Posts Page - CloudCentric

Delta Electronics DIAScreen

Written by on November 7, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: DIAScreen
Vulnerabilities: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of DIAScreen, which is a component of Delta’s DIAStudio Smart Machine Suite integrated engineering software package, are affected:

DIAScreen: versions prior to v1.5.0

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetObjectInfo can be exploited, allowing the attacker to remotely execute arbitrary code.

CVE-2024-47131 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47131. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Stack-based Buffer Overflow CWE-121

If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetParameter can be exploited, allowing the attacker to remotely execute arbitrary code.

CVE-2024-39605 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39605. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Stack-based Buffer Overflow CWE-121

If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in CEtherIPTagItem can be exploited, allowing the attacker to remotely execute arbitrary code.

CVE-2024-39354 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39354. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics has released v1.5.0 of DIAScreen (login required) and recommends users install this update on all affected systems.

For more information, please see the Delta product cybersecurity advisory for these issues.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

November 7, 2024: Initial Publication

Rockwell Automation FactoryTalk ThinManager

Written by on October 31, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk ThinManager
Vulnerabilities: Missing Authentication For Critical Function, Out-of-Bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device resulting in database manipulation or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation FactoryTalk product versions are affected:

ThinManager: Versions 11.2.0 to 11.2.9
ThinManager: Versions 12.0.0 to 12.0.7
ThinManager: Versions 12.1.0 to 12.1.8
ThinManager: Versions 13.0.0 to 13.0.5
ThinManager: Versions 13.1.0 to 13.1.3
ThinManager: Versions 13.2.0 to 13.2.2
ThinManager: Version 14.0.0

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVE-2024-10386 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10386. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

A denial-of-service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, resulting in a denial-of-service condition.

CVE-2024-10387 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10387. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tenable Network Security reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation has provided a fix for the affected versions on the FactoryTalk ThinManager download site.

Rockwell Automation encourages users of the affected software to apply these risk mitigations if possible.

Implement network hardening for ThinManager Device(s) by limiting communications to TCP 2031 to only the devices that need connection to the ThinManager.
For information on how to mitigate security risks on industrial automation control systems, users are encouraged to implement Rockwell Automation’s suggested security best practices to minimize the risk of the vulnerability.

For more information, see Rockwell Automation’s security bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 31, 2024: Initial Publication

Delta Electronics InfraSuite Device Master

Written by on October 29, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: InfraSuite Device Master
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of InfraSuite Device Master, a real-time device monitoring software, are affected:

InfraSuite Device Master: Versions 1.0.12 and prior

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication, resulting in remote code execution.

CVE-2024-10456 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10456. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Simon Humbert of Trend Micro reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics states that this issue was fixed by version 1.0.13 released in October 2024. Delta recommends updating to version 1.0.13 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 29, 2024: Initial Publication

Siemens InterMesh Subscriber Devices

Written by on October 29, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: InterMesh
Vulnerabilities: OS Command Injection, Missing Authentication for Critical Function, Execution with Unnecessary Privileges, Incorrect Privilege Assignment

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, execute commands, write arbitrary files, or execute arbitrary commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens InterMesh Subscriber Devices, a wireless alarm reporting system, are affected:

InterMesh 7177 Hybrid 2.0 Subscriber: All versions prior to V8.2.12
InterMesh 7707 Fire Subscriber: All versions prior to V7.2.12

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

CVE-2024-47901 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47901. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The web server of affected devices does not authenticate GET requests that execute specific commands (such as ping) on operating system level.

CVE-2024-47902 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47902. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.3 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250

The web server of affected devices allows to write arbitrary files to the web server’s DocumentRoot directory.

CVE-2024-47903 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47903. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N).

3.2.4 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges.

CVE-2024-47904 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47904. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

AES Corporation and Jean Pereira from CYTRES reported these vulnerabilities to Siemens. Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

InterMesh 7177 Hybrid 2.0 Subscriber: Update to V8.2.12 or later version
InterMesh 7707 Fire Subscriber: Update to V7.2.12 or later version
Restrict access to the InterMesh network to trusted systems and persons only

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-333468 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 29, 2024: Initial Publication

Solar-Log Base 15

Written by on October 29, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Solar-Log
Equipment: Base 15
Vulnerability: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker obtaining unauthorized access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Solar-Log Base 15 are affected:

Base 15: Firmware 6.0.1 Build 161

3.2 Vulnerability Overview

The affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to bypass access controls and gain unauthorized access.

CVE-2023-46344 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46344. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Multiple
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) as authored by Vincent McRae and Mesut Cetin of Redteamer IT Security and reported it to Solar-Log.

4. MITIGATIONS

Solar-Log has released the following versions for users to download:

Base 15: Firmware 6.2.0-170

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 29, 2024: Initial Publication

VIMESA VHF/FM Transmitter Blue Plus

Written by on October 24, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: VIMESA
Equipment: VHF/FM Transmitter Blue Plus
Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a Denial-of-Service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of VIMESA VHF/FM Transmitter Blue Plus, a VHF/FM Transmitter, is affected:

VHF/FM Transmitter Blue Plus: Version v9.7.1

3.2 Vulnerability Overview

3.2.1 Improper Access Control CWE-284

VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint ‘doreboot’ and restart the transmitter operations.

CVE-2024-9692 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-9692. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Spain

3.4 RESEARCHER

CISA discovered this report authored by Gjoko Krstic.

4. MITIGATIONS

VIMESA has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact VIMESA for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 24, 2024: Initial Publication

iniNet Solutions SpiderControl SCADA PC HMI Editor

Written by on October 24, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: iniNet Solutions
Equipment: SpiderControl SCADA PC HMI Editor
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain remote control of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of iniNet Solutions SpiderControl SCADA PC HMI Editor, a software management platform, are affected:

SpiderControl SCADA PC HMI Editor: Version 8.10.00.00

3.2 Vulnerability Overview

3.2.1 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22

iniNet Solutions SpiderControl SCADA PC HMI Editor has a path traversal vulnerability. When the software loads a malicious ‘ems’ project template file constructed by an attacker, it can write files to arbitrary directories. This can lead to overwriting system files, causing system paralysis, or writing to startup items, resulting in remote control.

CVE-2024-10313 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10313. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Europe
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

elcazator from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

iniNet Solutions recommends that users update SpiderControl SCADA PC HMI Editor to version 8.24.00.00 to mitigate this vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 24, 2024: Initial Publication

Deep Sea Electronics DSE855

Written by on October 24, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: low attack complexity/public exploits are available
Vendor: Deep Sea Electronics
Equipment: DSE855
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access stored credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Deep Sea Electronics DSE855, an ethernet communications device, are affected:

DSE855: Version 1.0.26

3.2 Vulnerability Overview

3.2.1 Missing Authentication for Critical Function CWE-306

Deep Sea Electronics DSE855 is vulnerable to a configuration disclosure when direct object reference is made to the Backup.bin file using an HTTP GET request.

CVE-2024-5947 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-5947. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

CISA discovered this vulnerability authored by Gjoko Krstic.

4. MITIGATIONS

Deep Sea Electronics recommends that users update DSE855 to version 1.2.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

October 24, 2024: Initial Publication

ICONICS and Mitsubishi Electric Products

Written by on October 22, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: ICONICS, Mitsubishi Electric
Equipment: ICONICS Product Suite, Mitsubishi Electric MC Works64
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in disclosure of confidential information, data tampering, or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ICONICS reports that the following versions of ICONICS and Mitsubishi Electric Products are affected:

ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.3 and prior
Mitsubishi Electric MC Works64: all versions

3.2 Vulnerability Overview

3.2.1 Incorrect Default Permissions CWE-276

There is an incorrect default permissions vulnerability in ICONICS and Mitsubishi Electric products which may allow a disclosure of confidential information, data tampering, or a denial of service condition due to incorrect default permissions.

CVE-2024-7587 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

3.4 RESEARCHER

Asher Davila and Malav Vyas of Palo Alto Networks reported this vulnerability to ICONICS.

4. MITIGATIONS

Version 10.97.3 CFR1 and later is not vulnerable to this issue. ICONICS recommends that users of its products take the following mitigation steps:

For new systems, use the 10.97.3 CFR1 or later version of the ICONICS products.
If planning to use GENESIS64 v10.97.3 or earlier on a new freshly installed system, do not install the included GenBroker32. Instead, download the latest GenBroker32 from ICONICS and install this version if needed.
For systems that already have v10.97.3 or an earlier version, or MC Works64 installed, verify the permissions on the c:ProgramDataICONICS folder do not include “Everyone”. If this folder is set to provide access to “Everyone”, remove this access by performing the following steps:

Right click C:ProgramDataICONICS folder and open the Properties display
Open the Security tab
Click Advanced
Click Change Permissions
Select “Everyone” and check the “Replace all object permissions entries with inheritable permission entries from this project” checkbox
Click Remove

ICONICS and Mitsubishi Electric recommends users update the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here(login required).

ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the [ICONICS Whitepaper on Security Vulnerabilities])https://iconics.com/About/Security/CERT), and to the for information on the availability of the security updates.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

October 22, 2024: Initial Publication

Kieback&Peter DDC4000 Series

Written by on October 17, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Kieback&Peter
Equipment: DDC4000 Series
Vulnerabilities: Path Traversal, Insufficiently Protected Credentials, Use of Weak Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Kieback&Peter DDC4000 series products are affected:

DDC4002 : Versions 1.12.14 and prior
DDC4100 : Versions 1.7.4 and prior
DDC4200 : Versions 1.12.14 and prior
DDC4200-L : Versions 1.12.14 and prior
DDC4400 : Versions 1.12.14 and prior
DDC4002e : Versions 1.17.6 and prior
DDC4200e : Versions 1.17.6 and prior
DDC4400e : Versions 1.17.6 and prior
DDC4020e : Versions 1.17.6 and prior
DDC4040e : Versions 1.17.6 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The affected product is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.

CVE-2024-41717 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41717. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The affected product has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system.

CVE-2024-43812 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43812. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF WEAK CREDENTIALS CWE-1391

The affected product uses weak credentials, which may allow an unauthenticated attacker to get full admin rights on the system.

CVE-2024-43698 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43698. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector, Commercial Facilities Sector, Communications Sector, Financial Services Sector, Food and Agriculture Sector, Government Services and Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector
COUNTRIES/AREAS DEPLOYED: Europe, the Middle East and Asia.
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Raphael Ruf of terreActive AG reported these vulnerabilities to CISA.

4. MITIGATIONS

Kieback&Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are considered End-of-Life (EOL) and are no longer supported. Users operating these controllers should ensure they are operated in a strictly separate OT environment and consider updating to a supported controller.

Kieback&Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.

Kieback&Peter recommends all affected users contact their local Kieback&Peter office to update the firmware of the supported DDC systems to v1.21.0 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication