Posts Page - CloudCentric

Mitsubishi Electric MELIPC Series MI5122-VW

Written by on July 9, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Low attack complexity
Vendor: Mitsubishi Electric
Equipment: MI5122-VW
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to tamper with, destroy, disclose, or delete information in the product, or cause a denial-of-service (DoS) condition on the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELIPC Series MI5122-VW, an industrial PC, are affected:

MI5122-VW: Firmware versions “05” up to and including “07”

3.2 Vulnerability Overview

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

In Mitsubishi Electric MELIPC Series MI5122-VWA firmware versions “05” up to and including “07”, a local attacker may execute arbitrary code by saving a malicious file to a specific folder. As a result, the attacker may disclose, tamper with, destroy or delete information in the product, or cause a denial-of-service (DoS) condition on the product.

CVE-2024-3904 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has fixed the vulnerability in the following products:

MI5122-VW: firmware versions “08” or later

Customers using the affected product should take workarounds and mitigations in Mitsubishi Electric advisory 2024-003, because updating the product to the fixed version is not available.

Please refer to Mitsubishi Electric’s user manual for how to check the firmware version.

MELIPC MI5000 Series User’s Manual (Startup) “Appendix 17 Checking Production Information and Firmware Version”

The manuals for Mitsubishi products are available for download from Mitsubishi Electric’s website.

For more information, contact Mitsubishi Electric.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

July 09, 2024: Initial Publication

mySCADA myPRO

Written by on July 2, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: mySCADA
Equipment: myPRO
Vulnerability: Use of Hard-coded Password

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to remotely execute code on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following mySCADA products are affected:

myPRO: Versions prior to 8.31.0

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED PASSWORD CWE-259

The affected application uses a hard-coded password which could allow an attacker to remotely execute code on the affected device.

CVE-2024-4708 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4708. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Czech Republic

3.4 RESEARCHER

Nassim Asrir working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

mySCADA recommends updating myPRO to v8.31.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

July 2, 2024: Initial Publication

Johnson Controls Kantech Door Controllers

Written by on July 2, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 3.1
ATTENTION: Exploitable via adjacent network
Vendor: Johnson Controls, Inc.
Equipment: Kantech KT1, KT2, KT400 Door Controllers
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products by Kantech, a subsidiary of Johnson Controls, are affected:

Kantech KT1 Door Controller Rev01: Versions 2.09.01 and prior
Kantech KT2 Door Controller Rev01: Versions 2.09.01 and prior
Kantech KT400 Door Controller Rev01: Versions 3.01.16 and prior

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Under certain circumstances, when the controller is in factory reset mode waiting for initial setup, it will broadcast its MAC address, serial number, and firmware version. Once configured, the controller will no longer broadcast this information.

CVE-2024-32754 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

National Computer Emergency Response Team (CERT) of India reported this vulnerability to Johnson Controls.

4. MITIGATIONS

Johnson Controls recommends users update Kantech door controllers as follows:

Update Kantech KT1 Door Controller to at least version 3.10.12
Update Kantech KT2 Door Controller to at least version 3.10.12
Update Kantech KT400 Door Controller to at least version 3.03

For more detailed mitigation instructions, see Johnson Controls Product Security Advisory JCI-PSA-2024-13 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

July 2, 2024: Initial Publication

ICONICS and Mitsubishi Electric Products

Written by on July 2, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.0
ATTENTION: Exploitable remotely
Vendor: ICONICS, Mitsubishi Electric
Equipment: ICONICS Product Suite
Vulnerabilities: Allocation of Resources Without Limits or Throttling, Improper Neutralization, Uncontrolled Search Path Element, Improper Authentication, Unsafe Reflection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in denial of service, improper privilege management, or potentially remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ICONICS reports that the following versions of ICONICS Product Suite are affected:

ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.2 (CVE-2022-2650, CVE-2023-4807)
AlarmWorX Multimedia (AlarmWorX64 MMX): All versions prior to 10.97.3 (CVE-2024-1182)
MobileHMI: All versions prior to 10.97.3 (CVE-2024-1573)
ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: All versions prior to 10.97.3 (CVE-2024-1574)

3.2 Vulnerability Overview

3.2.1 Allocation of Resources Without Limits or Throttling CWE-770

A denial-of-service vulnerability due to an allocation of resources without limits or throttling.

CVE-2022-2650 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.2 Improper Neutralization CWE-707

A bug in OpenSSL that might corrupt the internal state of the application on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.

CVE-2023-4807 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 Uncontrolled Search Path Element CWE-427

An uncontrolled search path element in the AlarmWorX64 MMX Pager agent can provide the potential for DLL hijacking.

CVE-2024-1182 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 Improper Authentication CWE-287

The GENESIS64 Automatic Login feature, when used with MobileHMI in a certain specific condition, can result in improper privileges being given to a non-logged-in user.

CVE-2024-1573 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.5 Unsafe Reflection CWE-470

Use of externally-controlled input to select classes or code (‘Unsafe Reflection’) condition in the licensing service (used by ICONICS licensing) can result in an improper authorization condition.

CVE-2024-1574 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

3.4 RESEARCHER

Asher Davila of Palo Alto Networks reported AlarmWorX64 MMX Pager Agent vulnerability to ICONICS.

4. MITIGATIONS

Versions 10.97.3 and later have mitigations for these vulnerabilities. ICONICS recommends that users of its products take the following mitigation steps:

Use the 10.97.3 version.
If planning to use the AlarmWorX64 MMX Pager agent, follow the guidelines provided in the ICONICS Whitepaper on Security Vulnerabilities June 2024 edition.

ICONICS and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).

ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the ICONICS Whitepaper on Security Vulnerabilities, the most recent version of which can be found here, and to the Mitsubishi Electric security advisory for information on the availability of the security updates.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

July 2, 2024: Initial Publication

Johnson Controls Illustra Essentials Gen 4

Written by on June 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls, Inc.
Equipment: Illustra Essentials Gen 4
Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to gain access to Linux user credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essential Gen 4 IP cameras are affected:

Illustra Essential Gen 4: version Illustra.Ess4.01.02.10.5982 and prior

3.2 Vulnerability Overview

3.2.1 Insertion of Sensitive Information into Log File CWE-532

Under certain circumstances, unnecessary user details are provided within system logs

CVE-2024-32757 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users upgrade cameras to Illustra.Ess4.01.02.13.6953. For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-10 v1

Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at the Johnson Controls product security website

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 27, 2024: Initial Publication

Johnson Controls Illustra Essentials Gen 4

Written by on June 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely
Vendor: Johnson Controls, Inc.
Equipment: Illustra Essentials Gen 4
Vulnerability: Storing Passwords in a Recoverable Format

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to recover credentials for other Linux users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essential Gen 4, an IP camera, are affected:

Illustra Essentials Gen 4: versions up to Illustra.Ess4.01.02.10.5982

3.2 Vulnerability Overview

3.2.1 Storing Passwords in a Recoverable Format CWE-257

Under certain circumstances the Linux users credentials may be recovered by an authenticated user.

CVE-2024-32756 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls.

4. MITIGATIONS

Johnson Controls recommends users upgrade camera to Illustra.Ess4.01.02.13.6953
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-07 v1.

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA provides a section for control systems security recommended practices on the ICS web page on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Further ICS security notices and product security guidance are located at Johnson Controls’ product security website

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

June 27, 2024: Initial Publication

Yokogawa FAST/TOOLS and CI Server

Written by on June 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Yokogawa
Equipment: FAST/TOOLS and CI Server
Vulnerabilities: Cross-site Scripting, Empty Password in Configuration File

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to launch a malicious script and take control of affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Yokogawa FAST/TOOLS and CI Server, SCADA software environments, are affected:

FAST/TOOLS RVSVRN Package: Versions R9.01 through R10.04
FAST/TOOLS UNSVRN Package: Versions R9.01 through R10.04
FAST/TOOLS HMIWEB Package: Versions R9.01 through R10.04
FAST/TOOLS FTEES Package: Versions R9.01 through R10.04
FAST/TOOLS HMIMOB Package: Versions R9.01 through R10.04
CI Server: Versions R1.01.00 through R1.03.00

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

The affected product’s WEB HMI server’s function to process HTTP requests has a security flaw (reflected XSS) that allows the execution of malicious scripts. Therefore, if a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC.

CVE-2024-4105 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-4105. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Empty Password in Configuration File CWE-258

The affected products have built-in accounts with no passwords set. Therefore, if the product is operated without a password set by default, an attacker can break into the affected product.

CVE-2024-4106 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

A CVSS v4 score has also been calculated for CVE-2024-4106. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Yokogawa reported these vulnerabilities to CISA.

4. MITIGATIONS

Yokogawa recommends customers using FAST/TOOLS to update to R10.04 and first apply patch software R10.04 SP3 and afterwards apply patch software I12560.

Yokogawa recommends customers using Collaborative Information Server (CI Server) to update to R1.03.00 and apply patch software R10.04 SP3.

For both platforms, if the password for the default account has not been changed, please change that password according to the documentation included with the patch software.

Yokogawa strongly recommends all customers to establish and maintain a full security program, not only for the vulnerability identified in this YSAR. Security program components are: Patch updates, Anti-virus, Backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.

For questions related to this report, please contact Yokogawa.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 27, 2024: Initial Publication

Johnson Controls Illustra Essentials Gen 4

Written by on June 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow web interface user’s credentials to be recovered by an authenticated user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of Illustra Essentials IP cameras are affected:

Illustra Essential Gen 4: versions Illustra.Ess4.01.02.10.5982 and prior

3.2 Vulnerability Overview

3.2.1 Storing Passwords in a Recoverable Format CWE-257

Under certain circumstances, the web interface users credentials may be recovered by an authenticated user.

CVE-2024-32932 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends that users upgrade cameras to Illustra.Ess4.01.02.13.6953.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-08 v1 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Johnson Controls recommends taking steps to minimize risks to all building automation systems. Further ICS security notices and product security guidance are located at Johnson Controls product security website: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 27, 2024: Initial Publication

SDG Technologies PnPSCADA

Written by on June 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SDG Technologies
Equipment: PnPSCADA
Vulnerability: Missing Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SDG Technologies PnPSCADA, a web-based SCADA HMI, are affected:

PnPSCADA: Versions prior to 4

3.2 Vulnerability Overview

3.2.1 MISSING AUTHORIZATION CWE-862

SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

CVE-2024-2882 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-2882 has been assigned to this vulnerability. A CVSS v4 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Africa

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS

SDG Technologies recommends that users use the updated PnPSCADA 4.

For more information about PnPSCADA 4 contact SDG Technologies.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 27, 2025: Initial Publication

TELSAT marKoni FM Transmitter

Written by on June 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: marKoni
Equipment: Markoni-D (Compact) FM Transmitters, Markoni-DH (Exciter+Amplifiers) FM Transmitters
Vulnerabilities: Command Injection, Use of Hard-coded Credentials, Use of Client-Side Authentication, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to tamper with the product to bypass authentication or perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TELSAT marKoni FM Transmitters are affected:

Markoni-D (Compact) FM Transmitters: All versions prior to 2.0.1
Markoni-DH (Exciter+Amplifiers) FM Transmitters: All versions prior to 2.0.1

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

TELSAT marKoni FM Transmitters are vulnerable to a command injection vulnerability through the manipulation of settings and could allow an attacker to gain unauthorized access to the system with administrative privileges.

CVE-2024-39373 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39373. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials.

CVE-2024-39374 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39374. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF CLIENT-SIDE AUTHENTICATION CWE-603

TELSAT marKoni FM Transmitters are vulnerable to an attacker bypassing authentication and gaining administrator privileges.

CVE-2024-39375 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39375. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER ACCESS CONTROL CWE-284

TELSAT marKoni FM Transmitters are vulnerable to users gaining unauthorized access to sensitive information or performing actions beyond their designated permissions.

CVE-2024-39376 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39376. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to marKoni.

4. MITIGATIONS

Markoni has released the following version to remediate these vulnerabilities:

TELSAT marKoni FM Transmitter: Version 2.0.1.

For more information, contact Markoni.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 27, 2024: Initial Publication