Skip to main content
(844) 422-7000

Siemens ST7 ScadaConnect

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: ST7 ScadaConnect
Vulnerabilities: Integer Overflow or Wraparound, Double Free, Improper Certificate Validation, Inefficient Regular Expression Complexity, Improper Check for Unusual or Exceptional Conditions, Improper Input Validation, NULL Pointer Dereference, Missing Encryption of Sensitive Data, Improper Restriction of Operations within the Bounds of a Memory Buffer, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information, cause a denial-of-service (DoS) condition, or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products, are affected:

Siemens ST7 ScadaConnect (6NH7997-5DA10-0AA0): Versions prior to 1.1

3.2 Vulnerability Overview

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

CVE-2022-40303 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

CVE-2022-40304 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER CERTIFICATE VALIDATION CWE-295

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0464 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 IMPROPER CERTIFICATE VALIDATION CWE-295

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.

CVE-2023-0465 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.5 IMPROPER CERTIFICATE VALIDATION CWE-295

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()function.Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

CVE-2023-0466 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.6 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial-of-Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus (‘p’ parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial-of-Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the ‘-check’ option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

CVE-2023-3446 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.7 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial-of-Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn’t make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn’t check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial-of-Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the “-pubcheck” option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

CVE-2023-5678 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-21808 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE-2023-24895 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE-2023-24897 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-24936 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.12 IMPROPER INPUT VALIDATION CWE-20

.NET DLL Hijacking Remote Code Execution Vulnerability

CVE-2023-28260 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.13 NULL POINTER DEREFERENCE CWE-476

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

CVE-2023-28484 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.14 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Denial-of-Service Vulnerability

CVE-2023-29331 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.15 DOUBLE FREE CWE-415

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the ” value).

CVE-2023-29469 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.16 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-32032 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H).

3.2.17 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-33126 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.18 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-33127 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.19 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-33128 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.20 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-33135 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.21 IMPROPER INPUT VALIDATION CWE-20

ASP.NET and Visual Studio Security Feature Bypass Vulnerability

CVE-2023-33170 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.22 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-35390 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.23 IMPROPER INPUT VALIDATION CWE-20

ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability

CVE-2023-35391 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.24 IMPROPER INPUT VALIDATION CWE-20

ASP.NET Core Denial-of-Service Vulnerability

CVE-2023-36038 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.25 IMPROPER INPUT VALIDATION CWE-20

.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

CVE-2023-36049 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L).

3.2.26 IMPROPER INPUT VALIDATION CWE-20

Microsoft QUIC Denial-of-Service Vulnerability

CVE-2023-36435 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.27 IMPROPER INPUT VALIDATION CWE-20

ASP.NET Core – Security Feature Bypass Vulnerability

CVE-2023-36558 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.28 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36792 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.29 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36793 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.30 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36794 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.31 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36796 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.32 IMPROPER INPUT VALIDATION CWE-20

.NET Core and Visual Studio Denial-of-Service Vulnerability

CVE-2023-36799 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.33 IMPROPER INPUT VALIDATION CWE-20

Microsoft QUIC Denial-of-Service Vulnerability

CVE-2023-38171 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.34 IMPROPER INPUT VALIDATION CWE-20

.NET Core and Visual Studio Denial-of-Service Vulnerability

CVE-2023-38178 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.35 IMPROPER INPUT VALIDATION CWE-20

.NET and Visual Studio Denial-of-Service Vulnerability

CVE-2023-38180 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.36 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial-of-Service (DoS) via supplying a crafted XML file. NOTE: the vendor’s position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVE-2023-39615 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.37 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The HTTP/2 protocol allows a denial-of-service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-44487 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

ST7 ScadaConnect (6NH7997-5DA10-0AA0): Update to V1.1 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-341067 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 13, 2024: Initial Publication

Intrado 911 Emergency Gateway

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Intrado
Equipment: 911 Emergency Gateway (EGW)
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Intrado’s 911 Emergency Gateway are affected:

911 Emergency Gateway (EGW): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.

CVE-2024-1839 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-1839. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/S:P/AU:Y/R:U/V:C).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Emergency Services
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous individual reported this vulnerability to CISA.

4. MITIGATIONS

Intrado has provided a patch to mitigate the vulnerability. Any EGWs deployed on older revisions will need to be upgraded to the 5.5/5.6 branch to apply the patch. For assistance in obtaining the patch, contact Intrado’s technical support group at 1-888-908-4167 or E911Support@intrado.com.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication

AVEVA PI Web API

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AVEVA
Equipment: PI Web API
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Web API, a RESTful interface to the PI system, are affected:

AVEVA PI Web API: Versions 2023 and prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.

CVE-2024-3468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-3468. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:

From OSI Soft Customer Portal, search for “PI Web API” and select version “2023 SP1” or later.

(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03

AVEVA further recommends users follow general defensive measures:

Set “DisableWrites” configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.
Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.
Limit AF Servers’ Administrators, so that most of the PI Web API user accounts don’t have the permission to change the backend AF servers.

For additional information please refer to AVEVA-2024-003

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication

Rockwell Automation ControlLogix, GuardLogix, and CompactLogix

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.3
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix, GuardLogix, CompactLogix
Vulnerability: Always-Incorrect Control Flow Implementation

2. RISK EVALUATION

Successful exploitation of this vulnerability could compromise the availability of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following controllers are affected:

ControlLogix 5580: V34.011
GuardLogix 5580: V34.011
1756-EN4: V4.001
CompactLogix 5380: V34.011
Compact GuardLogix 5380: V34.011
CompactLogix 5380: V34.011
ControlLogix 5580: V34.011
CompactLogix 5480: V34.011

3.2 Vulnerability Overview

3.2.1 Always-Incorrect Control Flow Implementation CWE-670

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.

CVE-2024-5659 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5659. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation offers users the following solutions:

ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
GuardLogix 5580: corrected in V34.014, V35.013, V36.011 and later
1756-EN4: corrected in V6.001 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5480: corrected in V34.014, V35.013, V36.011 and later

Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.

Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.
Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique
Security Best Practices

For more information, see Rockwell Automation’s security advisory

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication

AVEVA PI Asset Framework Client

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Low attack complexity
Vendor: AVEVA
Equipment: PI Asset Framework Client
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow malicious code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected:

PI Asset Framework Client: 2023
PI Asset Framework Client: 2018 SP3 P04 and all prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.

CVE-2024-3467 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3467. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:

(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:
From OSI Soft Customer Portal, search for “Asset Framework” and select “PI Asset Framework (AF) Client 2023 Patch 1” or later.
(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:
From OSI Soft Customer Portal, search for “Asset Framework” and select either “PI Asset Framework (AF) Client 2018 SP3 Patch 5” or later.

AVEVA further recommends users follow general defensive measures:

Run PI System Explorer as a least privilege interactive account when possible.
Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.

For additional information please refer to AVEVA-2024-004

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

June 11, 2024: Initial Publication

Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: CC-Link IE TSN Industrial Managed Switch
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a temporary denial-of service (DoS) condition in the web service on the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CC-Link IE TSN Industrial Managed Switch are affected:

NZ2MHG-TSNT8F2: Versions 05 and prior
NZ2MHG-TSNT4: Versions 05 and prior

3.2 Vulnerability Overview

3.2.1 Allocation of Resources Without Limits or Throttling CWE-770

Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch has an OpenSSL vulnerability that allows an attacker to cause a temporary denial-of service (DoS) condition on the web service of the product by getting a legitimate administrator user to import specially crafted certificate that makes the product experience notable to very long delays.

CVE-2023-2650 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated forCVE-2023-2650. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends users to update to the fixed versions by following the steps below.

[Fixed versions]

CC-Link IE TSN Industrial Managed Switch NZ2MHG-TSNT8F2: Version “06” or later
CC-Link IE TSN Industrial Managed Switch NZ2MHG-TSNT4: Version “06” or later

[Update steps]

Contact your local Mitsubishi Electric representative to obtain the fixed firmware version file for CC-Link IE TSN Industrial Managed Switch.
After logging into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, update the firmware to the fixed firmware version file mentioned in the above (1) by the function of [System] -> [System Management] -> [Firmware Upgrade] from Function menu. For the detailed procedures, please refer to “CC-Link IE TSN Industrial Managed Switch User’s Manual (SH-082449ENG)”.

Mitsubishi Electric recommends that customers take the following mitigations to minimize the risk of exploiting this vulnerability:

When internet access is required, use a virtual private network (VPN) or other means to prevent unauthorized access.
Use the products within a LAN and block access from untrusted networks and hosts.
Restrict physical access to the product and your computer and network equipment on the same network.
After you log into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, change user name and password from default setting at [Account Management] displayed on the function menu. Also, set the proper access permissions for the users.

For additional information see Mitsubishi Electric advisory 2024-002

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 6, 2024: Initial Publication

Johnson Controls Software House iStar Pro Door Controller

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls Inc.
Equipment: Software House iStar Pro Door Controller, ICU
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to perform a machine-in-the-middle attack to inject commands which change configuration or initiate manual door control commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following products are affected:

Software House iStar Pro Door Controller: All versions
ICU: version 6.9.2.25888 and prior

3.2 Vulnerability Overview

3.2.1 Missing Authentication for Critical Function CWE-306

Under certain circumstances, communication between the ICU tool and an iStar Pro door controller is susceptible to machine-in-the-middle attacks which could impact door control and configuration.

CVE-2024-32752 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-32752. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

The iSTAR Pro controller has reached its end-of-support period and no further firmware updates will be provided. However, the iSTAR Pro has a physical dip switch located on its GCM board, labeled S4, that can be configured to block out communications to the ICU tool. Please consult the iSTAR Pro Installation and Configuration Guide for more details on how to set the dip switch to mitigate this vulnerability.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-06 v1

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA provides a section for control systems security recommended practices on the ICS web page on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with defense-in-depth strategies.

Further ICS security notices and product security guidance are located at Johnson Controls product security website
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 6, 2024: Initial Publication

Emerson Ovation

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Emerson
Equipment: Ovation
Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity

CISA is aware of a public report, known as “OT:ICEFALL”, detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, denial-of-service, or allow an attacker to modify the controller configuration.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson products are affected:

Ovation: Version 3.8.0 Feature Pack 1 and prior

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.

CVE-2022-29966 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29966. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The affected product was found to have no authentication of firmware signing and relies on an insecure checksum for integrity. This could allow an attacker to push malicious firmware images, cause a denial-of-service condition, or achieve remote code execution.

CVE-2022-30267 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30267. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA

4. MITIGATIONS

Emerson recommends the following:

Upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities.
Users are advised to consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models.
Deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual (OVREF1000). Ovation Users’ Group Website (User Manuals | Reference Manuals) (login required)
Users with questions or concerns regarding the impact of these vulnerabilities on Ovation should contact the
Ovation-CERT by email or phone (1-800-445-9723, option 3).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 6, 2024: Initial Publication

Emerson PACSystem and Fanuc

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.6
ATTENTION: Low attack complexity
Vendor: Emerson
Equipment: PACSystem, Fanuc
Vulnerabilities: Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity Insufficiently Protected Credentials, Download of Code Without Integrity Check

CISA is aware of a public report, known as “OT:ICEFALL”, detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson products are affected:

PAC Machine Edition: All versions (CVE-2022-30263, CVE-2022-30265)
PACSystem RXi: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266)
PACSystem RX3i: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30265)
PACSystem RSTi-EP: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266, CVE-2022-30265)
PACSystem VersaMax: All versions (CVE-2022-30263, CVE-2022-30265)
Fanuc VersaMax: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266)

3.2 Vulnerability Overview

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected product utilizes a protocol that allows cleartext transmission of credentials. This could allow an attacker to retrieve these over the network and gain control of the PLC, but cryptographically secure authentication using the SRP-6a protocol is supported and recommended. Enabling authentication on the PLC prevents replay attacks, and requires the attacker to intercept and modify an active connection. Implementation of a non-routing control network also requires compromise of the network topology before SRTP packets can be intercepted.

CVE-2022-30263 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30263. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N)

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The affected products use the Winloader utility to manage firmware updates by serial port or a serial-over-Ethernet link that were found to not use authentication. This could allow an attacker to push malicious firmware images to the controller and cause a denial-of-service condition or allow remote code execution. This vulnerability only effects version of the CPE302, 205, and 310 that were produced before the “-Bxxx” hardware revisions.

CVE-2022-30268 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2022-30268. A base score of 5.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N)

3.2.3 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The affected product uses a simple hashing scheme by client-side JavaScript. This could allow an attacker to intercept the hashes and strip the hashing scheme to obtain the credentials in plaintext. These credentials are only valid for 5 minutes due to the TLS protocol used, and also requires physical presence to press a button on the device, limiting this attack to being physically present and in a very short window. If this is accomplished, this only allows the attacker to upgrade or downgrade the firmware version. Due to this threat of Man-in-the-Middle attack, documentation recommends limiting physical access to networking equipment, and disabling IP routing on control networks. This vulnerability does not apply to older PLCs without a network-based update process.

CVE-2022-30266 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.0 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-30266. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

3.2.4 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494

Control logic downloaded to the PLC, which can be either written in one of the IEC 61131-3 languages or written in C and supplied as an ELF binary block, is not cryptographically authenticated.

CVE-2022-30265 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-30265. A base score of 5.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.

4. MITIGATIONS

Emerson recommends the following:

For CVE-2022-30263, see the following sections of PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

2.4 General Recommendations
4.3.3 Secure Login
4.3.4 Recommendations, Paragraph 2
If SRP6-a is not being used to secure authentication, see Section 2.4 General Recommendations and Section 6.1 Reference Architecture
5.2.1.1 Disabling Ethernet Services

For CVE-2022-30268, see the following sections of PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

4.3 Authentication
4.3.4 Recommendations, Paragraph 3
4.3.4.1 Personnel Security Protection
4.3.4.2 Physical Security Perimeter Protection

Emerson has updated the Fanuc VersaMax Secure Deployment Guide (GFK-2955D) to include the above recommendations for CVE-2022-30268.

For CVE-2022-30266, see the following sections of PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

2.4 General Recommendations
5.2.1.1 Disabling Ethernet Services
6.1 Reference Architecture

For CVE-2022-30265, see the following sections of the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

4.3.4.1 Personnel Security Protection
4.3.4.2 Physical Security Perimeter Protection

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 6, 2024: Initial Publication

Uniview NVR301-04S2-P4

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 4.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits available
Vendor: Uniview
Equipment: NVR301-04S2-P4
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Uniview NVR, a network video recorder, is affected:

NVR301-04S2-P4: Versions prior to NVR-B3801.20.17.240507

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

The affected product is vulnerable to reflected cross-site scripting attack (XSS). An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser. This vulnerability also requires authentication before it can be exploited, so the scope and severity is limited. Also, even if JavaScript is executed, no additional benefits are obtained.

CVE-2024-3850 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-3850. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Bleron Rrustemi and reported it to Uniview.

4. MITIGATIONS

Uniview encourages users to obtain the fixed version, Uniview NVR-B3801.20.17.240507, and update. You may contact your local dealer, Uniview Service Hotline, or regional technical support for assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

June 4, 2024: Initial Publication