View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Viessmann Climate Solutions SE
Equipment: Vitogate 300
Vulnerabilities: Use of Hard-coded Credentials, Forced Browsing, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Viessmann Climate Solutions SE Vitogate 300, a solution to connecting boilers and heat pumps to a building management system, are affected:

Viessmann Vitogate 300: Versions 2.1.3.0 and prior

3.2 Vulnerability Overview

3.2.1 Use of Hard-coded Credentials CWE-798

In Viessmann Vitogate 300 versions 2.1.3.0 and prior there is a vulnerability that affects the function isValidUser of the file /cgi-bin/vitogate.cgi of the component Web Management Interface. The manipulation leads to use of hard-coded password.

CVE-2023-5222 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5222. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Direct Request (‘Forced Browsing’) CWE-425

In Viessmann Vitogate 300 versions 2.1.3.0 and prior there is a vulnerability in some unknown functionality of the file /cgi-bin/. The manipulation leads to direct request.

CVE-2023-5702 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5702. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) CWE-77

In Viessman Vitogate 300 versions 2.1.3.0 and prior, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.

CVE-2023-45852 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-45852. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide

COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by ByteHunter and reported it to Viessmann.

4. MITIGATIONS

Viessmann Climate Solutions SE recommends customers update to version 3.0.0.0 to fix these vulnerabilities. The software is available to download at their (website)

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 10, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: SequenceManager
Vulnerabilities: Unquoted Search Path or Element

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SequenceManager, a logix controller-based batch and sequencing solution, are affected:

SequenceManager: Versions prior to 2.0

3.2 Vulnerability Overview

3.2.1 Unquoted Search Path or Element CWE-428

An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted.

CVE-2024-4609 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4609. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users upgrade to version 2.0 or greater.

There is no fix available for these vulnerabilities in the affected software versions prior to v2.0. Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 10, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: iniNet Solutions GmbH
Equipment: SpiderControl SCADA Web Server
Vulnerabilities: Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to log in or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SpiderControl, an HMI program, are affected:

SpiderControl SCADA Web Server: Versions v2.09 and prior

3.2 Vulnerability Overview

3.2.1 Unrestricted Upload of File with Dangerous Type CWE-434

SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication.

CVE-2024-8232 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-8232. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

elcazators ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc reported this vulnerability to CERT/CC.

4. MITIGATIONS

IniNet Solutions has released a new version of SpiderControl SCADA Server, (3.2.2), to address this issue. It can be found at the following location: https://spidercontrol.net/download/download-area-2/?lang=en

IniNet Solutions reminds users that the webserver is designed to be used in a protected environment. IniNet Solutions GmbH recommends that users never connect control system software directly to the Internet. If a user must connect to the Internet, IniNet Solutions GmbH recommends using a managed infrastructure to do so.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 10, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Low attack complexity
Vendor: Hughes Network Systems
Equipment: WL3000 Fusion Software
Vulnerabilities: Insufficiently Protected Credentials, Missing Encryption of Sensitive Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain read-only access to network configuration information and terminal configuration data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hughes Network Systems work streams are affected:

WL3000 Fusion Software: Versions prior to 2.7.0.10

3.2 Vulnerability Overview

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Credentials to access device configuration information stored unencrypted in flash memory. These credentials would allow read-only access to network configuration information and terminal configuration data.

CVE-2024-39278 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-39278. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Credentials to access device configuration were transmitted using an unencrypted protocol. These credentials would allow read-only access to network configuration information and terminal configuration data.

CVE-2024-42495 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-42495. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Information Technology
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous researcher reported these vulnerabilities to CISA.

4. MITIGATIONS

Hughes Network Systems has patched the vulnerabilities, which requires no action by the user. Any questions or concerns should be directed to Hughes Network Systems customer support.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

August 5, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: LOYTEC electronics GmbH
Equipment: LINX series
Vulnerabilities: Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Cleartext Storage of Sensitive Information, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or make modifications to an affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Loytec products are affected:

LINX-151: All versions
LINX-212: All versions
LVIS-3ME12-A1: All versions
LIOB-586: All versions
LIOB-580 V2: All versions
LIOB-588: All versions
L-INX Configurator: All versions

3.2 Vulnerability Overview

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices send password-change requests via cleartext HTTP.

CVE-2023-46380 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46380. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices lack authentication for the preinstalled version of LWEB-802 via an lweb802_pre/ URI. An unauthenticated attacker can edit any project (or create a new project) and control its GUI.

CVE-2023-46381 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2023-46381 . A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices use cleartext HTTP for login.

CVE-2023-46382 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46382. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LOYTEC electronics GmbH LINX Configurator 7.4.10 uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the password and gain full control of LOYTEC device configuration.

CVE-2023-46383 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-46383. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to insecure permissions. Cleartext storage of credentials allows remote attackers to disclose admin password and bypass an authentication to log in.

CVE-2023-46384 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46384. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.6 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions. An admin credential is passed as a value of URL parameters without encryption, so it allows remote attackers to steal the password and gain full control of LOYTEC device configuration.

CVE-2023-46385 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46385. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.7 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to insecure permissions via registry.xml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication.

CVE-2023-46386 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46386. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.8 IMPROPER ACCESS CONTROL CWE-284

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to incorrect access control via dpal_config.zml file. This vulnerability allows remote attackers to disclose sensitive information on LOYTEC device data point configuration.

CVE-2023-46387 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46387. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

LOYTEC electronics GmbH LINX-212 6.2.4 and LINX-151 7.2.4 are vulnerable to insecure permissions via dpal_config.zml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication.

CVE-2023-46388 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46388. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L).

3.2.10 IMPROPER ACCESS CONTROL CWE-284

LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to incorrect access control via registry.xml file. This vulnerability allows remote attackers to disclose sensitive information on LINX configuration.

CVE-2023-46389 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46389. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Austria

3.4 RESEARCHER

Chizuru Toyama of TXOne Networks reported these vulnerabilities to CISA.

4. MITIGATIONS

LOYTEC recommends users of the affected products to update to version 8.2.8. Additionally, LOYTEC recommends the following actions:

For CVE-2023-46380, CVE-2023-46382, CVE-2023-46383,CVE-2023-46385: Disable HTTP on the LOYTEC device as recomended by LOYTEC’s security hardening guide.
For CVE-2023-4638: Upgrade to latest firmware. Permissions on LWEB projects have been hardened.
For CVE-2023-46387, CVE-2023-46389: Current firmware protects registry.xml and dpal_config.zml by admin access. Upgrade to latest firmware.
For CVE-2023-46384: Patch will be published in LINX Configurator.
For CVE-2023-46386, CVE-2023-46388: LINX firmware will implement encrypted storage of SMTP credentials. Patch will be published as LINX firmware upgrade.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 3, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: DTN Soft
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics DTN Soft, a temperature control, are affected:

DTN Soft: Version 2.0.1 and prior

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability.

CVE-2024-8255 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8255. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends that users update DTN Soft to DTN Soft v2.1.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

August 29, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager ThinServer
Vulnerabilities: Improper Privilege Management, Incorrect Permission Assignment for Critical Resource, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files and execute arbitrary code with system privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ThinManager ThinServer, a client management software, are affected:

ThinManager ThinServer: Versions 11.1.0 to 11.1.7
ThinManager ThinServer: Versions 11.2.0 to 11.2.8
ThinManager ThinServer: Versions 12.0.0 to 12.0.6
ThinManager ThinServer: Versions 12.1.0 to 12.1.7
ThinManager ThinServer: Versions 13.0.0 to 13.0.4
ThinManager ThinServer: Versions 13.1.0 to 13.1.2
ThinManager ThinServer: Versions 13.2.0 to 13.2.1

3.2 Vulnerability Overview

3.2.1 Improper Privilege Management CWE-269

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer service to read arbitrary files by creating a junction that points to the target directory.

CVE-2024-7986 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-7986. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Incorrect Permission Assignment for Critical Resource CWE-732

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer service by creating a junction and use it to upload arbitrary files.

CVE-2024-7987 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7987. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:).

3.2.3 Improper Input Validation CWE-20

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVE-2024-7988 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7988. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Nicholas Zubrisky (@NZubrisky) of Trend Micro reported these vulnerabilities to Rockwell Automation .

4. MITIGATIONS

Rockwell Automation has created new software versions to address these issues. Users are encouraged to update their software to one of the following versions (or newer): 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, 13.2.2

Rockwell Automation encourages users with the affected software to implement their suggested security best practices to minimize the risk of vulnerability.

Security Best Practices

For more information see the Rockwell Automation Security Advisory SD1692.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 29, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Avtec
Equipment: Outpost 0810, Outpost Uploader Utility
Vulnerability: Storage of File with Sensitive Data Under Web Root, Use of Hard-coded Cryptographic Key

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges on the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Avtec products are affected:

Outpost 0810: Versions prior to v5.0.0
Outpost Uploader Utility: Versions prior to v5.0.0

3.2 Vulnerability Overview

3.2.1 STORAGE OF FILE WITH SENSITIVE DATA UNDER WEB ROOT CWE-219

Avtec Outpost stores sensitive information in an insecure location without proper access controls in place.

CVE-2024-39776 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-39776. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

Avtec Outpost uses a default cryptographic key that can be used to decrypt sensitive information

CVE-2024-42418 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for  CVE-2024-42418. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications Sector
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Jonathan Fournier of Field Effect reported these vulnerabilities to CISA.

4. MITIGATIONS

Avtec recommends users update to Outpost v5.0 to resolve.

When upgrading to Outpost Version 5.0.0 or later, reset the list of users to the default. More information and instructions can be found on Avtec’s Outpost Uploader Utility User Guide for more information.
Restrict access to port 80 or disable web interface if possible.

Additionally, Avtec recommends checking devices for Scout firmware versions prior to 5.8.1, which was commonly coupled with Outpost firmware. If so, the devices may also need to be updated to the latest firmware. For more information, please visit Scout Release Notes.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 22, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: MOBOTIX
Equipment: P3 Cameras, Mx6 Cameras
Vulnerability: Improper Neutralization of Expression/Command Delimiters

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of MOBOTIX are affected:

P3 D24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 Q24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 T24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D14Di: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 S14: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 V14D: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 i25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 c25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 p25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 v25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 Q25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 T25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D15Di: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M15: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M15-Thermal: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 S15: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 V15D: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
Mx6 D16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 M16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 S16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 V16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 D26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 M26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 Q26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 S26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 T26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 c26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 i26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 p26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 v26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF EXPRESSION/COMMAND DELIMITERS CWE-146

The tcpdump feature does not properly validate input, which allows authenticated users to execute code.

CVE-2023-34873 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-34873. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by mrgedik.

BSI reported the vulnerability to MOBOTIX and supported the coordination.

4. MITIGATIONS

MOBOTIX has identified the following specific workarounds and mitigations users can apply to reduce risk:

Update P3 cameras to firmware version MX-V4.7.2.18 or later that includes a fixed version of the vulnerability.
Update Mx6 cameras to firmware version MX-V5.2.0.61 or later that includes a fixed version of the vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 22, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 5015 – AENFTXT
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation 5015 – AENFTXT, a part of the FLEXHA 5000 I/O Modules, are affected:

5015 – AENFTXT: Version 2.011

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

An input validation vulnerability exists in the affected products when a manipulated PTP packet is sent, causing the secondary adapter to result in a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.

CVE-2024-6089 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6089. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation encourages users of the affected software to apply the following risk mitigations, if possible:

Update to the corrected firmware revision, v2.012.
For information on how to mitigate Security Risks on industrial automation control systems, Rockwell Automation encourages users to implement suggested security best practices to minimize the risk of the vulnerability.

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

For more information see the Rockwell Automation Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 22, 2024: Initial Publication