Posts Page - CloudCentric

ICONICS and Mitsubishi Electric Products

Written by on October 22, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: ICONICS, Mitsubishi Electric
Equipment: ICONICS Product Suite, Mitsubishi Electric MC Works64
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in disclosure of confidential information, data tampering, or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ICONICS reports that the following versions of ICONICS and Mitsubishi Electric Products are affected:

ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.3 and prior
Mitsubishi Electric MC Works64: all versions

3.2 Vulnerability Overview

3.2.1 Incorrect Default Permissions CWE-276

There is an incorrect default permissions vulnerability in ICONICS and Mitsubishi Electric products which may allow a disclosure of confidential information, data tampering, or a denial of service condition due to incorrect default permissions.

CVE-2024-7587 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

3.4 RESEARCHER

Asher Davila and Malav Vyas of Palo Alto Networks reported this vulnerability to ICONICS.

4. MITIGATIONS

Version 10.97.3 CFR1 and later is not vulnerable to this issue. ICONICS recommends that users of its products take the following mitigation steps:

For new systems, use the 10.97.3 CFR1 or later version of the ICONICS products.
If planning to use GENESIS64 v10.97.3 or earlier on a new freshly installed system, do not install the included GenBroker32. Instead, download the latest GenBroker32 from ICONICS and install this version if needed.
For systems that already have v10.97.3 or an earlier version, or MC Works64 installed, verify the permissions on the c:ProgramDataICONICS folder do not include “Everyone”. If this folder is set to provide access to “Everyone”, remove this access by performing the following steps:

Right click C:ProgramDataICONICS folder and open the Properties display
Open the Security tab
Click Advanced
Click Change Permissions
Select “Everyone” and check the “Replace all object permissions entries with inheritable permission entries from this project” checkbox
Click Remove

ICONICS and Mitsubishi Electric recommends users update the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here(login required).

ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the [ICONICS Whitepaper on Security Vulnerabilities])https://iconics.com/About/Security/CERT), and to the for information on the availability of the security updates.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

October 22, 2024: Initial Publication

Kieback&Peter DDC4000 Series

Written by on October 17, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Kieback&Peter
Equipment: DDC4000 Series
Vulnerabilities: Path Traversal, Insufficiently Protected Credentials, Use of Weak Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Kieback&Peter DDC4000 series products are affected:

DDC4002 : Versions 1.12.14 and prior
DDC4100 : Versions 1.7.4 and prior
DDC4200 : Versions 1.12.14 and prior
DDC4200-L : Versions 1.12.14 and prior
DDC4400 : Versions 1.12.14 and prior
DDC4002e : Versions 1.17.6 and prior
DDC4200e : Versions 1.17.6 and prior
DDC4400e : Versions 1.17.6 and prior
DDC4020e : Versions 1.17.6 and prior
DDC4040e : Versions 1.17.6 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The affected product is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.

CVE-2024-41717 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41717. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The affected product has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system.

CVE-2024-43812 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43812. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF WEAK CREDENTIALS CWE-1391

The affected product uses weak credentials, which may allow an unauthenticated attacker to get full admin rights on the system.

CVE-2024-43698 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43698. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector, Commercial Facilities Sector, Communications Sector, Financial Services Sector, Food and Agriculture Sector, Government Services and Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector
COUNTRIES/AREAS DEPLOYED: Europe, the Middle East and Asia.
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Raphael Ruf of terreActive AG reported these vulnerabilities to CISA.

4. MITIGATIONS

Kieback&Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are considered End-of-Life (EOL) and are no longer supported. Users operating these controllers should ensure they are operated in a strictly separate OT environment and consider updating to a supported controller.

Kieback&Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.

Kieback&Peter recommends all affected users contact their local Kieback&Peter office to update the firmware of the supported DDC systems to v1.21.0 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication

HMS Networks EWON FLEXY 202

Written by on October 17, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: HMS Networks
Equipment: EWON FLEXY 202
Vulnerability: Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to sniff and decode credentials that are transmitted using weak encoding techniques.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of EWON FLEXY 202, an industrial modular gateway, are affected:

EWON FLEXY 202: Firmware Version 14.2s0

3.2 Vulnerability Overview

3.2.1 CWE-522: Insufficiently Protected Credentials

The EWON FLEXY 202 transmits credentials using a weak encoding method base64. An attacker who is present in the network can sniff the traffic and decode the credentials.

CVE-2024-7755 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

CVE-2024-7755 has been assigned to this vulnerability. A CVSS v4 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater Systems, Energy, and Food and Agriculture
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Anurag Chevendra, Parul Sindhwad and Dr. Faruk Kazi CoE-CNDS Lab, VJTI, Mumbai, India reported this vulnerability to CISA.

4. MITIGATIONS

HMS Networks recommends users update to firmware version 14.9s2.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication

LCDS LAquis SCADA

Written by on October 17, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
Equipment: LAquis SCADA
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to steal cookies, inject arbitrary code, or perform unauthorized actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of LAquis SCADA, an HMI program, are affected:

LAquis SCADA: Version 4.7.1.511

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions.

CVE-2024-9414 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-9414. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: South America
COMPANY HEADQUARTERS LOCATION: Brazil

3.4 RESEARCHER

Mounir Aarab reported this vulnerability to CISA.

4. MITIGATIONS

LCDS recommends users update to version 4.7.1.611 or newer versions of LAquis SCADA.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication

Elvaco M-Bus Metering Gateway CMe3100

Written by on October 17, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Elvaco
Equipment: M-Bus Metering Gateway CMe3100
Vulnerabilities: Missing Authentication for Critical Function, Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Insufficiently Protected Credentials.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Elvaco CMe3100, a metering gateway are affected:

CMe3100: Version 1.12. 1

3.2 Vulnerability Overview

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS (CWE-522)

The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information.

CVE-2024-49396 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-49396. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION(‘CROSS-SITE SCRIPTING’) (CWE-79)

The affected product is vulnerable to a cross-site scripting attack which may allow an attacker to bypass authentication and takeover admin accounts.

CVE-2024-49397 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-49397. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE (CWE-434)

The affected product is vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute code.

CVE-2024-49398 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-49398. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION (CWE-306)

The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information.

CVE-2024-49399 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-49399. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Multiple
COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Tomer Goldschmidt of Claroty Research – Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

Elvaco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of M-Bus Metering Gateway CMe3100 are invited to contact Elvaco customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication

Mitsubishi Electric CNC Series

Written by on October 17, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Mitsubishi Electric
Equipment: CNC Series
Vulnerability: Improper Validation of Specified Quantity in Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to cause a denial-of-service (DoS) condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

M800VW (BND-2051W000-**): All versions
M800VS (BND-2052W000-**): All versions
M80V (BND-2053W000-**): All versions
M80VW (BND-2054W000-**): All versions
M800W (BND-2005W000-**): All versions
M800S (BND-2006W000-**): All versions
M80 (BND-2007W000-**): All versions
M80W (BND-2008W000-**): All versions
E80 (BND-2009W000-**): All versions
C80 (BND-2036W000-**): All versions
M750VW (BND-1015W002-**): All versions
M730VW/M720VW (BND-1015W000-**): All versions
M750VS (BND-1012W002-**): All versions
M730VS/M720VS (BND-1012W000-**): All versions
M70V (BND-1018W000-**): All versions
E70 (BND-1022W000-**): All versions
NC Trainer2 (BND-1802W000-**): All versions
NC Trainer2 plus (BND-1803W000-**): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER VALIDATION OF SPECIFIED QUANTITY IN INPUT CWE-1284

A denial-of-service (DoS) vulnerability exists in Numerical Control Systems (CNC). A malicious unauthenticated remote attacker may cause a denial-of-service (DoS) condition in the affected product by sending specially crafted packets to TCP port 683

CVE-2024-7316 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigating measures to minimize the risk of exploiting this
vulnerability.

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
Install anti-virus software on your PC that can access the product.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to the affected product and the LAN to which the product is connected.
Use IP filter function*1 to block access from untrusted hosts.
IP filter function is available for M800V/M80V Series and M800/M80/E80 Series.
For details about the IP filter function, please refer to the following manual for each product: M800V/M80V Series Instruction Manual “16. Appendix 3 IP Address Filter Setting Function” and M800/M80/E80 Series Instruction Manual “15. Appendix 2 IP Address Filter Setting Function”

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

For additional information see Mitsubishi Electric advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 17, 2024: Initial Publication

Siemens Siveillance Video Camera

Written by on October 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Exploitable from an adjacent network
Vendor: Siemens
Equipment: Siveillance Video Camera
Vulnerability: Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Siveillance Video Camera are affected:

Siveillance Video Camera: All versions prior to V13.2

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A possible buffer overflow in selected cameras’ drivers from XProtect Device Pack can allow an attacker with access to internal network to execute commands on Recording Server under strict conditions.

CVE-2024-3506 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-3506. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Milestone PSIRT reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Siveillance Video Camera: Update to V13.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-438590 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 15, 2024: Initial Publication

Schneider Electric Data Center Expert

Written by on October 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Data Center Expert
Vulnerability: Improper Verification of Cryptographic Signature, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access private data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following versions of Data Center Expert, a monitoring software, are affected:

Data Center Expert: Versions 8.1.1.3 and prior

3.2 Vulnerability Overview

3.2.1 Improper Verification of Cryptographic Signature CWE-347

An improper verification of cryptographic signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root.

CVE-2024-8531 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8531. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Missing Authentication for Critical Function CWE-306

A missing authentication for critical function vulnerability exists in Data Center Expert software that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS.

CVE-2024-8530 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-8530. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Anonymous working with Trend Micro Zero Day Initiative reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Version 8.2 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center.

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends the use of back-ups and evaluating the impact of these patches in a test and development environment or on an offline infrastructure. Contact
Schneider Electric’s Customer Care Center if you need assistance removing a patch.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

Ensure that the principals of least privilege are being followed so that only those with need have account access and that the level of their respective account authorization aligns with their role, including privileged accounts as described in the Data Center Expert Security Handbook.
Verify SHA1 checksums of upgrade bundles prior to executing upgrades as described in the Upgrades section of the Data Center Expert Security Handbook.
Delete any existing “logcapture” archives present on the system and do not create any new “logcapture” archives. Existing archives can be deleted from the https://server_ip/capturelogs web page after authenticating.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For more information see the associated Schneider Electric security notification SEVD-2024-282-01 in PDF and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 15, 2024: Initial Publication

Siemens Sentron Powercenter 1000

Written by on October 10, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Sentron Powercenter 1000
Vulnerability: Improper Check for Unusual or Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SENTRON Powercenter 1000 (7KN1110-0MC00): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754

Prior to v7.4.0, Ember ZNet is vulnerable to a denial-of-service attack through manipulation of the NWK sequence number. For SENTRON Powercenter 1000: The product is vulnerable through the manipulation of a component sequence number, other devices/networks are not affected, only the same powercenter/network is affected. The product is vulnerable through the manipulation of a component sequence number, other
devices/networks are not affected, only the same powercenter/network is affected.

CVE-2023-6874 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-6874. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mitigate through physical isolation

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-340240 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Rockwell Automation Verve Asset Manager

Written by on October 10, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Verve Asset Manager
Vulnerability: Placement of User into Incorrect Group

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized user to access previous data they should no longer have access to.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of Verve Asset Manager are affected:

Verve Asset Manager: Versions 1.38 and prior

3.2 Vulnerability Overview

3.2.1 Placement of User into Incorrect Group CWE-842

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously had but should no longer have access to.

CVE-2024-9412 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9412. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N ).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Water and Wastewater Systems, Healthcare and Public Health, and Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has addressed this issue in version 1.38 and encourages users to update to the newest available version.

Rockwell Automation encourages users of the affected software to apply risk mitigations, if possible. Additionally, they encourage users to implement suggested security best practices to minimize the risk of vulnerability:

The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.
Security Best Practices

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication