Mitsubishi Electric FA Engineering Software Products

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: EZSocket, FR Configurator2, GT Designer3 Version1(GOT1000), GT Designer3 Version1(GOT2000), GX Works2, GX Works3, MELSOFT Navigator, MT Works2, MX Component, MX OPC Server DA/UA (Software packaged with MC Works64)
Vulnerabilities: Missing Authentication for Critical Function, Unsafe Reflection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric FA Engineering Software Products are affected:

EZSocket: Versions 3.0 and later
FR Configurator2: All versions
GT Designer3 Version1(GOT1000): All versions
GT Designer3 Version1(GOT2000): All versions
GX Works2: Versions 1.11M and later
GX Works3: All versions
MELSOFT Navigator: Versions 1.04E and later
MT Works2: All versions
MX Component: Versions 4.00A and later
MX OPC Server DA/UA (Software packaged with MC Works64): All versions

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

A remote unauthenticated attacker may be able to bypass authentication by sending specially crafted packets and connect to the products.

CVE-2023-6942 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.2 USE OF EXTERNALLY-CONTROLLED INPUT TO SELECT CLASSES OR CODE (‘UNSAFE REFLECTION’) CWE-470

An attacker may be able to execute malicious code by remotely calling a function with a path to a malicious library while connected to the products. As a result, unauthorized users may disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.

CVE-2023-6943 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:

When connecting your personal computer with the affected products to the internet, use a firewall, virtual private network (VPN), etc., to prevent unauthorized access and allow only trusted users to log in remotely.
Use your personal computer with the affected products within a LAN and block access from untrusted networks and hosts.
Restrict physical access to your computer using the affected products as well as to the personal computers and network devices that can communicate with it.
Install antivirus software on your personal computer using the affected products and on the personal computers that can communicate with it.
Don’t open untrusted files or click untrusted links.

For more information, see Mitsubishi Electric’s security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 30, 2024: Initial Publication

Rockwell Automation ControlLogix and GuardLogix

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix, GuardLogix
Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to crash the device by exploiting a Denial-of-Service (DoS) vulnerability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ControlLogix and GuardLogix programmable logic controllers are affected:

ControlLogix 5570: Firmware version 20.011
ControlLogix 5570 redundant: Firmware version 20.054_kit1
GuardLogix 5570: Firmware version 20.011

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

A denial-of-service (DoS) vulnerability exists that, if exploited, could cause the product to experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF.

CVE-2024-21916 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation users with the affected software are encouraged to apply the risk mitigations, if possible. Additionally, Rockwell Automation encourages users to implement their suggested security best practices to minimize the risk of vulnerability.

ControlLogix 5570: Corrected in v33.016, 34.013, 35.012, 36.011 and later
ControlLogix 5570 redundant: Corrected in v33.053_kit1, 34.052_kit1, 35.052_kit1, 36.051_kit1 and later
GuardLogix 5570: Corrected in v33.016, 34.013, 35.012, 36.011 and later

For more information, see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 30, 2024: Initial Publication

Hitron Systems Security Camera DVR

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: Hitron Systems
Equipment: DVR
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to affect the availability of the product through exploitation of an improper input validation vulnerability and default credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitron Systems DVR, a digital video recorder, are affected:

DVR HVR-4781: Versions 1.03 through 4.02
DVR HVR-8781: Versions 1.03 through 4.02
DVR HVR-16781: Versions 1.03 through 4.02
DVR LGUVR-4H: Versions 1.02 through 4.02
DVR LGUVR-8H: Versions 1.02 through 4.02
DVR LGUVR-16H: Versions 1.02 through 4.02

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists in Hitron Systems DVR HVR-4781 versions 1.03 through 4.02 that could allow an attacker to cause a denial-of-service condition when using default admin name and password.

CVE-2024-22768 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists in Hitron Systems DVR HVR-8781 versions 1.03 through 4.02 that could allow an attacker to cause a denial-of-service condition when using default admin name and password.

CVE-2024-22769 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists in Hitron Systems DVR HVR-16781 versions 1.03 through 4.02 that could allow an attacker to cause a denial-of-service condition when using default admin name and password.

CVE-2024-22770 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists in Hitron Systems DVR LGUVR-4H versions 1.02 through 4.02 that could allow an attacker to cause a denial-of-service condition when using default admin name and password.

CVE-2024-22771 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists in Hitron Systems DVR LGUVR-8H versions 1.02 through 4.02 that could allow an attacker to cause a denial-of-service condition when using default admin name and password.

CVE-2024-22772 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists in Hitron Systems DVR LGUVR-16H versions 1.02 through 4.02 that could allow an attacker to cause a denial-of-service condition when using default admin name and password.

CVE-2024-23842 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

Aline Eliovich, Chad Seaman, and Larry Cashdollar of Akamai Technologies reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitron Systems has released the following updates for their DVR:

DVR HVR-4781: Version 4.03
DVR HVR-8781: Version 4.03
DVR HVR-16781: Version 4.03
DVR LGUVR-4H: Version 4.03
DVR LGUVR-8H: Version 4.03
DVR LGUVR-16H: Version 4.03

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA has received reports of this vulnerability being actively exploited.

5. UPDATE HISTORY

January 30, 2024: Initial Publication

Rockwell Automation LP30/40/50 and BM40 Operator Interface

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: LP30, LP40, LP50, and BM40 Operator Panels
Vulnerability: Improper Validation of Consistency within Input, Out-of-bounds Write, Stack-based Buffer Overflow, Untrusted Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to use specifically crafted communication requests to perform a denial-of-service condition, memory overwriting, or remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

LP30 Operator Panel: Versions prior to V3.5.19.0
LP40 Operator Panel: Versions prior to V3.5.19.0
LP50 Operator Panel: Versions prior to V3.5.19.0
BM40 Operator Panel: Versions prior to V3.5.19.0

3.2 Vulnerability Overview

3.2.1 IMPROPER VALIDATION OF CONSISTENCY WITHIN INPUT CWE-1288

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47378 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47379 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47380 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47381 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.5 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47382 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47383 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.7 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47384 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47386 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.9 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47387 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.10 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47388 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.11 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47389 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.12 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47390 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.13 STACK-BASED BUFFER OVERFLOW CWE-121

After successful authentication, specifically crafted communication requests can cause the CmpAppForce component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47385 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.14 IMPROPER VALIDATION OF CONSISTENCY WITHIN INPUT CWE-1288

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47392 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.15 UNTRUSTED POINTER DEREFERENCE CWE-822

After successful authentication, specifically crafted communication requests can cause the CmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service condition.

CVE-2022-47393 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends that users of the affected software apply the following risk mitigations, if possible:

Upgrade to CODESYS version 3.5.19.2, which has been released to mitigate these issues.
Additionally, we encourage the user to implement our suggested security best practices to minimize risk of the vulnerability.

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Additional information can be found in the CODESYS Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 30, 2024: Initial Publication

Emerson Rosemount GC370XA, GC700XA, GC1500XA

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely
Vendor: Emerson
Equipment: Rosemount GC370XA, GC700XA, GC1500XA
Vulnerabilities: Command Injection, Improper Authentication, Improper Authorization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson Rosemount Gas Chromatographs are affected:

GC370XA: Version 4.1.5
GC700XA: Version 4.1.5
GC1500XA: Version 4.1.5

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.

CVE-2023-46687 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer.

CVE-2023-49716 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H).

3.2.3 IMPROPER AUTHENTICATION CWE-287

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.

CVE-2023-51761 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.4 IMPROPER AUTHORIZATION CWE-285

In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.

CVE-2023-43609 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Chemical
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Vera Mens of Claroty Research reported these vulnerabilities to Emerson.

4. MITIGATIONS

Emerson recommends end users update the affected products’ firmware. For update information, contact Emerson Tech Support. Emerson recommends end users continue to use current cybersecurity industry best practices, and in the event such infrastructure is not implemented within an end user’s network, the user should take action to ensure the affected product is connected to a well-protected network and not connected to the Internet. For more information, refer to the Emerson Security web page.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

January 30, 2024: Initial Publication

Opteev MachineSense FeverWarn

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: MachineSense LLC.
Equipment: MachineSense FeverWarn
Vulnerabilities: Missing Authentication for Critical Function, Use of Hard-coded Credentials, Improper Access Control, OS Command Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain user data from devices, execute remote code on devices, or gain control over devices to perform malicious actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following components of the FeverWarn ecosystem, an IoT-based skin temperature scanning system, are affected:

FeverWarn: ESP32
FeverWarn: RaspberryPi
FeverWarn: DataHub RaspberryPi

3.2 Vulnerability Overview

3.2.1 Missing Authentication for Critical Function CWE-306

The cloud provider MachineSense uses for integration and deployment of multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others, is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more.

CVE-2023-6221 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

3.2.2 Use of Hard-coded Credentials CWE-798

Multiple MachineSense devices have credentials unable to be changed by the user or administrator.

CVE-2023-46706 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.3 Missing Authentication for Critical Function CWE-306

The MachineSense application programming interface (API) is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information without any authentication.

CVE-2023-49617 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.2.4 Missing Authentication for Critical Function CWE-306

MachineSense devices use unauthenticated MQTT messaging for device monitoring and for remote viewing of sensor data by users.

CVE-2023-49115 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 Improper Access Control CWE-284

MachineSense FeverWarn devices are configured as Wi-Fi hosts in a way that attackers within range could connect to the device’s web services and compromise the device.

CVE-2023-47867 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 Improper Input Validation CWE-20

MachineSense FeverWarn Raspberry Pi-based devices lack input sanitization, which could allow an attacker on an adjacent network to send a message that runs commands or overflows the stack.

CVE-2023-49610 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health Sector
COUNTRIES/AREAS DEPLOYED: United States
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Vera Mens of Claroty Research reported these vulnerabilities to CISA.

4. MITIGATIONS

FeverWarn and the associated cloud service were pandemic-specific products for elevated body temperature scanning, discontinued by MachineSense prior to the end of the pandemic. They are no longer available, and there will be no future availability or upgrades. MachineSense is not aware of any current users of FeverWarn. Users of the affected product are encouraged to contact MachineSense for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 25, 2024: Initial Publication

SystemK NVR 504/508/516


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: SystemK
Equipment: NVR 504/508/516
Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute commands with root privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SystemK NVR, a network video recorder, are affected:

NVR 504: 2.3.5SK.30084998
NVR 508: 2.3.5SK.30084998
NVR 516: 2.3.5SK.30084998

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges.

CVE-2023-7227 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
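As an added illustration of the CWE-77 pattern described above (example code written for this page, not SystemK's firmware; it makes no claim about how the NVR actually builds its DDNS command), the Python below contrasts a handler that splices the DDNS hostname field into a shell command line with one that validates the hostname against an allowlist and passes it as a separate argv element with no shell. `echo` stands in for the real update binary so both variants can be run safely; the hostname `ddns.example.com` and the address `203.0.113.10` are constructed values.

```python
import ipaddress
import re
import subprocess

# Example code written for this page (not SystemK's firmware): it shows the
# CWE-77 pattern in a DDNS settings handler, using `echo` as a stand-in for a
# real DDNS update binary so the variants can be run safely side by side.
# The hostname and address values in __main__ are constructed, not observed.

# One RFC 1123 label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(hostname: str) -> bool:
    """Strict allowlist check for a DDNS hostname field."""
    if not 1 <= len(hostname) <= 253:
        return False
    labels = hostname.rstrip(".").split(".")
    return all(HOSTNAME_LABEL.match(label) for label in labels)


def is_valid_ip(ip: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True


def looks_injected(hostname: str) -> bool:
    """Cheap triage check for a captured request or config backup: a hostname
    field carrying shell metacharacters is an injection attempt."""
    return re.search(r"[;&|`$(){}<>\\'\"\n]", hostname) is not None


def run_ddns_update_vulnerable(hostname: str, ip: str) -> str:
    """Vulnerable: the untrusted hostname is spliced into a command string that
    is handed to /bin/sh, so ';', '|', '$(...)' and friends in the field are
    executed as commands. Returns what the shell printed."""
    cmd = f"echo updating {ip} {hostname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_ddns_update_no_shell(hostname: str, ip: str) -> str:
    """Partially hardened: argv list, no shell. Metacharacters are now inert
    (they reach the program as literal bytes), but the value is still
    unchecked, so the update binary must be able to cope with junk input."""
    argv = ["echo", "updating", ip, hostname]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_ddns_update_safe(hostname: str, ip: str) -> str:
    """Hardened: allowlist validation first, then argv without a shell."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    if not is_valid_ip(ip):
        raise ValueError(f"rejected address: {ip!r}")
    return run_ddns_update_no_shell(hostname, ip)


if __name__ == "__main__":
    benign, attack = "ddns.example.com", "ddns.example.com; echo INJECTED"
    print(run_ddns_update_vulnerable(attack, "203.0.113.10"), end="")  # second command runs
    print(run_ddns_update_no_shell(attack, "203.0.113.10"), end="")    # ';' is a literal
    print(run_ddns_update_safe(benign, "203.0.113.10"), end="")
    print("attack rejected:", not is_valid_hostname(attack), looks_injected(attack))
```

The argv-only variant is kept separate on purpose: removing the shell is what stops command execution, but the allowlist is what keeps junk out of the downstream tool and out of the device configuration store, and `looks_injected` is the check to run over saved configurations or web logs when assessing whether a device has already been targeted.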

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) authored by Keniver Wang.

4. MITIGATIONS

SystemK has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of SystemK NVR products are invited to contact SystemK customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 25, 2024: Initial Publication

Crestron AM-300


1. EXECUTIVE SUMMARY

CVSS v3 8.4
ATTENTION: Low attack complexity
Vendor: Crestron
Equipment: AM-300
Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate their privileges to root-level access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Crestron AirMedia Presentation System products are affected:

AM-300: Version 1.4499.00018

3.2 Vulnerability Overview

3.2.1 CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.

CVE-2023-6926 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Uri Katz of Claroty Research Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Crestron has resolved this vulnerability in firmware version 1.4499.00023.001 or higher. Please see https://security.crestron.com or contact True Blue Support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

APsystems Energy Communication Unit (ECU-C) Power Control Software


1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable via adjacent network / low attack complexity
Vendor: APsystems
Equipment: Energy Communication Unit (ECU-C) Power Control Software
Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access sensitive data and execute specific commands and functions with full admin rights without authenticating.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following APsystems products are affected:

Energy Communication Unit Power Control Software: C1.2.2
Energy Communication Unit Power Control Software: v3.11.4
Energy Communication Unit Power Control Software: W2.1.NA
Energy Communication Unit Power Control Software: v4.1SAA
Energy Communication Unit Power Control Software: v4.1NA

3.2 Vulnerability Overview

3.2.1 IMPROPER ACCESS CONTROL CWE-284

APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights without authenticating.

CVE-2022-44037 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered a public proof of concept authored by Momen Eldawakhly (Cyber Guy).

4. MITIGATIONS

APsystems has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact APsystems support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

Westermo Lynx 206-F2G


1. EXECUTIVE SUMMARY

CVSS v3 8.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Westermo
Equipment: Lynx 206-F2G
Vulnerabilities: Cross-site Scripting, Code Injection, Cross-Origin Resource Sharing, Cleartext Transmission of Sensitive Information, Cross-Site Request Forgery

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access the web application, inject arbitrary code, execute malicious code, obtain sensitive information, or execute a malicious request.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Lynx 206-F2G, a layer three industrial Ethernet switch, are affected:

Lynx: Model Version L206-F2G1
Lynx: Firmware Version 4.24

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “forward.0.domain” parameter.

CVE-2023-40143 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “autorefresh” parameter.

CVE-2023-45222 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

3.2.3 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

A potential attacker with access to the device would be able to execute malicious code that could affect the correct functioning of the device.

CVE-2023-45735 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.4 CROSS-ORIGIN RESOURCE SHARING (CORS) CWE-942

A potential attacker with access to the device would be able to execute malicious code that could affect the correct functioning of the device.

CVE-2023-45213 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “username” parameter in the SNMP configuration.

CVE-2023-42765 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

3.2.6 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

An attacker with access to the network where the affected devices are located could perform malicious actions to obtain, via a sniffer, sensitive information exchanged over TCP communications.

CVE-2023-40544 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.7 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to carry out an action unintentionally.

CVE-2023-38579 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
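As an added example of the token weakness in 3.2.7 and of the origin-check that also addresses the permissive CORS finding in 3.2.4 (example code written for this page, not Westermo's WeOS web UI; it does not describe how the Lynx actually derives its token or sets its CORS headers), the Python below shows a token that is a pure function of a small session id, the attacker-side enumeration that recovers it, and the server-side replacement: a per-session token from the OS CSPRNG compared in constant time, combined with an explicit Origin allowlist. The session ids, the origins `https://switch.example` and `https://evil.example`, and the CSPRNG token length are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Example code written for this page (not Westermo's WeOS UI): it contrasts a
# guessable CSRF token scheme with a random, session-bound one, and shows the
# Origin allowlist check that also closes a reflect-any-Origin CORS policy.
# Session ids and origins are constructed for the example.


def weak_csrf_token(session_id: int) -> str:
    """Predictable: a pure function of a small sequential session id. Anyone who
    knows the scheme recovers the token by enumerating a few thousand ids."""
    return hashlib.md5(str(session_id).encode()).hexdigest()[:16]


def guess_weak_token(observed_token: str, max_session_id: int = 10_000) -> Optional[int]:
    """Attacker side: brute-force the session id behind a weak token."""
    for sid in range(max_session_id):
        if weak_csrf_token(sid) == observed_token:
            return sid
    return None


class CsrfTokens:
    """Server side: one unguessable token per session, compared in constant time."""

    def __init__(self) -> None:
        self._by_session: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._by_session.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison so the check does not leak via timing.
        return hmac.compare_digest(expected.encode(), presented.encode())


def cors_headers_vulnerable(request_origin: Optional[str]) -> Dict[str, str]:
    """Reflects any Origin together with credentials: any site the victim visits
    can read authenticated responses from the device."""
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_safe(request_origin: Optional[str], allowed: frozenset) -> Dict[str, str]:
    """Only an allowlisted Origin is echoed; everything else gets no CORS grant."""
    if request_origin in allowed:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def state_change_allowed(session_id: str, presented_token: Optional[str],
                         origin: Optional[str], tokens: CsrfTokens,
                         allowed_origins: frozenset) -> bool:
    """Gate for a state-changing request: a valid per-session token AND, when the
    browser sent an Origin header, an allowlisted origin (defense in depth)."""
    if not tokens.verify(session_id, presented_token):
        return False
    return origin is None or origin in allowed_origins
```

The Origin check is deliberately a second gate rather than a replacement for the token: browsers omit `Origin` on some same-origin requests, so a missing header is tolerated, but a present and unlisted one is rejected even when the token is right.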

3.2.8 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the web application with vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “dns.0.server” parameter.

CVE-2023-45227 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
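As an added example covering the four stored cross-site scripting findings above (3.2.1, 3.2.2, 3.2.5 and 3.2.8; example code written for this page, not Westermo's WeOS UI), the Python below shows why a configuration value such as `forward.0.domain` or `dns.0.server` becomes markup when it is echoed back into an attribute unescaped, and the two fixes: HTML-attribute encoding at output time, plus type validation for fields with a known shape (`autorefresh` is a number of seconds, `dns.0.server` an IP address). The parameter names come from the advisory; the payload, defaults and clamp range are constructed for the example.

```python
import html
import ipaddress
from typing import Optional

# Example code written for this page (not Westermo's WeOS UI): it shows why
# the named configuration fields are injectable when echoed back unescaped,
# then output encoding and type validation as the fixes. The payload and the
# default/clamp values are constructed for the example.


def render_field_vulnerable(name: str, value: str) -> str:
    """Stored value echoed into an attribute verbatim: a '"' in the value closes
    the attribute and the rest of the payload is parsed as markup."""
    return f'<input name="{name}" value="{value}">'


def render_field_safe(name: str, value: str) -> str:
    """Same template, but both interpolations are HTML-attribute encoded
    (quote=True also encodes '"' and "'", which matters inside an attribute)."""
    return (f'<input name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def parse_autorefresh(raw: str, default: int = 30, lo: int = 0, hi: int = 3600) -> int:
    """'autorefresh' is a number of seconds: parse it as one and clamp it, so an
    arbitrary string never reaches the page or the configuration store."""
    try:
        value = int(raw.strip(), 10)
    except (ValueError, AttributeError):
        return default
    return min(max(value, lo), hi)


def parse_dns_server(raw: str) -> Optional[str]:
    """'dns.0.server' is an IP address: return it normalised, or None to reject."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def markup_survives(rendered: str, payload: str) -> bool:
    """Check used in tests: did the attacker's raw markup reach the output?"""
    return payload in rendered
```

Encoding at the output sink is the fix that works for free-text fields; the type validators are the defense-in-depth layer that keeps the stored configuration clean, which matters on a device where the same value is also handed to other subsystems (DNS, forwarding) that do not go through the web renderer.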

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Aarón Flecha Menéndez, Iván Alonso Álvarez and Víctor Bello Cuevas reported these vulnerabilities to CISA.

4. MITIGATIONS

Westermo recommends following best practices for hardening, such as restricting access, disabling unused services (attack surface reduction), etc., to mitigate the reported vulnerabilities.

The reported cross-site scripting vulnerabilities will be mitigated in a future report.
The reported cross-origin resource sharing vulnerability will be mitigated in a future report.
The reported code injection vulnerability will be mitigated in a future report.
The reported cross site request forgery vulnerability was patched in a later WeOS4 version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 23, 2024: Initial Publication