-2024-3746 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-3746. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Measuresoft recommends that users manually reconfigure the vulnerable directories so that they are not writable by everyone.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Exercise principles of least privilege.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

This vulnerability is not exploitable remotely. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

April 16, 2024: Initial Publication

Rockwell Automation ControlLogix and GuardLogix

Written by on April 16, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, 1756-EN4TR
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a major nonrecoverable fault (MNRF) resulting in the product to become unavailable.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ControlLogix and GuardLogix, programmable logic controllers, are affected:

ControlLogix 5580: Version V35.011
GuardLogix 5580: Version V35.011
CompactLogix 5380: Version V35.011
1756-EN4TR: Version V5.001

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF). If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, a MNRF could result in a loss of view and/or control of connected devices.

CVE-2024-3493 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3493. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has released product updates addressing this vulnerability:

ControlLogix 5580: Update to version V35.013 or V36.011
GuardLogix 5580: Update to version V35.013 or V36.011
CompactLogix 5380: Update to version V35.013 or V36.011
1756-EN4TR: Update to version V6.001

For more information, see Rockwell Automation’s security advisory (Login required).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

April 16, 2024: Initial Publication