Skip to main content
(844) 422-7000

Hitachi Energy TropOS Devices Series 1400/2400/6400

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 5.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: TropOS Devices Series 1400/2400/6400
  • Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Hitachi Energy are affected:

  • TropOS devices series 1400/2400/6400: All versions prior to 8.9.6

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

CVE-2013-5211 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Update to Version 8.9.6 or later when available
  • Hitachi Energy recommends users implement countermeasures for DoS with proper firewall rule sets and filters, as well as to apply mitigation as described in the Mitigation Factors/Workarounds
    Section.

Hitachi Energy recommends users follow recommended security practices and firewall configurations, which can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy Cybersecurity Advisory “DoS Vulnerability in Hitachi Energy’s TropOS core routers and edge nodes.”

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 17, 2024: Initial Publication

Rockwell Automation PowerMonitor 1000 Remote

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: PowerMonitor 1000 Remote
  • Vulnerabilities: Unprotected Alternate Channel, Heap-based Buffer Overflow, Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform edit operations, create admin users, perform factory reset, execute arbitrary code, or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports the following versions of PowerMonitor 1000 Remote are affected:

  • PM1k 1408-BC3A-485: Versions prior to 4.020
  • PM1k 1408-BC3A-ENT: Versions prior to 4.020
  • PM1k 1408-TS3A-485: Versions prior to 4.020
  • PM1k 1408-TS3A-ENT: Versions prior to 4.020
  • PM1k 1408-EM3A-485: Versions prior to 4.020
  • PM1k 1408-EM3A-ENT: Versions prior to 4.020
  • PM1k 1408-TR1A-485: Versions prior to 4.020
  • PM1k 1408-TR2A-485: Versions prior to 4.020
  • PM1k 1408-EM1A-485: Versions prior to 4.020
  • PM1k 1408-EM2A-485: Versions prior to 4.020
  • PM1k 1408-TR1A-ENT: Versions prior to 4.020
  • PM1k 1408-TR2A-ENT: Versions prior to 4.020
  • PM1k 1408-EM1A-ENT: Versions prior to 4.020
  • PM1k 1408-EM2A-ENT: Versions prior to 4.020

3.2 Vulnerability Overview

3.2.1 UNPROTECTED ALTERNATE CHANNEL CWE-420

A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset.

CVE-2024-12371 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12371. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in the corruption of the heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.

CVE-2024-12372 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12372. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing denial-of-service condition.

CVE-2024-12373 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12373. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Vera Mens of Claroty Research – Team82 reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.

Rockwell Automation encourages users of the affected software who are not able to upgrade to one of the corrected versions to apply security best practices, where possible.

For more information, see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 17, 2024: Initial Publication

Hitachi Energy RTU500 series CMU

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 5.9
  • ATTENTION: Exploitable remotely
  • Vendor: Hitachi Energy
  • Equipment: RTU500 series CMU
  • Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

  • RTU500 series CMU Firmware: Versions 12.0.1 through 12.0.14
  • RTU500 series CMU Firmware: Versions 12.2.1 through 12.2.11
  • RTU500 series CMU Firmware: Versions 12.4.1 through 12.4.11
  • RTU500 series CMU Firmware: Versions 12.6.1 through 12.6.9
  • RTU500 series CMU Firmware: Versions 12.7.1 through 12.7.6
  • RTU500 series CMU Firmware: Versions 13.2.1 through 13.2.6
  • RTU500 series CMU Firmware: Versions 13.4.1 through 13.4.3
  • RTU500 series CMU Firmware: Version 13.5.1

3.2 Vulnerability Overview

3.2.1 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) CWE-120

A vulnerability exists in SCI IEC 60870-5-104 and HCI IEC 60870-5-104 that affects the RTU500 series product. Specially crafted messages sent to the mentioned components are not validated properly and can result in buffer overflow and as final consequence to a reboot of an RTU500 CMU.

CVE-2023-6711 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Toralf Gimpel from GAI NetConsult GmbH reported this vulnerability to Hitachi Energy.

4. MITIGATIONS

Hitachi Energy recommends that users update to the respective series CMU firmware version as below.

  • Hitachi Energy RTU500 series CMU Firmware 12.0.15
  • Hitachi Energy RTU500 series CMU Firmware 12.2.12
  • Hitachi Energy RTU500 series CMU Firmware 12.4.12
  • Hitachi Energy RTU500 series CMU Firmware 12.6.10
  • Hitachi Energy RTU500 series CMU Firmware 12.7.7
  • Hitachi Energy RTU500 series CMU Firmware 13.2.7
  • Hitachi Energy RTU500 series CMU Firmware 13.4.4
  • Hitachi Energy RTU500 series CMU Firmware 13.5.2

Hitachi Energy recommends that users follow the “Remote Terminal Units Security Deployment Guideline” as well to apply mitigation as described below.

Hitachi Energy recommends users implementing recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy Cybersecurity Advisory “DoS Vulnerability in Hitachi Energy’s RTU500 series products”.

For additional information and support please contact your product provider or Hitachi Energy service organization at https://www.hitachienergy.com/contact-us/.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication

Schneider Electric Modicon

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Modicon M241 / M251 / M258 / LMC058
  • Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a denial-of-service and a loss of confidentiality and integrity in the controller.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that following Modicon PLCs are affected:

  • Modicon Controllers M241: All versions
  • Modicon Controllers M251: All versions
  • Modicon Controllers M258: All versions
  • Modicon Controllers LMC058: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists that could lead to a denial-of-service and a loss of confidentiality and integrity in the controller when an unauthenticated crafted Modbus packet is sent to the device.

CVE-2024-11737 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11737. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Wooyeon Jo and Irfan Ahmed of Virginia Commonwealth University reported this vulnerability to Schneider Electric.

4. MITIGATIONS

Schneider Electric is establishing a remediation plan for all future versions of Modicon M241/M251/M258/LMC058 that will include a fix for this vulnerability. They will update SEVD-2024-345-03 when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

To ensure users are informed of all updates, including details on affected products and remediation plans, Schneider Electric recommends subscription to their security notification service.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric recommended cybersecurity best practices document.

For more information, see Schneider Electric security notification “SEVD-2024-345-03 Modicon M241 / M251 / M258 / LMC058”

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 17, 2024: Initial Publication

Hitachi Energy SDM600

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 8.0
  • ATTENTION: Exploitable from adjacent network
  • Vendor: Hitachi Energy
  • Equipment: SDM600
  • Vulnerabilities: Origin Validation Error, Incorrect Authorization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and access sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Hitachi Energy SDM600: Versions prior to 1.3.4

3.2 Vulnerability Overview

3.2.1 ORIGIN VALIDATION ERROR CWE-346

A vulnerability exists in the too permissive HTTP response header web server settings of the SDM600. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information.

CVE-2024-2377 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.2.2 INCORRECT AUTHORIZATION CWE-863

A vulnerability exists in the web-authentication component of the SDM600. If exploited an attacker could escalate privileges on affected installations.

CVE-2024-2378 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • SDM600 versions below 1.3.4: Update to version 1.3.4 (Build Number 1.3.4.574).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication

Delta Electronics DTM Soft

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: DTM Soft
  • Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

  • DTM Soft: Versions 1.30 and prior

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The affected product deserializes objects, which could allow an attacker to execute arbitrary code.

CVE-2024-12677 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12677. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update DTM Soft to version 1.60.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication

Siemens User Management Component

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: User Management Component (UMC)
  • Vulnerability: Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

  • Opcenter Execution Foundation: All versions
  • Opcenter Intelligence: All versions
  • Opcenter Quality: All versions
  • Opcenter RDL: All versions
  • SIMATIC PCS neo V4.0: All versions
  • SIMATIC PCS neo V4.1: All versions
  • SIMATIC PCS neo V5.0: All versions prior to V5.0 Update 1
  • SINEC NMS: All versions
  • Totally Integrated Automation Portal (TIA Portal) V16: All versions
  • Totally Integrated Automation Portal (TIA Portal) V17: All versions
  • Totally Integrated Automation Portal (TIA Portal) V18: All versions
  • Totally Integrated Automation Portal (TIA Portal) V19: All versions

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.

CVE-2024-49775 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-49775. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tenable reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or are not yet, available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Filter the Ports 4002 and 4004 to only accept connections to/from the IP addresses of machines that run UMC and are part of the UMC network e.g. with an external firewall
  • In addition if no RT server machines are used, Port 4004 can be blocked completely.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-928984 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication

Tibbo AggreGate Network Manager

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Tibbo
  • Equipment: AggreGate Network Manager
  • Vulnerability: Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve code execution on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Tibbo products are affected:

  • Aggregate Network Manager: Versions 6.34.02 and prior

3.2 Vulnerability Overview

3.2.1 Unrestricted Upload of File with Dangerous Type CWE-434

There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.

CVE-2024-12700 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12700. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Vu Khanh Trinh (@Sonicrr) of VNPT Cyber Immunity working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Tibbo recommends users update to Versions 6.40.02, 6.34.03, or latest version.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication

Schneider Electric Accutech Manager

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Accutech Manager

  • Vulnerability: Classic Buffer Overflow

    2. RISK EVALUATION

Successful exploitation could allow an attacker to cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Schneider Electric Accutech Manager: Versions 2.08.01 and prior

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A Classic Buffer Overflow vulnerability exists that could cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP.

CVE-2024-6918 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Update Schneider Electric Accutech Manager to version 2.10.0.
  • Instructions are provided with the software installation package on how to verify software revision.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-226-01 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication

Schneider Electric Modicon Controllers

Written by on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 5.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Modicon Controllers
  • Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a victim’s browser to run arbitrary JavaScript when visiting a page containing injected payload.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Schneider Electric Modicon Controllers M258 / LMC058: All versions
  • Schneider Electric Modicon Controllers M262: Versions prior to 5.2.8.26
  • Schneider Electric Modicon Controllers M251: Versions prior to 5.2.11.24
  • Schneider Electric Modicon Controllers M241: Versions prior to 5.2.11.24

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A Cross-site Scripting  vulnerability exists  where an attacker could cause a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.

CVE-2024-6528 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, and Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M241 Firmware version 5.2.11.24 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert. Update Modicon Controller M241 to the latest Firmware and perform reboot
  • Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M251 Firmware version 5.2.11.24 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert. Update Modicon Controller M251 to the latest Firmware and perform reboot
  • Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26: Modicon Controller M262 Firmware version 5.2.8.26 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application.https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert. Update Modicon Controller M262 to the latest Firmware and perform reboot
  • Schneider Electric Modicon Controllers Version prior to v5.2.11.24, Schneider Electric Modicon Controllers M258 / LMC058 All versions , Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26, Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Users should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to port 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product specific chapters to ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-191-04 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 19, 2024: Initial Publication