
SystemK NVR 504/508/516

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: SystemK
Equipment: NVR 504/508/516
Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute commands with root privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SystemK NVR, a network video recorder, are affected:

NVR 504: 2.3.5SK.30084998
NVR 508: 2.3.5SK.30084998
NVR 516: 2.3.5SK.30084998

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior contain a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges.

CVE-2023-7227 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
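The weakness class above (CWE-77, a device setting reaching a shell unfiltered) is also the shape of the OS command injection entries elsewhere on this page. The following is an added illustration, not SystemK's firmware code: it assumes a hypothetical DDNS updater binary named `ddns-update` with a `--host` flag, and contrasts the vulnerable pattern (setting spliced into a shell string) with the hardened one (allow-list validation of the hostname, then execution as a discrete argv element with no shell).

```python
import re
import subprocess
from typing import Callable, List

# Hypothetical DDNS client binary and flag; the NVR's actual updater is not on the page.
DDNS_CLIENT = "ddns-update"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 characters per label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def validate_hostname(value: str) -> bool:
    """Allow-list check: only characters that can legitimately occur in a hostname."""
    return 0 < len(value) <= 253 and _HOSTNAME_RE.match(value) is not None


def build_command_unsafe(hostname: str) -> str:
    """The vulnerable shape, for contrast: the setting is spliced into a shell string,
    so anything the shell treats specially inside `hostname` becomes part of the command."""
    return f"{DDNS_CLIENT} --host {hostname}"


def build_command(hostname: str) -> List[str]:
    """Hardened shape: validate first, then pass the value as one argv element."""
    if not validate_hostname(hostname):
        raise ValueError(f"rejected DDNS hostname: {hostname!r}")
    return [DDNS_CLIENT, "--host", hostname]


def apply_ddns_setting(hostname: str,
                       runner: Callable[..., object] = subprocess.run) -> List[str]:
    """Validate and run without a shell; `runner` is injectable so tests need no binary."""
    argv = build_command(hostname)
    # shell=False: argv goes straight to execve, so ';', '|', '$(' are inert bytes.
    runner(argv, shell=False, check=False)
    return argv


if __name__ == "__main__":
    fake_runner = lambda argv, **kw: print("would exec:", argv)
    print(apply_ddns_setting("cam1.example.org", runner=fake_runner))
    # A value starting with '-' is rejected too: it would otherwise be read as a flag
    # by the updater (argument injection), even with shell=False.
    for bad in ("cam1.example.org; echo injected", "-evil", "a..b"):
        try:
            apply_ddns_setting(bad, runner=fake_runner)
        except ValueError as exc:
            print(exc)
```

Note that validation is the important half: `shell=False` alone leaves argument injection open, which is why the allow-list also rejects a leading hyphen.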

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Keniver Wang.

4. MITIGATIONS

SystemK has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of SystemK NVR products are invited to contact SystemK customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 25, 2024: Initial Publication

Crestron AM-300

1. EXECUTIVE SUMMARY

CVSS v3 8.4
ATTENTION: Low attack complexity
Vendor: Crestron
Equipment: AM-300
Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate their privileges to root-level access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Crestron AirMedia Presentation System products are affected:

AM-300: Version 1.4499.00018

3.2 Vulnerability Overview

3.2.1 CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.

CVE-2023-6926 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Uri Katz of Claroty Research Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Crestron has resolved this vulnerability in firmware version 1.4499.00023.001 or higher. Please see https://security.crestron.com or contact True Blue Support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

APsystems Energy Communication Unit (ECU-C) Power Control Software

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable via adjacent network / low attack complexity
Vendor: APsystems
Equipment: Energy Communication Unit (ECU-C) Power Control Software
Vulnerability: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access sensitive data and execute specific commands and functions with full admin rights without authenticating.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following APsystems products are affected:

Energy Communication Unit Power Control Software: C1.2.2
Energy Communication Unit Power Control Software: v3.11.4
Energy Communication Unit Power Control Software: W2.1.NA
Energy Communication Unit Power Control Software: v4.1SAA
Energy Communication Unit Power Control Software: v4.1NA

3.2 Vulnerability Overview

3.2.1 IMPROPER ACCESS CONTROL CWE-284

APsystems ENERGY COMMUNICATION UNIT (ECU-C) Power Control Software V4.1NA, V3.11.4, W2.1NA, V4.1SAA, C1.2.2 allows attackers to access sensitive data and execute specific commands and functions with full admin rights.

CVE-2022-44037 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered public proof of concept as authored by Momen Eldawakhly (Cyber Guy).

4. MITIGATIONS

APSystems has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact APSystems support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

Westermo Lynx 206-F2G

1. EXECUTIVE SUMMARY

CVSS v3 8.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Westermo
Equipment: Lynx 206-F2G
Vulnerabilities: Cross-site Scripting, Code Injection, Cross-Origin Resource Sharing, Cleartext Transmission of Sensitive Information, Cross-Site Request Forgery

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access the web application, inject arbitrary code, execute malicious code, obtain sensitive information, or execute a malicious request.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Lynx 206-F2G, a layer three industrial Ethernet switch, are affected:

Lynx: Model Version L206-F2G1
Lynx: Firmware Version 4.24.

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “forward.0.domain” parameter.

CVE-2023-40143 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “autorefresh” parameter.

CVE-2023-45222 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

3.2.3 IMPROPER CONTROL GENERATION OF CODE (‘CODE INJECTION’) CWE-94

A potential attacker with access to the device would be able to execute malicious code that could affect the correct functioning of the device.

CVE-2023-45735 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.4 CROSS-ORIGIN RESOURCE SHARING (CORS) CWE-942

A potential attacker with access to the device would be able to execute malicious code that could affect the correct functioning of the device.

CVE-2023-45213 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “username” parameter in the SNMP configuration.

CVE-2023-42765 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

3.2.6 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

An attacker with access to the network where the affected devices are located could take malicious actions to obtain, via a sniffer, sensitive information exchanged over TCP communications.

CVE-2023-40544 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.7 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The cross-site request forgery token in the request may be predictable or easily guessable allowing attackers to craft a malicious request, which could be triggered by a victim unknowingly. In a successful CSRF attack, the attacker could lead the victim user to carry out an action unintentionally.

CVE-2023-38579 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
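The CSRF entry above turns on whether the token is guessable. The following is an added example, not Westermo's WeOS code: it assumes a hypothetical server-side key `SERVER_KEY` and shows a predictable token (derived only from inputs an attacker can guess) beside a token built from a random nonce and an HMAC bound to the session, verified with a constant-time comparison and an expiry.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical per-deployment key; load it from protected storage in real code.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def predictable_token(session_id: str, now: int) -> str:
    """The weak shape, for contrast: derived only from the session id and the current
    minute, so anyone who knows those reproduces the token."""
    return hashlib.sha256(f"{session_id}:{now // 60}".encode()).hexdigest()


def _message(session_id: str, ts: int, nonce: bytes) -> bytes:
    return f"{session_id}:{ts}:".encode() + nonce


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Token = timestamp . random nonce . HMAC(key, session_id:timestamp:nonce).
    The nonce makes it unguessable; the HMAC ties it to this session and this key."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_bytes(16)
    mac = hmac.new(SERVER_KEY, _message(session_id, ts, nonce), hashlib.sha256).digest()
    return f"{ts}.{nonce.hex()}.{mac.hex()}"


def verify_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    """Rejects malformed, expired, foreign-session and tampered tokens."""
    try:
        ts_text, nonce_hex, mac_hex = token.split(".")
        ts = int(ts_text)
        nonce = bytes.fromhex(nonce_hex)
        mac = bytes.fromhex(mac_hex)
    except ValueError:
        return False
    current = int(time.time()) if now is None else int(now)
    if not 0 <= current - ts <= TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SERVER_KEY, _message(session_id, ts, nonce), hashlib.sha256).digest()
    # compare_digest: no early exit, so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print(tok, verify_token("sess-A", tok), verify_token("sess-B", tok))
```

The session id must itself be server-generated; the token only protects a request if the attacker cannot obtain it, which is why it is never derived from values visible to or chosen by the client.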

3.2.8 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An attacker with access to the web application with vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the “dns.0.server” parameter.

CVE-2023-45227 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
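The four cross-site scripting entries on this page share one root cause: a stored setting is written back into the management page without encoding for the context it lands in. The following is an added example, not the device's web application code; the parameter names are the ones the advisory lists and the values are constructed. It contrasts an unencoded render with one that escapes for both text and attribute context.

```python
import html
from typing import Dict

# Constructed settings; one value carries markup, as a stored XSS payload would.
SETTINGS = {
    "forward.0.domain": 'example.org"><script>alert(1)</script>',
    "autorefresh": "30",
    "dns.0.server": "192.0.2.53",
    "username": "snmp-ro",
}


def render_row_unsafe(name: str, value: str) -> str:
    """The vulnerable shape, for contrast: the stored value goes back into the page as-is,
    so a quote in the value closes the attribute and the rest becomes live markup."""
    return f'<tr><td>{name}</td><td><input name="{name}" value="{value}"></td></tr>'


def render_row(name: str, value: str) -> str:
    """Encode for the landing context. quote=True turns '"' and "'" into entities,
    which is what an attribute value needs; <, > and & are escaped for text nodes."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return (f'<tr><td>{safe_name}</td>'
            f'<td><input name="{safe_name}" value="{safe_value}"></td></tr>')


def render_settings(settings: Dict[str, str]) -> str:
    return "<table>" + "".join(render_row(k, v) for k, v in settings.items()) + "</table>"


def raw_value_survives(rendered: str, value: str) -> bool:
    """Review check: True if the stored value reached the markup unencoded."""
    return value in rendered


if __name__ == "__main__":
    page = render_settings(SETTINGS)
    print(page)
    for name, value in SETTINGS.items():
        print(name, "unsafe:", raw_value_survives(render_row_unsafe(name, value), value),
              "safe:", raw_value_survives(render_row(name, value), value))
```

Escaping at output time is the fix the CWE-79 entries call for; input validation on the settings form is a useful second layer (the DDNS hostname allow-list pattern applies to `dns.0.server` and `forward.0.domain` as well) but does not replace it, because values can also enter through other interfaces such as SNMP.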

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Aarón Flecha Menéndez, Iván Alonso Álvarez and Víctor Bello Cuevas reported these vulnerabilities to CISA.

4. MITIGATIONS

Westermo recommends following best practices for hardening, such as restricting access and disabling unused services (attack surface reduction), to mitigate the reported vulnerabilities.

The reported cross-site scripting vulnerabilities will be mitigated in a future report.
The reported cross-origin resource sharing vulnerability will be mitigated in a future report.
The reported code injection vulnerability will be mitigated in a future report.
The reported cross site request forgery vulnerability was patched in a later WeOS4 version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

Voltronic Power ViewPower Pro

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Voltronic Power
Equipment: ViewPower Pro
Vulnerabilities: Deserialization of Untrusted Data, Missing Authentication for Critical Function, Exposed Dangerous Method or Function, OS Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition, obtain administrator credentials, or achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ViewPower Pro, an Uninterruptable Power Supply (UPS) management software, are affected:

ViewPower Pro: 2.0-22165

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The affected product deserializes untrusted data without sufficiently verifying the resulting data will be valid.

CVE-2023-51570 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

When a specific service of the affected product receives a certain message from an unauthenticated user, that process may stop.

CVE-2023-51571 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The affected product is vulnerable to an OS command injection, which may allow remote code execution on the underlying operating system.

CVE-2023-51572 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

The affected product allows an unauthenticated user to invoke a method that may modify the administrator account password.

CVE-2023-51573 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Simon Janz (@esj4y) of Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Voltronic Power did not respond to CISA’s attempts at coordination. Users of Voltronic Power products are encouraged to contact Voltronic Power and keep their systems up to date.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

Lantronix XPort

1. EXECUTIVE SUMMARY

CVSS v3 5.7
ATTENTION: Low attack complexity
Vendor: Lantronix
Equipment: XPort
Vulnerability: Weak Encoding for Password

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of XPort, a device server configuration manager, are affected:

XPort Device Server Configuration Manager: Version 2.0.0.13

3.2 Vulnerability Overview

3.2.1 Weak Encoding for Password CWE-261

Lantronix XPort sends weakly encoded credentials within web request headers.

CVE-2023-7237 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
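"Weakly encoded credentials within web request headers" typically means HTTP Basic authentication: the `Authorization` header carries `base64(user:password)`, which is encoding, not encryption. The following is an added example, not Lantronix code, of a defensive audit over a captured request (the request, path and credential are constructed) that flags reversible credential encoding (CWE-261) and, when the capture was not over TLS, the cleartext exposure that makes it exploitable on the local network (the AV:A vector above).

```python
import base64
import binascii
from typing import Dict, List


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a captured HTTP/1.x request into lower-cased header name -> value."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_authorization(value: str) -> Dict[str, object]:
    """Classify the Authorization scheme. Basic is base64: anyone holding the header
    recovers user:password with one decode call, so it is reversible by construction."""
    scheme, _, param = value.partition(" ")
    info: Dict[str, object] = {"scheme": scheme, "reversible": False, "username": None}
    if scheme.lower() == "basic":
        info["reversible"] = True
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
            info["username"] = decoded.split(":", 1)[0]  # report who, never the secret
        except (binascii.Error, UnicodeDecodeError):
            pass
    return info


def audit_request(raw_request: str, over_tls: bool) -> List[str]:
    """Findings for one captured request; empty list means nothing to report."""
    findings: List[str] = []
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return findings
    info = inspect_authorization(auth)
    if info["reversible"]:
        findings.append(f"CWE-261: {info['scheme']} credentials are only base64-encoded "
                        f"(user={info['username']})")
        if not over_tls:
            findings.append("CWE-319: header sent in cleartext; recoverable by anyone "
                            "on the network path")
    return findings


# Constructed capture; the path and the credential are made up.
CAPTURED_REQUEST = (
    "GET /config HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:example-password").decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit_request(CAPTURED_REQUEST, over_tls=False):
        print(finding)
```

Since the vendor states the product is not designed for TLS, the practical use of such an audit is inventory: finding where these management sessions cross a shared segment so they can be moved behind the firewalling and VPN measures CISA recommends below.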

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Healthcare, Transportation
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Aarón Flecha Menéndez of S21Sec reported this vulnerability to CISA.

4. MITIGATIONS

Lantronix states that XPort is an old legacy product and is not designed for strong encryption or TLS/SSL encryption. Users who require stronger encryption are encouraged to upgrade to xPort Edge.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 23, 2024: Initial Publication

AVEVA PI Server

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AVEVA
Equipment: PI Server
Vulnerabilities: Improper Check or Handling of Exceptional Conditions, Missing Release of Resource after Effective Lifetime

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the product being accessed or throttle the memory leading to a partial denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Server are affected:

PI Server: 2023
PI Server: 2018 SP3 P05 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703

AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition.

CVE-2023-34348 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772

AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to cause the PI Message Subsystem of a PI Server to consume available memory resulting in throttled processing of new PI Data Archive events and a partial denial-of-service condition.

CVE-2023-31274 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported these vulnerabilities to CISA.

4. MITIGATIONS

All affected versions can be fixed by upgrading to AVEVA PI Server version 2023 Patch 1 or later. From OSI Soft Customer Portal, search for “PI Server” and select version “2023 Patch 1”.

For an alternative fix, AVEVA PI Server 2018 SP3 Patch 5 and prior can be fixed by deploying AVEVA PI Server version 2018 SP3 Patch 6 or later. From OSI Soft Customer Portal, search for “PI Server” and select version “2018 SP3 Patch 6”.

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with the affected products should apply security updates as soon as possible.

AVEVA recommends the following defensive measures:

Set the PI Message Subsystem to auto restart.
Monitor the memory usage of the PI Message Subsystem.
Limit network access to port 5450 to trusted workstations and software.
Confirm that only authorized users have access to write to the PI Server Message Log. This is done through configuration of the PIMSGSS entry within the Database Security plugin accessible through PI System Management Tools.

For more information on this vulnerability, including security updates, users should see security bulletin AVEVA-2024-001.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 18, 2024: Initial Publication

SEW-EURODRIVE MOVITOOLS MotionStudio

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: SEW-EURODRIVE
Equipment: MOVITOOLS MotionStudio
Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in open access to file information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of MOVITOOLS MotionStudio are affected:

MOVITOOLS MotionStudio: Version 6.5.0.2

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

When the affected product processes XML information, unrestricted file access can occur.

CVE-2023-6926 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
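CWE-611 arises when an XML parser honours a DOCTYPE that declares an external entity, so an entity reference in the document expands to the contents of a local file (the "unrestricted file access" above). The following is an added example, not SEW-EURODRIVE code: it assumes a hypothetical project-file format with `<project>` and `<drive>` elements, and shows a loader that refuses any document carrying a DOCTYPE, entity declaration or external entity reference before the tree is built. The check runs inside expat rather than as a byte-level regex so it stays correct for documents in other encodings.

```python
import xml.etree.ElementTree as ET
from typing import List
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, entity declaration or external entity reference."""


def _reject_dtd_and_entities(data: bytes) -> None:
    """First pass with a bare expat parser: any DOCTYPE/entity construct aborts parsing
    before any entity could be resolved."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)  # raises UnsafeXML via the handlers, ExpatError if malformed


def safe_parse(data: bytes) -> ET.Element:
    """Parse only documents that passed the DTD check."""
    _reject_dtd_and_entities(data)
    return ET.fromstring(data)


def load_drive_ids(data: bytes) -> List[str]:
    """Hypothetical project-file reader: returns the id of each <drive> element."""
    root = safe_parse(data)
    return [d.get("id", "") for d in root.iter("drive")]


# Constructed inputs; the element names are made up, not MotionStudio's real schema.
BENIGN_PROJECT = (b'<?xml version="1.0"?>'
                  b'<project name="line1"><drive id="1"/><drive id="2"/></project>')
XXE_PROJECT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///example/local-file.txt">]>'
               b'<project name="&ext;"/>')

if __name__ == "__main__":
    print(load_drive_ids(BENIGN_PROJECT))
    try:
        load_drive_ids(XXE_PROJECT)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

Rejecting DTDs outright also closes the entity-expansion denial-of-service variants, since those need an internal entity declaration; if a format genuinely requires a DTD, the alternative is a parser configured to never resolve external entities, which this check leaves to the vendor's parser choice.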

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Esjay (@esj4y) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

SEW-EURODRIVE has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of MOVITOOLS MotionStudio are invited to contact SEW-EURODRIVE for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

January 16, 2024: Initial Publication

Integration Objects OPC UA Server Toolkit

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Integration Objects
Equipment: OPC UA Server Toolkit
Vulnerability: Improper Output Neutralization for Logs

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to add content to the log file.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OPC UA Server Toolkit, an OPC library for creating OPC DA, DX and HDA server software, are affected:

OPC UA Server Toolkit: All versions

3.2 Vulnerability Overview

3.2.1 Improper Output Neutralization for Logs CWE-117

OPCUAServerToolkit writes a log message containing the client's self-defined description field once an OPC UA client has successfully connected.

CVE-2023-7234 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
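The log-injection risk behind CWE-117 here, as an added example that is not Integration Objects' code: the client's description field is assumed to arrive as a plain string (function names and the field-length cap are assumptions), and the verbatim logging pattern is shown beside a neutralized form.

```python
"""Added example (not the Toolkit's own code): neutralizing a client-supplied
OPC UA description field before it is written to a log (CWE-117)."""
import re

# Control characters, including CR/LF, that can terminate or forge a record.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")
MAX_FIELD_LEN = 128  # assumption: cap on the logged description length


def unsafe_log_line(client_description: str) -> str:
    """Vulnerable pattern: the client-controlled field is embedded verbatim,
    so a newline inside it yields a second, attacker-authored record."""
    return f"INFO client connected: description={client_description}"


def neutralize(field: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Replace every control character with a visible \\xNN escape, then
    truncate, so the field can neither end nor forge a log record."""
    cleaned = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), field)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...(truncated)"
    return cleaned


def safe_log_line(client_description: str) -> str:
    """Hardened pattern: the field is neutralized and quoted, so a reader or
    log parser can see exactly where the untrusted value starts and ends."""
    return f'INFO client connected: description="{neutralize(client_description)}"'


def records(log_text: str) -> list[str]:
    """How a line-oriented log consumer would split what was written."""
    return log_text.splitlines()


if __name__ == "__main__":
    # Constructed input: a description that carries an embedded newline.
    desc = "Cam-01\nINFO forged record"
    print(records(unsafe_log_line(desc)))  # two records: one is forged
    print(records(safe_log_line(desc)))    # one record, newline escaped
```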

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sam Hanson of Dragos reported this vulnerability to CISA.

4. MITIGATIONS

Integration Objects has not responded to requests to work with CISA to mitigate this vulnerability. Developers using affected versions of OPC UA Server Toolkit are invited to contact Integration Objects for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 16, 2024: Initial Publication

Siemens SIMATIC

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain remote unauthorized access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products with maxView Storage Manager on Windows are affected:

SIMATIC IPC647E: All versions prior to V4.14.00.26068
SIMATIC IPC847E: All versions prior to V4.14.00.26068
SIMATIC IPC1047E: All versions prior to V4.14.00.26068

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

In default installations of maxView Storage Manager where Redfish® server is configured for remote system management, a vulnerability has been identified that can provide unauthorized access.

CVE-2023-51438 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Update maxView Storage Manager to V4.14.00.26068 or a later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-702935 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

January 11, 2024: Initial Publication