
Sensormatic Electronics Illustra Pro Gen 4

1. EXECUTIVE SUMMARY

CVSS v3 8.3
ATTENTION: Exploitable via adjacent network
Vendor: Sensormatic Electronics, a subsidiary of Johnson Controls, Inc.
Equipment: Illustra Pro Gen 4
Vulnerability: Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to compromise device credentials over a long period of sustained attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sensormatic Electronics Illustra Pro Gen 4 are affected:

Pro Gen 4 Dome: Up to and including Illustra.SS016.05.09.04.0006
Pro Gen 4 PTZ: Up to and including Illustra.SS010.05.09.04.0022

3.2 VULNERABILITY OVERVIEW

3.2.1 ACTIVE DEBUG CODE CWE-489 

Sensormatic Electronics Illustra Pro Gen 4 contains a debug feature that is incorrectly set to enabled on newly manufactured cameras. Under some circumstances, over a long period of sustained attack, this could allow compromise of device credentials.

CVE-2023-0954 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Sensormatic Electronics has provided the following mitigations:

Update Illustra Pro Gen 4 Dome to version 6.00.00.
Update Illustra Pro Gen 4 PTZ to version 6.00.00.

The camera can be upgraded via the web GUI using firmware Illustra provides, which can be found on www.illustracameras.com. The firmware can also be upgraded using the Illustra Connect tool (Windows based) or Illustra Tools (mobile app) or victor/VideoEdge, which also provides bulk firmware upgrade capability. Refer to the respective application documents for further information.

For additional information, refer to Johnson Controls Product Security Advisory JCI-PSA-2023-02 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Atlas Copco Power Focus 6000

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Atlas Copco
Equipment: Power Focus 6000
Vulnerabilities: Cleartext Storage of Sensitive Information, Small Space of Random Values, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a loss of sensitive information and the takeover of a user’s active session.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Power Focus 6000, a smart connected assembly product, are affected:

Power Focus 6000: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user’s browser, which could allow an attacker with access to the user’s computer to obtain the controller’s credentials.

CVE-2023-1897 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.2 SMALL SPACE OF RANDOM VALUES CWE-334

Atlas Copco Power Focus 6000 web server draws session IDs from a small space of values. An attacker could guess or enumerate a session ID to retrieve data from an active user’s session.

CVE-2023-1898 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Atlas Copco Power Focus 6000 web server does not use an encrypted connection by default, which could allow an attacker to obtain sensitive information by monitoring network traffic between the user and the controller.

CVE-2023-1899 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
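The small session-ID space (3.2.2) is the kind of weakness a tester can quantify from a handful of captured IDs. The following is an added example, not Atlas Copco code, and it assumes nothing about the Power Focus 6000's real ID format: the weak generator is a hypothetical 4-digit scheme used to illustrate the arithmetic, and the sample sets are constructed in the script. The entropy figure is an upper bound derived from observed length and alphabet; the real value can only be lower.

```python
import math
import random
import secrets


def weak_session_id(rng: random.Random) -> str:
    """Illustrative weak generator (hypothetical; not the Power Focus 6000's
    real scheme): a 4-digit decimal ID, so only 10,000 sessions are possible."""
    return f"{rng.randrange(10_000):04d}"


def strong_session_id() -> str:
    """256 bits from the OS CSPRNG, base64url-encoded to 43 characters."""
    return secrets.token_urlsafe(32)


def max_entropy_bits(sample: list[str]) -> float:
    """Upper bound on the entropy of a session-ID scheme from a sample of IDs:
    length times log2 of the alphabet observed across the sample. The real
    entropy can only be lower (counters, timestamps, ...). Assumes the sample
    is large enough to expose the full alphabet."""
    lengths = {len(sid) for sid in sample}
    if len(lengths) != 1:
        raise ValueError("variable-length IDs: audit each length class separately")
    alphabet = set("".join(sample))
    return lengths.pop() * math.log2(len(alphabet))


def expected_guesses_to_hijack(bits: float, active_sessions: int) -> float:
    """Average number of blind guesses before one lands on any of the
    `active_sessions` live IDs, if IDs are uniform over a 2**bits space."""
    return (2.0 ** bits) / active_sessions / 2


def hijack_seconds(bits: float, active_sessions: int, guesses_per_second: float) -> float:
    """Wall-clock estimate at a given probe rate against the web server."""
    return expected_guesses_to_hijack(bits, active_sessions) / guesses_per_second


if __name__ == "__main__":
    rng = random.Random(2023)  # constructed sample, seeded for repeatability
    weak = [weak_session_id(rng) for _ in range(200)]
    strong = [strong_session_id() for _ in range(200)]
    for label, ids in (("weak", weak), ("strong", strong)):
        bits = max_entropy_bits(ids)
        print(f"{label}: <= {bits:.1f} bits; ~{hijack_seconds(bits, 5, 50):.3g} s "
              "to hijack one of 5 live sessions at 50 guesses/s")
```

With 4-digit IDs and five live sessions, the expected cost of a hijack is about 1,000 guesses, or 20 seconds at a modest 50 requests per second; the 256-bit ID is out of reach at any rate. Because the page is served in cleartext by default (3.2.3), the same IDs can also simply be read off the wire, so the fix is both a CSPRNG-backed ID of at least 128 bits and HTTPS with the cookie marked Secure.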

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Chen Porian of OTORIO reported these vulnerabilities to CISA.

4. MITIGATIONS

Atlas Copco has not responded to requests to work with CISA on mitigations for the reported vulnerabilities. Users of the affected products are encouraged to contact Atlas Copco.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities have a low attack complexity.

Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool
Vulnerabilities: Weak Password Requirements, Use of Hard-coded Password, Missing Password Field Masking, Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to connect to the module via FTP and bypass authentication to log in.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports these vulnerabilities affect the following MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool: 

RJ71EIP91: All versions
SW1DNN-EIPCT-BD: All versions
FX5-ENET/IP: All versions
SW1DNN-EIPCTFX5-BD: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK PASSWORD REQUIREMENTS CWE-521

An authentication bypass vulnerability in the FTP function of the EtherNet/IP module, caused by weak password requirements, could allow a remote unauthenticated attacker to access the module via FTP by dictionary attack or password sniffing.

CVE-2023-2060 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

An authentication bypass vulnerability in the FTP function of the EtherNet/IP module could allow a remote unauthenticated attacker to obtain a hard-coded password and use it to access the module via FTP.

CVE-2023-2061 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 MISSING PASSWORD FIELD MASKING CWE-549

The EtherNet/IP configuration tool displays passwords unmasked (missing password field masking). An attacker who can observe the displayed password could use it to access the module via FTP, bypassing authentication.

CVE-2023-2062 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 

An information disclosure, tampering, deletion, and destruction vulnerability exists in the FTP function of the EtherNet/IP module: file upload/download does not restrict uploads of files with dangerous types.

CVE-2023-2063 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Iie Karada reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends customers take the following mitigation measures to minimize the risk of a threat actor exploiting these vulnerabilities:

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to prevent untrusted devices from connecting to the LAN to which the affected product connects.
Avoid uploading/downloading files directly using FTP, and use the EtherNet/IP configuration tool. Do not open the downloaded file with anything other than the EtherNet/IP configuration tool.
For FX5-ENET/IP, use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual: “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).
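The FTP weaknesses above (weak or hard-coded passwords found by dictionary attack or sniffing) and the vendor's IP-filter mitigation both have a detection counterpart: watch FTP logins to the module for sources outside the engineering LAN and for bursts of failed logins. The script below is an added example, not Mitsubishi code. The advisory does not describe any logging on the module itself, so the events are a constructed sample in a hypothetical key=value format, as a network monitor or firewall in front of the module might record them; the allowed network 192.168.10.0/24 and the threshold of five failures per minute are assumptions to be tuned per site.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of FTP login events (hypothetical format, not the
# module's own logging). 192.168.10.0/24 is the assumed engineering LAN.
SAMPLE_EVENTS = """\
2023-06-01T08:00:01 src=192.168.10.20 user=eip result=OK
2023-06-01T08:00:05 src=192.168.10.20 user=eip result=OK
2023-06-01T08:01:00 src=10.5.5.77 user=admin result=FAIL
2023-06-01T08:01:01 src=10.5.5.77 user=admin result=FAIL
2023-06-01T08:01:02 src=10.5.5.77 user=admin result=FAIL
2023-06-01T08:01:03 src=10.5.5.77 user=admin result=FAIL
2023-06-01T08:01:04 src=10.5.5.77 user=admin result=FAIL
2023-06-01T08:01:05 src=10.5.5.77 user=admin result=FAIL
2023-06-01T08:01:06 src=10.5.5.77 user=admin result=OK
2023-06-01T08:30:00 src=192.168.10.21 user=eip result=FAIL
2023-06-01T09:30:00 src=192.168.10.21 user=eip result=FAIL
"""


def parse_event(line: str):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.fromisoformat(ts), ipaddress.ip_address(fields["src"]),
            fields["user"], fields["result"])


def detect(events: str, allowed_nets, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=1)):
    """Return (kind, src, user, time) alerts for: logins from outside the
    allowed networks (what the IP filter should block), a burst of failures
    from one source inside the sliding window (dictionary attack), and a
    success from a source that was already brute-forcing (weak password found)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    failures = defaultdict(deque)       # src -> timestamps of recent failures
    reported_untrusted, bruteforcing = set(), set()
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_event(line)
        if not any(src in net for net in nets) and src not in reported_untrusted:
            reported_untrusted.add(src)
            alerts.append(("untrusted-source", str(src), user, ts.isoformat()))
        if result == "FAIL":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= fail_threshold and src not in bruteforcing:
                bruteforcing.add(src)
                alerts.append(("dictionary-attack", str(src), user, ts.isoformat()))
        elif src in bruteforcing:
            alerts.append(("success-after-bruteforce", str(src), user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ["192.168.10.0/24"]):
        print(*alert)
```

On the sample, 10.5.5.77 trips all three alerts (off-LAN source, five failures within a minute, then a success), while the two isolated failures from 192.168.10.21 an hour apart stay below the threshold. Because FTP is cleartext, the same monitor can also recover the password from a successful login; the "success-after-bruteforce" alert is the trigger to change it and to enable the IP filter.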

For specific update instructions and additional details, see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Delta Electronics CNCSoft-B DOPSoft

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-B DOPSoft
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker who convinces a user to open a malicious file to trigger a buffer overflow and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CNCSoft-B DOPSoft, a human machine interface (HMI), are affected:

CNCSoft-B DOPSoft: versions 1.0.0.4 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics’ CNCSoft-B DOPSoft versions 1.0.0.4 and prior are vulnerable to stack-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2023-25177 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

Delta Electronics’ CNCSoft-B DOPSoft versions 1.0.0.4 and prior are vulnerable to heap-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2023-24014 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson (@NattiSamson), working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics has released CNCSoft-B DOPSoft v4.0.0.82 and recommends that users download v4.0.0.82 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Advantech WebAccess/SCADA

1. EXECUTIVE SUMMARY

CVSS v3 7.2 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Advantech
Equipment: WebAccess Node
Vulnerabilities: Improper Control of Generation of Code (‘Code Injection’), Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to arbitrarily overwrite files resulting in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Advantech products are affected:

WebAccess/SCADA versions 9.1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files). By injecting code into an XLS file and modifying the file extension, an attacker could achieve arbitrary code execution.

CVE-2023-32540 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker logged in as the manager user to upload an ASP script file to the web server, which can lead to arbitrary code execution.

CVE-2023-22450 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to change the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.

CVE-2023-32628 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
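All three findings share one root cause: the server lets the client-supplied file name decide where an upload lands and what extension (and therefore what handler) it gets. The following is an added example, not Advantech code, contrasting that pattern with a hardened upload path. The directory layout (/srv/webroot, /srv/uploads), the upload kinds and the in-memory `store` dict standing in for the filesystem are all hypothetical; the point is that the server, never the client, chooses name, extension and location, and that content is checked against the declared kind.

```python
import posixpath
import secrets

# Hypothetical layout for this example (not Advantech's real paths): script
# files under WEBROOT execute; UPLOAD_ROOT is outside the web root, never served.
WEBROOT = "/srv/webroot"
UPLOAD_ROOT = "/srv/uploads"

# Allowed upload kinds. The stored extension is fixed per kind, and the content
# must look like that kind (PEM header / OLE2 magic for legacy .xls).
KINDS = {
    "certificate": (".pem", lambda d: d.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")),
    "xls": (".xls", lambda d: d.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")),
}


def vulnerable_save(store: dict, client_filename: str, data: bytes) -> str:
    """The pattern the advisory describes: the client-supplied name decides
    both the extension and the location, so 'cert.asp' becomes an executable
    page under the web root and '../../x' walks out of the upload directory."""
    path = posixpath.normpath(posixpath.join(WEBROOT, "upload", client_filename))
    store[path] = data          # `store` stands in for the filesystem
    return path


def is_inside(root: str, path: str) -> bool:
    return posixpath.commonpath([root, path]) == root


def safe_save(store: dict, kind: str, data: bytes, max_size: int = 1_000_000) -> str:
    """Hardened form: the client chooses only the *kind*; the server chooses
    the name, the extension and the directory, validates the content against
    the kind, and keeps the file out of any executable location."""
    if kind not in KINDS:
        raise ValueError(f"unknown upload kind {kind!r}")
    ext, looks_like = KINDS[kind]
    if len(data) > max_size:
        raise ValueError("upload too large")
    if not looks_like(data):
        raise ValueError(f"content does not look like a {kind}")
    path = posixpath.join(UPLOAD_ROOT, kind, secrets.token_hex(16) + ext)
    if not is_inside(UPLOAD_ROOT, path) or is_inside(WEBROOT, path):
        raise RuntimeError("refusing to write outside the upload root")
    store[path] = data
    return path


if __name__ == "__main__":
    fs = {}
    print(vulnerable_save(fs, "cert.asp", b"<% eval request(\"c\") %>"))
    print(vulnerable_save(fs, "../../Windows/win.ini", b"overwritten"))
    print(safe_save(fs, "certificate", b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"))
```

The two calls to `vulnerable_save` show the web-shell drop and the arbitrary overwrite from a single root cause; `safe_save` rejects an ASP payload declared as a certificate because it has no PEM header, and even a valid file ends up with a random name, a fixed extension and a path that the web server never maps to a script handler. Note that the manager-level privilege in the CVSS vectors (PR:H) does not reduce the need for this: an administrative upload feature is still an input boundary.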

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

YangLiu from Elex Feigong Research Institute reported these vulnerabilities to CISA.

4. MITIGATIONS

Advantech recommends WebAccess/SCADA users upgrade to v9.1.4.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

HID Global SAFE

1. EXECUTIVE SUMMARY

CVSS v3 7.3 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: HID Global
Equipment: SAFE
Vulnerabilities: Modification of Assumed-Immutable Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in exposure of personal data or create a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of HID’s SAFE, a personnel and access management software, are affected:

HID SAFE using the optional External Visitor Manager portal: Versions 5.8.0 through 5.11.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MODIFICATION OF ASSUMED-IMMUTABLE DATA CWE-471 

The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 is vulnerable to manipulation of web fields in its application programming interface (API). An attacker could log in using account credentials made available through a request generated by an internal user, then manipulate the visitor-id parameter in the web API to access the personal data of other users. The HID SAFE web server places no limit on the number of requests that can be made, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

CVE-2023-2904 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).
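The description combines two distinct defects: a visitor-id that is trusted as-is (an object-level authorization gap, which is why CWE-471 is cited) and an unthrottled endpoint. The handler pair below is an added example, not HID code, and it assumes a hypothetical record schema in which each visitor request belongs to the internal host account that raised it; the `Session`, `Forbidden` and `TooManyRequests` names and the sample records are constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed visitor records (hypothetical data, not HID's schema): each
# visitor request belongs to the internal host account that raised it.
VISITORS = {
    1001: {"host_account": "alice", "name": "Visitor One", "phone": "+1-555-0101"},
    1002: {"host_account": "bob", "name": "Visitor Two", "phone": "+1-555-0102"},
}


class Forbidden(Exception):
    pass


class TooManyRequests(Exception):
    pass


@dataclass
class Session:
    account: str


def get_visitor_vulnerable(session: Session, visitor_id: int) -> dict:
    """Authenticates (a session exists) but never authorises: any logged-in
    account reads any record just by changing visitor_id."""
    return VISITORS[visitor_id]


class RateLimiter:
    """Per-key token bucket: `capacity` burst, refilled at `rate` tokens/s.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._buckets: dict[str, tuple[float, float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1.0, now)
        return True


def get_visitor(session: Session, visitor_id: int, limiter: RateLimiter) -> dict:
    """Hardened form. The rate check runs first so that denied lookups also
    cost the caller budget; the ownership check returns the same error for
    'no such record' and 'not your record' so ids cannot be enumerated."""
    if not limiter.allow(session.account):
        raise TooManyRequests(session.account)
    record = VISITORS.get(visitor_id)
    if record is None or record["host_account"] != session.account:
        raise Forbidden(visitor_id)
    return record


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, rate=1.0)
    print(get_visitor_vulnerable(Session("bob"), 1001)["name"])   # bob reads alice's visitor
    print(get_visitor(Session("alice"), 1001, limiter)["name"])
    try:
        get_visitor(Session("bob"), 1001, limiter)
    except Forbidden as exc:
        print("forbidden:", exc)
```

Keying the bucket on the account rather than the client IP is deliberate: the attacker here already holds valid credentials, so the budget has to follow the identity. In a real deployment the bucket state lives in shared storage (not a per-process dict) and the ownership check should be a predicate in the data query itself, so no code path can fetch a record first and decide afterwards.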

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Government Facilities, Transportation, Commercial Facilities, Healthcare
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA internal research reported this vulnerability to HID.

4. MITIGATIONS

The External Visitor Management feature is licensed and deployed separately from the HID SAFE core software. Users not using this feature are not affected. According to HID Global, the number of affected systems is limited and all affected systems have been patched.

Please see HID’s security advisory for more information.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Advantech WebAccess/SCADA

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerabilities: Insufficient Type Distinction

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker full control over the supervisory control and data acquisition (SCADA) server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Advantech reports this vulnerability affects the following WebAccess/SCADA product:

WebAccess/SCADA: version 8.4.5

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT TYPE DISTINCTION CWE-351 

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. 

CVE-2023-2866 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems 
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Marlon Luis Petry reported this vulnerability to CISA.

4. MITIGATIONS

Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.

If users wish to remedy this problem in version 8.4.5, they can uninstall “WebAccess Dashboard” from the control panel and delete all of the following files:

\Inetpub\wwwroot\broadweb\WADashboard

\WebAccess\Node\WADashboardSetup.msi

Advantech released a new version V9.1.4 to address the problem by not including these files.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Moxa MXsecurity Series

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Moxa
Equipment: MXsecurity Series
Vulnerabilities: Command Injection and Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthorized user to bypass authentication or to execute arbitrary commands on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Moxa reports these vulnerabilities affect the following MXsecurity Series:

MXsecurity Series: Software v1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 COMMAND INJECTION CWE-77

A remote attacker, who has gained authorization privileges, could execute arbitrary commands on the device.

CVE-2023-33235 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

An attacker could bypass authentication for web-based application programmable interfaces (APIs).

CVE-2023-33236 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Simon Janz, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Moxa has developed a solution to address these vulnerabilities. Users should upgrade to software v1.0.1 or higher.

Users are encouraged to visit Moxa’s security advisory MPSA-230301 for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Horner Automation Cscape

1. EXECUTIVE SUMMARY

CVSS v3 7.8 
ATTENTION: Low attack complexity
Vendor: Horner Automation
Equipment: Cscape, Cscape EnvisionRV
Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read, Use After Free, Access of Uninitialized Pointer, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information and to execute arbitrary code. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Horner Automation’s Cscape are affected: 

Cscape: v9.90 SP8 
Cscape EnvisionRV: v4.70 

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-29503 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32281 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in IO_CFG. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-32289 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in Cscape!CANPortMigration. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32545 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing font files (e.g., FNT). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process. 

CVE-2023-27916 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.6 USE AFTER FREE CWE-416 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a use-after-free vulnerability. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-28653 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.7 ACCESS OF UNINITIALIZED POINTER CWE-824 

The affected product does not properly validate user-supplied data. If a user opens a maliciously formed CSP file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer. 

CVE-2023-31244 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.8 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e374b. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32203 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.9 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e3c04. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process. 

CVE-2023-32539 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.10 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process. 

CVE-2023-31278 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA. 

4. MITIGATIONS

Horner Automation recommends upgrading the following software: 

Cscape: Update to v9.90 SP9 
Cscape Envision RV: Update to v4.80 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.  

Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x Products

1. EXECUTIVE SUMMARY

CVSS v3 8.1 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: AFS65x, AFS67x, AFR67x and AFF66x series products
Vulnerabilities: Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or lead to a Denial-of-Service (DoS).  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x series products are affected: 

AFS660/665S, AFS660/665C, AFS670v2: Firmware 7.1.05 and earlier 
AFS670/675, AFR67x: Firmware 9.1.07 and earlier 
AFF660/665: Firmware 03.0.02 and earlier 
AFS65x: All versions  

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416 

The libexpat library is incorporated in the AFS, AFR and AFF product family. Versions of libexpat before 2.4.9 have a use-after-free in the doContent function in xmlparse.c. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.  

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.2 USE AFTER FREE CWE-416 

The libexpat library is incorporated in the AFS, AFR and AFF product family. In versions of libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. Successful exploitation of this vulnerability could lead to a denial-of-service condition. 

CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA. 

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:  

AFS660/665S, AFS660/665C, AFS670v2: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming 7.1.08 when available. 
AFS670/675, AFR67x: Apply mitigation strategy as described in General Mitigation Factors Section or update to 9.1.08. 
AFS65x: EoL product – only mitigation available, no remediation expected. Apply mitigation strategy as described in General Mitigation Factors Section. 
AFF660/665: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming release. 

Hitachi Energy also recommends general mitigations: 

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.  
Physically protect process control systems from direct access by unauthorized personnel. 
Ensure process control systems have no direct connections to the internet and are separated from other networks by a firewall system with a minimal number of exposed ports. 
Do not use process control systems for internet surfing, instant messaging, or receiving emails. 
Scan portable computers and removable storage media for malware prior to connection to a control system.  

For more information, see Hitachi Energy’s Security Advisory: 8DBD000149

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities.