Posts Page - CloudCentric

Siemens Siveillance Control

Written by on March 14, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.8
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Siveillance Control
Vulnerability: Incorrect Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to gain write privileges for objects where they only have read privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Siveillance Control: Versions V2.8 and after until V3.1.1

3.2 Vulnerability Overview

3.2.1 INCORRECT AUTHORIZATION CWE-863

The affected product does not properly check the list of access groups that are assigned to an individual user. This could enable a locally logged on user to gain write privileges for objects where they only have read privileges.

CVE-2023-45793 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has been calculated for CVE-2023-45793. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released a new version for Siveillance Control and recommends users update to the latest version:

Update to V3.1.1 or later version
Restrict access to the machine where the Siveillance Control frontend is installed

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-145196 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Mitsubishi Electric MELSEC-Q/L Series

Written by on March 14, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC-Q/L Series
Vulnerabilities: Incorrect Pointer Scaling, Integer Overflow or Wraparound

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to be able to read arbitrary information or execute malicious code on a target product by sending a specially crafted packet.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC-Q/L Series, a controller used for factory automation, are affected:

MELSEC-Q Series Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: All Versions
MELSEC-Q Series Q03/04/06/13/26UDVCPU: All Versions
MELSEC-Q Series Q04/06/13/26UDPVCPU: All Versions
MELSEC-L Series L02/06/26CPU(-P), L26CPU-(P)BT: All Versions

3.2 Vulnerability Overview

3.2.1 Incorrect Pointer Scaling CWE-468

In the Mitsubishi Electric MELSEC-Q/L Series a remote attacker may be able to read arbitrary information from a target product or execute malicious code on a target product by sending a specially crafted packet.

CVE-2024-0802 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Integer Overflow or Wraparound CWE-190

In the Mitsubishi Electric MELSEC-Q/L Series a remote attacker may be able to execute malicious code on a target product by sending a specially crafted packet

CVE-2024-0803 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 Incorrect Pointer Scaling CWE-468

In the Mitsubishi Electric MELSEC-Q/L Series a remote attacker may be able to execute malicious code on a target product by sending a specially crafted packet

CVE-2024-1915 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 Integer Overflow or Wraparound CWE-190

In the Mitsubishi Electric MELSEC-Q/L Series a remote attacker may be able to execute malicious code on a target product by sending a specially crafted packet

CVE-2024-1916 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 Integer Overflow or Wraparound CWE-190

In the Mitsubishi Electric MELSEC-Q/L Series a remote attacker may be able to execute malicious code on a target product by sending a specially crafted packet

CVE-2024-1917 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Anton Dorfman from Positive Technologies reported these vulnerabilities to Mitsubishi Electric who reported them to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to the affected product as well as to the personal computers and the network devices that can communicate with it.
Install antivirus software on your personal computer that can access the affected product.

For specific additional details, see Mitsubishi Electric advisory 2023-024.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Siemens SINEMA Remote Connect Client

Written by on March 14, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEMA Remote Connect Client
Vulnerability: Insertion of Sensitive Information into Externally-Accessible File or Directory

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SINEMA Remote Connect Client, a remote management platform, are affected:

SINEMA Remote Connect Client: All versions prior to V3.1 SP1

3.2 Vulnerability Overview

3.2.1 INSERTION OF SENSITIVE INFORMATION INTO EXTERNALLY-ACCESSIBLE FILE OR DIRECTORY CWE-538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. This information is also available via the web interface of the product.

CVE-2024-22045 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-22045. A base score of 6.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates for the affected products and recommends to update to the latest versions:

Update to V3.1 SP1 or later version.
In order to fully mitigate the issue, administrators are advised to backup and clear the log files and to change the VPN credentials.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-653855 in HTML and CSAF.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Siemens SENTRON 7KM PAC3x20

Written by on March 14, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SENTRON 7KM PAC3120, SENTRON 7KM PAC3220
Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attacker to read out the data from the internal flash of affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SENTRON 7KM PAC3120 and PAC3220, power measuring devices, are affected:

SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and LQN231215… (with LQNYYMMDD…)
SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and
LQN231215… (with LQNYYMMDD…)
SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and LQN231215… (with LQNYYMMDD…)
SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0): Versions V3.2.3 and after but before V3.3.0 only when manufactured between LQN231003… and
LQN231215… (with LQNYYMMDD…)

3.2 Vulnerability Overview

3.2.1 IMPROPER ACCESS CONTROL CWE-284

The read out protection of the internal flash of affected devices was not properly set at the end of the
manufacturing process. An attacker with physical access to the device could read out the data.

CVE-2024-21483 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has been calculated for CVE-2024-21483. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0), SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0), SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0), SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0): Restrict physical access to the device to trusted personnel.
SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0), SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0), SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0), SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0): Update to V3.3.0 or later version.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-792319 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Schneider Electric EcoStruxure Power Design

Written by on March 12, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low Attack Complexity
Vendor: Schneider Electric
Equipment: EcoStruxure Power Design
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow for arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Schneider Electric – EcoStruxure Power Design – Ecodial, an equipment management platform, are affected:

EcoStruxure Power Design – Ecodial NL: All Versions
EcoStruxure Power Design – Ecodial INT: All Versions
EcoStruxure Power Design – Ecodial FR: All Versions

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

All versions of Schneider Electric EcoStruxure Power Design – Ecodial NL, INT, and FR deserializes untrusted data which could allow an attacker to perform code execution when a malicious project file is loaded into the application by a valid user.

CVE-2024-2229 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Information Technology, Healthcare and Public Health, Critical Manufacturing, Transportation Systems, Energy, Chemical
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric is establishing a remediation plan for all future versions of EcoStruxture Power Design – Ecodial that will include a fix for this vulnerability. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit:

Compute hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
Store the hash information in a separate location from where the project file is stored.
When sharing or receiving project files with another user, the hash information should be provided over a separate, out of band channel.
When exchanging files over the network, use secure communication protocols.
Only open project files received from a trusted source.
Harden the workstation running the application.
Delete the accounts of people who no longer need access to the application and the computer running the application following the principle of least privilege.

To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc., before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

March 12, 2024: Initial Publication

Chirp Systems Chirp Access

Written by on March 7, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Chirp Systems
Equipment: Chirp Access
Vulnerability: Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to take control and gain unrestricted physical access to systems using the affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Chirp Systems are affected:

Chirp Access: All Versions

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access.

CVE-2024-2197 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities Sector
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Matt Brown reported this vulnerability to CISA.

4. MITIGATIONS

Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact Chirp Systems support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

March 7, 2024: Initial Publication

Nice Linear eMerge E3-Series

Written by on March 5, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Nice
Equipment: Linear eMerge E3-Series
Vulnerabilities: Path traversal, Cross-site scripting, OS command injection, Unrestricted Upload of File with Dangerous Type, Incorrect Authorization, Exposure of Sensitive Information to an Authorized Actor, Insufficiently Protected Credentials, Use of Hard-coded Credentials, Cross-site Request Forgery, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to gain full system access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Nice Linear eMerge E3-Series are affected:

Linear eMerge E3-Series: versions 1.00-06 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to path traversal. This could allow an attacker to gain unauthorized access to the system and sensitive data.

CVE-2019-7253 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Versions of Nice Linear eMerge E3-Series firmware 1.00-06 and prior are vulnerable to a file inclusion through path traversal, which could give the attacker access to sensitive information.

CVE-2019-7254 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to cross-site scripting, which could allow an attacker to obtain and alter some information on the system.

CVE-2019-7255 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to OS command injection, which could allow an attacker to cause remote code execution.

CVE-2019-7256 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

Nice Linear eMerge E3-Series versions 1.00-06 and prior are vulnerable to unrestricted upload of malicious files, which could allow an attacker to execute arbitrary code.

CVE-2019-7257 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.6 INCORRECT AUTHORIZATION CWE-863

Nice Linear eMerge E3-Series versions 1.00-06 and prior suffer from an authorization mechanism vulnerability. This could allow an attacker to escalate privileges and gain full control of the system.

CVE-2019-7258 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.7 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An authorization bypass occurs in Nice Linear eMerge E3-Series versions 1.00-06 and prior when an authenticated attacker visits a specific GET request against the target, resulting in disclosure of administrative credentials in clear-text. This allows the attacker to re-login with admin privileges and have full access to the control interface.

CVE-2019-7259 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The application of Nice Linear eMerge E3-Series versions 1.00-06 and prior stores passwords in clear-text in its DBMS system. Storing a password in plaintext may result in a system compromise.

CVE-2019-7260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.9 USE OF HARD-CODED CREDENTIALS CWE-798

Hard-coded credentials are present in multiple binaries bundled in the Nice Linear eMerge E3-Series versions 1.00-06 and prior firmware OS. These hard-coded credentials typically create a significant hole that could allow an attacker to bypass the authentication configured by the software administrator.

CVE-2019-7261 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.10 USE OF HARD-CODED CREDENTIALS CWE-798

The Nice Linear eMerge E3-Series versions 1.00-06 and prior access control platform has SSH enabled with hardcoded credentials for the root account. This could allow an unauthenticated attacker to initiate a secure connection with highest privileges (root) and gain full system access.

CVE-2019-7265 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.11 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The application of Nice Linear eMerge E3-Series versions 1.00-06 and prior allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. An attacker could exploit this to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

CVE-2019-7262 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.12 OUT-OF-BOUNDS WRITE CWE-787

A stack-based buffer overflow exists, affecting several CGI binaries of Nice Linear eMerge E3-Series versions 1.00-06 and prior. The vulnerability is caused due to a boundary error in the processing of a user input, which an attacker could exploit to cause a buffer overflow. Successful exploitation could allow execution of arbitrary code on the affected device.

CVE-2019-7264 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Gjoko Krstic from Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

Nice/Nortek encourages users to upgrade to the latest firmware to mitigate the risk of these vulnerabilities. Please see Nice’s E3-Bulletin for more information.

Nice also recommends the following defensive measures to minimize the risk of exploitation of these vulnerabilities:

Minimize network exposure of devices, ensuring they are not accessible from the internet.
Place the devices behind firewalls and isolate them from other networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Keep your VPNs as updated as possible.
Change default credentials on the device.
Change the default IP address of the device.

See Nice’s Telephone Entry Bulletin for additional information.

Users should contact Nice with any questions.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

March 5, 2024: Initial Publication

Delta Electronics CNCSoft-B

Written by on February 29, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-B
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

CNCSoft-B: Versions 1.0.0.4 and prior

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics CNCSoft-B versions 1.0.0.4 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.

CVE-2024-1941 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson (@NattiSamson) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta recommends users update to CNCSoft-B V 1.0.0.4 with Issue Date 2024-01-23 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 29, 2024: Initial Publication

Mitsubishi Electric Multiple Factory Automation Products

Written by on February 27, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric Corporation
Equipment: MELSEC iQ-F Series
Vulnerability: Insufficient Resource Pool

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a temporary denial-of-service (DoS) condition for a certain period of time in the product’s Ethernet communication by performing a TCP SYN Flood attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC iQ-F Series, a compact control platform, are affected:

Products with * are sold in limited regions.

MELSEC iQ-F FX5U-32MT/ES: All Versions
MELSEC iQ-F FX5U-32MT/DS: All Versions
MELSEC iQ-F FX5U-32MT/ESS: All Versions
MELSEC iQ-F FX5U-32MT/DSS: All Versions
MELSEC iQ-F FX5U-32MR/ES: All Versions
MELSEC iQ-F FX5U-32MR/DS: All Versions
MELSEC iQ-F FX5U-64MT/ES: All Versions
MELSEC iQ-F FX5U-64MT/ESS: All Versions
MELSEC iQ-F FX5U-64MT/DS: All Versions
MELSEC iQ-F FX5U-64MT/DSS: All Versions
MELSEC iQ-F FX5U-64MR/ES: All Versions
MELSEC iQ-F FX5U-64MR/DS: All Versions
MELSEC iQ-F FX5U-80MT/ES: All Versions
MELSEC iQ-F FX5U-80MT/DS: All Versions
MELSEC iQ-F FX5U-80MT/ESS: All Versions
MELSEC iQ-F FX5U-80MT/DSS: All Versions
MELSEC iQ-F FX5U-80MR/ES: All Versions
MELSEC iQ-F FX5U-80MR/DS: All Versions
MELSEC iQ-F FX5UC-32MT/D: All Versions
MELSEC iQ-F FX5UC-32MT/DSS: All Versions
MELSEC iQ-F FX5UC-64MT/D: All Versions
MELSEC iQ-F FX5UC-64MT/DSS: All Versions
MELSEC iQ-F FX5UC-96MT/D: All Versions
MELSEC iQ-F FX5UC-96MT/DSS: All Versions
MELSEC iQ-F FX5UC-32MT/DS-TS: All Versions
MELSEC iQ-F FX5UC-32MT/DSS-TS: All Versions
MELSEC iQ-F FX5UC-32MR/DS-TS: All Versions
MELSEC iQ-F FX5UJ-24MT/ES: All Versions
MELSEC iQ-F FX5UJ-24MT/DS: All Versions
MELSEC iQ-F FX5UJ-24MT/ESS: All Versions
MELSEC iQ-F FX5UJ-24MT/DSS: All Versions
MELSEC iQ-F FX5UJ-24MR/ES: All Versions
MELSEC iQ-F FX5UJ-24MR/DS: All Versions
MELSEC iQ-F FX5UJ-40MT/ES: All Versions
MELSEC iQ-F FX5UJ-40MT/DS: All Versions
MELSEC iQ-F FX5UJ-40MT/ESS: All Versions
MELSEC iQ-F FX5UJ-40MT/DSS: All Versions
MELSEC iQ-F FX5UJ-40MR/ES: All Versions
MELSEC iQ-F FX5UJ-40MR/DS: All Versions
MELSEC iQ-F FX5UJ-60MT/ES: All Versions
MELSEC iQ-F FX5UJ-60MT/DS: All Versions
MELSEC iQ-F FX5UJ-60MT/ESS: All Versions
MELSEC iQ-F FX5UJ-60MT/DSS: All Versions
MELSEC iQ-F FX5UJ-60MR/ES: All Versions
MELSEC iQ-F FX5UJ-60MR/DS: All Versions
MELSEC iQ-F FX5UJ-24MT/ES-A*: All Versions
MELSEC iQ-F FX5UJ-24MR/ES-A*: All Versions
MELSEC iQ-F FX5UJ-40MT/ES-A*: All Versions
MELSEC iQ-F FX5UJ-40MR/ES-A*: All Versions
MELSEC iQ-F FX5UJ-60MT/ES-A*: All Versions
MELSEC iQ-F FX5UJ-60MR/ES-A*: All Versions
MELSEC iQ-F FX5S-30MT/ES: All Versions
MELSEC iQ-F FX5S-30MT/ESS: All Versions
MELSEC iQ-F FX5S-30MR/ES: All Versions
MELSEC iQ-F FX5S-40MT/ES: All Versions
MELSEC iQ-F FX5S-40MT/ESS: All Versions
MELSEC iQ-F FX5S-40MR/ES: All Versions
MELSEC iQ-F FX5S-60MT/ES: All Versions
MELSEC iQ-F FX5S-60MT/ESS: All Versions
MELSEC iQ-F FX5S-60MR/ES: All Versions
MELSEC iQ-F FX5S-80*MT/ES: All Versions
MELSEC iQ-F FX5S-80*MT/ESS: All Versions
MELSEC iQ-F FX5S-80*MR/ES: All Versions

3.2 Vulnerability Overview

3.2.1 Insufficient Resource Pool CWE-410

In Mitsubishi Electric multiple FA products there is a denial-of-service (DoS) vulnerability that exists in the Ethernet function. A remote attacker could cause a temporary denial-of-service (DoS) condition for a certain period of time in the product’s Ethernet communication by performing a TCP SYN Flood attack.

CVE-2023-7033 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric Corporation reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall, virtual private network (VPN) etc., to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual for each product:
“13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication).
Restrict physical access to the affected products and the LAN to which they are connected.

For specific update instructions and additional details refer to Mitsubishi Electric advisory 2023-023

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 27, 2024: Initial Publication

Delta Electronics CNCSoft-B DOPSoft

Written by on February 22, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-B DOPSoft
Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

CNCSoft-B v1.0.0.4 DOPSoft: versions prior to v4.0.0.82

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The affected product insecurely loads libraries, which may allow an attacker to use DLL hijacking and takeover the system where the software is installed.

CVE-2024-1595 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Delta Electronics reported this vulnerability to CISA.

4. MITIGATIONS

Delta recommends users upgrade to CNCSoft-B v1.0.0.4, which includes DOPSoft v4.0.0.94.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 22, 2024: Initial Publication