View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Subnet Solutions Inc.
Equipment: PowerSYSTEM Center
Vulnerabilities: Server-Side Request Forgery (SSRF), Inefficient Regular Expression Complexity, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center are affected:

PowerSYSTEM Center: PSC 2020 v5.21.x and prior

3.2 Vulnerability Overview

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Vulnerable versions of PowerSYSTEM Center utilize Axios NPM package 0.21.0, which contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2020-28168 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Vulnerable versions of PowerSYSTEM Center utilize Axios, which is vulnerable to Inefficient Regular Expression Complexity.

CVE-2021-3749 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Vulnerable versions of PowerSYSTEM Center utilize Axios 1.5.1, which can inadvertently reveal the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

CVE-2023-45857 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions Inc. recommends users update to PowerSYSTEM Center 2020 Update 22, which can be located in the PowerSYSTEM Center by accessing Settings > Overview > Version. Users may also contact Subnet Solution’s Customer Service.

Subnet Solutions Inc. strongly recommends users update to the latest version. If this is not possible, the following paragraphs describe the security control compensation(s), mitigation(s), or workaround(s) available for identified vulnerabilities:

For all vulnerabilities, users can disable usage of previous UI extensions.
For CVE-2020-28168 and CVE-2023-45857, users can limit outbound connection requests from the PowerSYSTEM Center security zone to external websites.
For CVE-2023-45857 and CVE-2021-3749, users can disable PowerSYSTEM Center Client Access Server user’s ability to access the browser’s F12 Developer Tools to limit user ability to see HTTP headers and corresponding XSRF-TOKEN, and to manipulate requests to the PowerSYSTEM Center website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 3, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: TEM
Equipment: Opera Plus FM Family Transmitter
Vulnerabilities: Missing Authentication for Critical Function, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TEM Opera Plus FM Family Transmitter, a FM Transmitter, are affected:

Opera Plus FM Family Transmitter: Version 35.45

3.2 Vulnerability Overview

3.2.1 Missing Authentication for Critical Function CWE-306

TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server’s main interfaces and execute arbitrary code.

CVE-2024-41988 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41988. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Cross-Site Request Forgery (CSRF) CWE-352

The TEM Opera Plus FM Family Transmitter application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

CVE-2024-41987 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41987. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to TEM.

4. MITIGATIONS

TEM has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact TEM for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 03, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: DIAEnergie
Vulnerabilities: SQL Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve records or cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:

DIAEnergie: Versions v1.10.01.008 and prior.

3.2 Vulnerability Overview

3.2.1 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.

CVE-2024-43699 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43699. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause delay in the targeted product.

CVE-2024-42417 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-42417. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from Delta Electronics’ regional sales or agents.

For more information on this issue, please see the Delta product cybersecurity advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 3, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Optigo Networks
Equipment: ONS-S8 – Spectra Aggregation Switch
Vulnerabilities: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’), Weak Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, arbitrary file upload, or bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ONS-S8 – Spectra Aggregation Switch, an OT network management device, are affected:

ONS-S8 – Spectra Aggregation Switch: 1.3.7 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM (‘PHP REMOTE FILE INCLUSION’) CWE-98

The web service for ONS-S8 – Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.

CVE-2024-41925 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41925. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 WEAK AUTHENTICATION CWE-1390

The web server for ONS-S8 – Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password.

CVE-2024-45367 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45367. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Optigo Networks recommends users always use a unique management VLAN for the port on the ONS-S8 that is used to connect to OneView.

Optigo Networks also recommends users implement at least one of the following additional mitigations:

Use a dedicated NIC on the BMS computer and exclusively this computer for connecting to OneView to manage your OT network configuration.
Set up a router firewall with a white list for the devices permitted to access OneView.
Connect to OneView via secure VPN.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 1, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-F FX5-OPC
Vulnerability: NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a Denial-of-Service (DoS) condition on the product by getting a legitimate user to import a specially crafted PKCS#12 format certificate.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

MELSEC iQ-F FX5-OPC: All versions

3.2 Vulnerability Overview

3.2.1 NULL POINTER DEREFERENCE CWE-476

A Denial-of-Service (DoS) vulnerability due to NULL Pointer Dereference when processing PKCS#12 format certificate exists in OpenSSL installed on MELSEC iQ-F OPC UA Unit. Because OpenSSL does not correctly check if a certain field in the PKCS#12 format certificate is NULL, a NULL pointer dereference occurs when the field is NULL, causing the product to enter a Denial-of-Service condition.

CVE-2024-0727 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigations to minimize the risk of exploiting this vulnerability:

Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to the product, as well as to computers and network devices located within the same network as the product.
Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual. MELSEC iQ-F FX5 OPC UA Module User’s Manual “4.4 IP Filter”
Do not import untrusted certificates.

For additional details, see Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 1, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Atelmo
Equipment: Atemio AM 520 HD Full HD Satellite Receiver
Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker to execute system commands with elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Atelmo Atemio AM 520 HD, a satellite receiver, are affected:

Atemio AM 520 HD: TitanNit 2.01 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the ‘getcommand’ query within the application, allowing the attacker to gain root access.

CVE-2024-9166 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9166. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Germany
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to Atelmo.

4. MITIGATIONS

Atelmo has stated that this product has been discontinued. There are no service or support addresses that can be contacted.

For more information, contact Atelmo.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Low attack complexity
Vendor: goTenna
Equipment: Pro ATAK Plugin
Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected:

goTenna Pro ATAK Plugin: Versions 1.9.12 and prior

3.2 Vulnerability Overview

3.2.1 Weak Password Requirements CWE-521

The goTenna Pro ATAK Plugin uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.

CVE-2024-45374 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45374. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Insecure Storage of Sensitive Information CWE-922

In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.

CVE-2024-43694 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-43694. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Missing Support for Integrity Check CWE-353

The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.

CVE-2024-43108 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).

A CVSS v4 score has also been calculated for CVE-2024-43108. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 Cleartext Transmission of Sensitive Information CWE-319

The goTenna Pro ATAK Plugin does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.

CVE-2024-45838 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45838. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338

The goTenna Pro ATAK Plugin does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.

CVE-2024-45723 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45723. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.6 Weak Authentication CWE-1390

In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.

CVE-2024-41722 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41722. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Insertion of Sensitive Information Into Sent Data CWE-201

The goTenna Pro ATAK Plugin broadcast key name is always sent unencrypted and could reveal the location of operation.

CVE-2024-41931 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41931. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Observable Response Discrepancy CWE-204

The goTenna Pro ATAK Plugin has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.

CVE-2024-41715 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41715. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Insertion of Sensitive Information Into Sent Data CWE-201

goTenna Pro ATAK Plugin by default enables frequent unencrypted Position, Location and Information (PLI) transmission. This transmission is done without user’s knowledge, revealing the exact location transmitted in unencrypted form.

CVE-2024-43814 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-43814. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services and Facilities
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.

4. MITIGATIONS

goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

ATAK Plugin: v2.0.7 or greater

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Low attack complexity
Vendor: goTenna
Equipment: Pro series
Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro series, mesh networking device, are affected:

goTenna Pro App: versions 1.6.1 and prior

3.2 Vulnerability Overview

3.2.1 Weak Password Requirements CWE-521

The goTenna Pro series uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.

CVE-2024-47121 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47121. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Insecure Storage of Sensitive Information CWE-922

In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.

CVE-2024-47122 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47122. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Missing Support for Integrity Check CWE-353

The goTenna Pro series use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.

CVE-2024-47123 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).

A CVSS v4 score has also been calculated for CVE-2024-47123. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 Cleartext Transmission of Sensitive Information CWE-319

The goTenna pro series does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.

CVE-2024-47124 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47124. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Improper Restriction of Communication Channel to Intended Endpoints CWE-923

The goTenna Pro series does not authenticate public keys which allows an unauthenticated attacker to intercept and manipulate messages.

CVE-2024-47125 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47125. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338

The goTenna Pro series does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.

CVE-2024-47126 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47126. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Weak Authentication CWE-1390

In the goTenna Pro there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.

CVE-2024-47127 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47127. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Insertion of Sensitive Information Into Sent Data CWE-201

The goTenna Pro broadcast key name is always sent unencrypted and could reveal the location of operation.

CVE-2024-47128 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47128. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Observable Response Discrepancy CWE-204

The goTenna Pro has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.

CVE-2024-47129 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47129. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.10 Missing Authentication for Critical Function CWE-306

The goTenna Pro series allows unauthenticated attackers to remotely update the local public keys used for P2P and Group messages.

CVE-2024-47130 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47130. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services, and Facilities
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.

4. MITIGATIONS

goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

Android Pro: v2.0.3 or greater
iOS Pro users please contact goTenna so they can push this update directly to users.

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: ADAM-5630
Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user’s session, perform cross-site request forgery, or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech’s ADAM are affected:

Advantech ADAM-5630: versions prior to v2.5.2

3.2 Vulnerability Overview

3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539

Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.

CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39275. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

CVE-2024-28948 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28948. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 WEAK ENCODING FOR PASSWORD CWE-261

User credentials are shared in plain text, between the device and the user source device, during the login process.

CVE-2024-34542 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-34542. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The device has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands.

CVE-2024-39364 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39364. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.

4. MITIGATIONS

Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: ADAM-5550
Vulnerabilities: Weak Encoding for Password, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the easily decodable credentials of a legitimate user to gain full access to the device and could plant malicious code on the web page of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech’s ADAM, are affected:

Advantech ADAM 5550: All versions

3.2 Vulnerability Overview

3.2.1 WEAK ENCODING FOR PASSWORD CWE-261

User credentials are shared with a low level of encryption, consisting of base 64 encoding.

CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Advantech ADAM 5550’s web application includes a “logs” page where all the HTTP requests received are displayed to the user. The device doesn’t correctly neutralize malicious code when parsing HTTP requests to generate page output.

CVE-2024-38308 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38308. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.

4. MITIGATIONS

ADAM-5550 is currently being phased out, and Advantech strongly recommends all ADAM-5550 users upgrade to ADAM-5630 firmware version 2.5.2 or higher.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

September 26, 2024: Initial Publication