As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.7
ATTENTION: Exploitable from adjacent network
Vendor: Siemens
Equipment: SIMATIC RTLS Gateway RTLS4030G, SIMATIC RTLS Gateway RTLS4430G
Vulnerability: Improper Handling of Length Parameter Inconsistency

2. RISK EVALUATION

The Treck TCP/IP stack on affected devices improperly handles length parameter inconsistencies. Unauthenticated remote attackers may be able to send specially crafted IP packets which could lead to a denial of service condition or remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23): All versions
SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03): All versions
SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13): All versions
SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33): All versions
SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

The Treck TCP/IP stack on affected devices improperly handles length parameter inconsistencies. Unauthenticated remote attackers may be able to send specially crafted IP packets which could lead to a denial-of-service condition or remote code execution.

CVE-2020-11896 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2020-11896. A base score of 7.7 has been assigned; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23), SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03), SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13), SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33), SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03): Currently no fix is planned. Implement Security recommendations according to the product manual

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-647068 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE W1750D
Vulnerabilities: Classic Buffer Overflow, Improper Input Validation, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject commands or exploit buffer overflow vulnerabilities which could lead to sensitive information disclosure, unauthenticated denial-of-service or unauthenticated remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-45614 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-45615 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

There is a buffer overflow vulnerability in the underlying AirWave client service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-45616 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

There are arbitrary file deletion vulnerabilities in the CLI service accessed by PAPI (Aruba’s access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point.

CVE-2023-45617 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

There are arbitrary file deletion vulnerabilities in the AirWave client service accessed by PAPI (Aruba’s access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point.

CVE-2023-45618 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

There is an arbitrary file deletion vulnerability in the RSSI service accessed by PAPI (Aruba’s access point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point.

CVE-2023-45619 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45620 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45621 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the BLE daemon service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45622 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Wi-Fi Uplink service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45623 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

An unauthenticated Denial-of-Service (DoS) vulnerability exists in the soft ap daemon accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45624 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.12 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2023-45625 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.13 IMPROPER INPUT VALIDATION CWE-20

An authenticated vulnerability has been identified allowing an attacker to effectively establish highly privileged persistent arbitrary code execution across boot cycles.

CVE-2023-45626 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.14 IMPROPER INPUT VALIDATION CWE-20

An authenticated Denial-of-Service (DoS) vulnerability exists in the CLI service. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45627 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

CVE-2023-45614, CVE-2023-45615, CVE-2023-45616, CVE-2023-45617, CVE-2023-45618, CVE-2023-45619, CVE-2023-45620, CVE-2023-45621, CVE-2023-45622, CVE-2023-45623, CVE-2023-45624: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited.
CVE-2023-45625, CVE-2023-45626, CVE-2023-45627: The CLI and web-based management interfaces should be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-716164 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-R Series Safety CPU and SIL2 Process CPU Module
Vulnerability: Incorrect Privilege Assignment

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than themselves.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following MELSEC iQ-R Series products are affected:

MELSEC iQ-R Series Safety CPU R08SFCPU: All versions
MELSEC iQ-R Series Safety CPU R16SFCPU: All versions
MELSEC iQ-R Series Safety CPU R32SFCPU: All versions
MELSEC iQ-R Series Safety CPU R120SFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R08PSFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R16PSFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R32PSFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R120PSFCPU: All versions

3.2 Vulnerability Overview

3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

Information disclosure vulnerability due to incorrect privilege assignment exists in MELSEC iQ-R Series Safety CPU and SIL2 Process CPU modules. After a remote attacker logs into the CPU module as a non-administrator user, the attacker may disclose the credentials (user ID and password) of a user with a lower access level than the attacker by sending a specially crafted packet.

CVE-2023-6815 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos Inc. reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

When MELSEC iQ-R Series Safety CPU versions 27 or later is used with GX Works3 versions 1.087R or later, this attack can be prevented by enabling “communicating with only the enhanced version of vulnerability management of GX Works3” when writing user information to the CPU module. Mitsubishi Electric will implement the workaround in other products in the near future. Please contact your local Mitsubishi Electric representative to update your CPU module to the one listed above.

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual for each product. “1.13 Security” – “IP filter” in the MELSEC iQ-R Ethernet User’s Manual (Application).
Restrict physical access to the affected product as well as to the personal computers and the network devices that can communicate with it.
Install antivirus software on your personal computer that can access the affected product.

For specific update instructions and additional details, see Mitsubishi Electric advisory 2023-021.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity
Vendor: Qolsys, Inc.
Equipment: IQ Panel 4, IQ4 Hub
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the panel software, under certain circumstances, to provide unauthorized access to settings.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Qolsys, Inc, a subsidiary of Johnson Controls, are affected:

Qolsys IQ Panel 4: Versions prior to 4.4.2
Qolsys IQ4 Hub: Versions prior to 4.4.2

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

In Qolsys IQ Panel 4 and IQ4 Hub versions prior to 4.4.2, panel software, under certain circumstances, could allow unauthorized access to settings.

CVE-2024-0242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Cody Jung reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls has provided the following recommendations for its subsidiary company, Qolsys, Inc, to help reduce the risk of the vulnerability:

Upgrade IQ Panel 4, IQ4 Hub to version 4.4.2.
The firmware can be updated remotely to all available devices in the field.
The firmware update can also be manually loaded by applying the patch tag “iqpanel4.4.2” on the device after navigating to its firmware update page.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-03.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 8, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Low attack complexity
Vendor: HID Global
Equipment: Reader Configuration Cards
Vulnerability: Improper Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read the credential and device administration keys from a configuration card. Those keys could be used to create malicious configuration cards or credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following HID products are affected:

HID iCLASS SE reader configuration cards: All versions
OMNIKEY Secure Elements reader configuration cards: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHORIZATION CWE-285

Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys.

CVE-2024-23806 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

HID Global reported this vulnerability to CISA.

4. MITIGATIONS

HID Global recommends the following mitigations to reduce the risk:

Elite Key and Custom Key customers that have kept their configuration cards secure should continue to be vigilant and restrict access to those cards. To exploit this vulnerability, a reader must be physically close to or in possession of the configuration cards to communicate with the card and extract information.

Administrators should plan to securely destroy unneeded configuration cards.

Customers using the HID standard key, and other customers who are concerned their keys may be compromised should consider steps to update the readers and credentials with new keys. To assist in this effort, HID will be introducing a free upgrade to the Elite Key program. Contact your HID representative for more information at https://www.hidglobal.com/support.

HID has also provided additional steps users can take steps to harden their readers to prevent malicious configuration changes.

iCLASS SE Readers

iCLASS SE Readers using firmware version 8.6.0.4 or higher can use the HID Reader Manager application to prevent the readers from accepting configuration changes from Configuration Cards.
If you need assistance, or if the reader firmware has not been updated to 8.6.0.4 or higher, contact HID Technical Support.

HID OMNIKEY Readers, OMNIKEY Secure Elements, iCLASS SE Reader Modules, iCLASS SE Processors

Contact HID to receive a “Shield Card” that will prevent further configuration changes using reader configuration cards.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 6, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable locally
Vendor: HID Global
Equipment: iCLASS SE, OMNIKEY
Vulnerability: Improper Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read data from reader configuration cards and credentials. Reader configuration cards contain credential and device administration keys which could be used to create malicious configuration cards or credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following HID products are affected when configured as an encoder:

iCLASS SE CP1000 Encoder: All versions
iCLASS SE Readers: All versions
iCLASS SE Reader Modules: All versions
iCLASS SE Processors: All versions
OMNIKEY 5427CK Readers: All versions
OMNIKEY 5127CK Readers: All versions
OMNIKEY 5023 Readers: All versions
OMNIKEY 5027 Readers: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHORIZATION CWE-285

Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys.

CVE-2024-22388 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

HID Global reported this vulnerability to CISA.

4. MITIGATIONS

HID advises users to take the following steps to mitigate these threats.

Protect your reader configuration cards.

A malicious encoder or reader must be physically close to the reader configuration cards to communicate with them and extract information. Elite Key and Custom Key users that have kept their configuration cards secure should continue to be vigilant and restrict access to those cards.
HID standard key users and other users who are concerned their keys may be compromised should consider steps to update the readers and credentials with new keys. To assist in this effort, HID will be introducing a free upgrade to the Elite Key program. Contact your HID representative for more information.

Protect your credentials and disable legacy technologies.

Reading the PACS data from a credential is not enough to clone the credential for modern technologies like Seos and DESFire. These technologies use a credential key for authentication. However, if a system’s readers still support legacy technologies (i.e., HID Prox, MiFARE Classic, etc.), then it may be possible to insert the credential information into a legacy technology credential that would be accepted by those readers. Users are encouraged to disable legacy credential technologies in their readers.
Further, physical credentials should always be kept safe by their users, and site managers should remind their users to be vigilant with their credentials and report missing or stolen cards.

Harden your iCLASS SE Readers from configuration changes

iCLASS SE Readers using firmware firmware version 8.6.04 or higher can use the HID Reader Manager application to prevent the readers from accepting configuration changes from configuration cards. After this is complete, users may then securely destroy their reader configuration cards.
If you need assistance, or if the reader firmware has not been updated to 8.6.04 or higher, contact HID Technical Support.

Harden your HID OMNIKEY Readers, HID iCLASS SE Reader Modules, HID iCLASS SE Processors from configuration changes

Contact HID to receive a “Shield Card” that will prevent further configuration changes using reader configuration cards. After this is complete, users may then securely destroy their reader configuration cards.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

February 6, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable Remotely/Low attack complexity
Vendor: Gessler GmbH
Equipment: WEB-MASTER
Vulnerabilities: Use of Weak Credentials, Use of Weak Hash

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Gessler GmbH WEB-MASTER, an emergency lighting management system, are affected:

WEB-MASTER: version 7.9

3.2 Vulnerability Overview

3.2.1 USE OF WEAK CREDENTIALS CWE-1391

Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.

CVE-2024-1039 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF WEAK HASH CWE-328

Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.

CVE-2024-1040 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worlwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Felix Eberstaller and Nino Fürthauer of Limes Security reported these vulnerabilities to CISA.

4. MITIGATIONS

Gessler GmbH recommends updating EZ2 to 3.2 or greater and WebMaster to 4.4 or greater to mitigate these vulnerabilities. Updates have to be applied by Gessler GmbH technicians. For more information contact Gessler GmbH.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 1, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity
Vendor: AVEVA
Equipment: AVEVA Edge products (formerly known as InduSoft Web Studio)
Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker achieving arbitrary code execution and privilege escalation by tricking AVEVA Edge to load an unsafe DLL.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AVEVA Edge products (formerly known as InduSoft Web Studio) are affected:

AVEVA Edge: 2020 R2 SP2 and prior

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The vulnerability, if exploited, could allow a malicious entity with access to the file system to achieve arbitrary code execution and privilege escalation by tricking AVEVA Edge to load an unsafe DLL.

CVE-2023-6132 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Ting Chen of UESTC discovered and disclosed this vulnerability to AVEVA. ADLab of Venustech discovered and disclosed this vulnerability to AVEVA.

4. MITIGATIONS

AVEVA recommends users upgrade to AVEVA Edge 2023, or AVEVA Edge 2020 R2 SP2 P01 as soon as possible. Upgrades can be downloaded from the AVEVA official website: AVEVA Edge 2023, AVEVA Edge 2020 R2 SP2 P01.

Note: Log-in is required.

For additional information, please refer to AVEVA’s security advisory AVEVA-2024-002.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 1, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Mitsubishi Electric
Equipment: MELSEC WS Series
Vulnerability: Authentication Bypass by Capture-replay

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker to login to the modules and disclose or tamper with the programs and parameters in the modules.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC WS Series Ethernet Interface Modules, are affected:

WS0-GETH00200: All serial numbers

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

An authentication bypass vulnerability exists in the MELSEC WS Series Ethernet Interface Modules. A remote unauthenticated attacker can bypass authentication by capture-replay attack and login to the modules. As a result, the remote attacker who has logged in may be able to disclose or tamper with the programs and parameters in the modules.

CVE-2023-6374 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a virtual private network (VPN), etc. to encrypt the communication between affected products and the peer.
Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to affected products and to personal computers and network devices located in the LAN to which the affected products are connected.

For more information, see Mitsubishi Electric’s security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

January 30, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Service Platform
Vulnerability: Improper Verification of Cryptographic Signature

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to retrieve user information and modify settings without any authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Smart Security Manager, a software management platform, are affected:

FactoryTalk Service Platform: Versions prior to v6.4

3.2 Vulnerability Overview

3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

A vulnerability exists in the affected product that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.

CVE-2024-21917 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell recommends the following:

Set DCOM authentication level to 6, which enables encryption of the service token and communication channel between the server and client. Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk Services APIs. This helps prevent a malicious user from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk® Administration Console application.
Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 30, 2024: Initial Publication