
AVEVA Operations Control Logger


1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: AVEVA
Equipment: Operations Control Logger
Vulnerabilities: Execution with Unnecessary Privileges, External Control of File Name or Path

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow privilege escalation or denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

AVEVA has created a security update to address vulnerabilities in the AVEVA Operations Control Logger (formerly known as ArchestrA Logger), impacting the following products:

AVEVA SystemPlatform: 2020 R2 SP1 P01 and prior
AVEVA Historian: 2020 R2 SP1 P01 and prior
AVEVA Application Server: 2020 R2 SP1 P01 and prior
AVEVA InTouch: 2020 R2 SP1 P01 and prior
AVEVA Enterprise Licensing (formerly known as License Manager): version 3.7.002 and prior
AVEVA Manufacturing Execution System (formerly known as Wonderware MES): 2020 P01 and prior
AVEVA Recipe Management: 2020 R2 Update 1 Patch 2 and prior
AVEVA Batch Management: 2020 SP1 and prior
AVEVA Edge (formerly known as Indusoft Web Studio): 2020 R2 SP1 P01 and prior
AVEVA Worktasks (formerly known as Workflow Management): 2020 U2 and prior
AVEVA Plant SCADA (formerly known as Citect): 2020 R2 Update 15 and prior
AVEVA Mobile Operator (formerly known as IntelaTrac Mobile Operator Rounds): 2020 R1 and prior
AVEVA Communication Drivers Pack: 2020 R2 SP1 and prior
AVEVA Telemetry Server: 2020 R2 SP1 and prior

3.2 Vulnerability Overview

3.2.1 Execution with Unnecessary Privileges CWE-250

This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privilege on the machine where these products are installed, resulting in complete compromise of the target machine.

CVE-2023-33873 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 External Control of File Name or Path CWE-73

This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.

CVE-2023-34982 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
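CWE-73 describes a privileged component that lets a less-privileged caller choose which file it operates on. The following is an added example, not code from AVEVA or from the advisory: a service running with elevated rights that deletes a log file on a caller's behalf, but first confines the caller-supplied name to its own log directory, following symlinks and collapsing `..` before checking containment. All directory and file names are constructed for the demonstration.

```python
# Added example (not from the AVEVA advisory): a privileged service confining a
# caller-supplied path before deleting a file on the caller's behalf.
# Directory names and file names below are constructed for the demonstration.
import os
import tempfile
from pathlib import Path


class PathNotAllowed(Exception):
    """Raised when a requested path escapes the service's allowed directory."""


def resolve_within(base: Path, requested: str) -> Path:
    """Resolve `requested` and confirm it stays inside `base`.

    Resolution follows symlinks and collapses '..', so a link planted inside
    the log directory that points outside it is rejected, not followed.
    """
    base_real = base.resolve(strict=True)
    # Refuse absolute and drive-qualified paths outright: callers should only
    # ever name a file relative to the log directory.
    if os.path.isabs(requested) or os.path.splitdrive(requested)[0]:
        raise PathNotAllowed(f"absolute path not permitted: {requested!r}")
    candidate = (base_real / requested).resolve()
    # Path.relative_to raises ValueError when candidate lies outside base_real.
    try:
        candidate.relative_to(base_real)
    except ValueError as exc:
        raise PathNotAllowed(f"path escapes log directory: {requested!r}") from exc
    return candidate


def delete_log(base: Path, requested: str) -> bool:
    """Delete the log file the caller names; return True if it was removed."""
    target = resolve_within(base, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: an allowed delete, a traversal attempt, a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logs = root / "logs"
        logs.mkdir()
        (logs / "old.log").write_text("rotated\n")
        outside = root / "outside.txt"  # a file the service must never touch
        outside.write_text("must survive\n")
        results = {"allowed": delete_log(logs, "old.log")}
        try:
            delete_log(logs, "../outside.txt")
            results["traversal"] = "deleted"
        except PathNotAllowed:
            results["traversal"] = "rejected"
        # A symlink inside the log directory that points outside it.
        link = logs / "link.log"
        try:
            link.symlink_to(outside)
        except OSError:
            results["symlink"] = "skipped"  # host does not permit symlink creation
        else:
            try:
                delete_log(logs, "link.log")
                results["symlink"] = "deleted"
            except PathNotAllowed:
                results["symlink"] = "rejected"
        results["outside_survived"] = outside.exists()
        return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the fully resolved path rather than on the string, which is what defeats both `..` segments and symlinks; a check that only rejects `..` in the raw string would still follow a planted link.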

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Lukasz Piotrowski from Equinor reported these vulnerabilities to AVEVA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected products should apply security updates as soon as possible.

In addition to applying security updates, users should follow these general precautions:

Ensure that Guest or Anonymous local OS accounts are disabled.
Ensure that only trusted users are able to log in on the nodes where the Operations Control Logger is running.

Please see AVEVA Security Bulletin number AVEVA-2023-003 for more information and for links for individual security updates and mitigations for each of the affected products.

AVEVA System Platform 2020 through 2020 R2 SP1 cannot be newly installed on top of other AVEVA products which have been previously patched with the Operations Control Logger v22.1. For additional details please refer to Alert 000038736.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

November 14, 2023: Initial Publication

Johnson Controls Quantum HD Unity


1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable Remotely/Low attack complexity
Vendor: Johnson Controls Inc.
Equipment: Quantum HD Unity
Vulnerability: Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized user to access debug features that were accidentally exposed.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Johnson Controls Quantum HD Unity products are affected:

Quantum HD Unity Compressor control panels (Q5): All versions prior to v11.22
Quantum HD Unity Compressor control panels (Q6): All versions prior to v12.22
Quantum HD Unity AcuAir control panels (Q5): All versions prior to v11.12
Quantum HD Unity AcuAir control panels (Q6): All versions prior to v12.12
Quantum HD Unity Condenser/Vessel control panels (Q5): All versions prior to v11.11
Quantum HD Unity Condenser/Vessel control panels (Q6): All versions prior to v12.11
Quantum HD Unity Evaporator control panels (Q5): All versions prior to v11.11
Quantum HD Unity Evaporator control panels (Q6): All versions prior to v12.11
Quantum HD Unity Engine Room control panels (Q5): All versions prior to v11.11
Quantum HD Unity Engine Room control panels (Q6): All versions prior to v12.11
Quantum HD Unity Interface control panels (Q5): All versions prior to v11.11
Quantum HD Unity Interface control panels (Q6): All versions prior to v12.11

3.2 Vulnerability Overview

3.2.1 ACTIVE DEBUG CODE CWE-489

Johnson Controls Quantum HD products could allow an unauthorized user to access debug features that were accidentally exposed.

CVE-2023-4804 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Jim Reprogle reported this vulnerability to Johnson Controls.

4. MITIGATIONS

Johnson Controls recommends users update the products to the latest versions:

Update all Quantum HD Unity Compressor control panels to firmware version 11.22 (Q5) or 12.22 (Q6).
Update all Quantum HD Unity AcuAir control panels to firmware version 11.12 (Q5) or 12.12 (Q6).
Update all Quantum HD Unity Condenser/Vessel control panels to firmware version 11.11 (Q5) or 12.11 (Q6).
Update all Quantum HD Unity Evaporator control panels to firmware version 11.11 (Q5) or 12.11 (Q6).
Update all Quantum HD Unity Engine Room control panels to firmware version 11.11 (Q5) or 12.11 (Q6).
Update all Quantum HD Unity Interface control panels to firmware version 11.11 (Q5) or 12.11 (Q6).

Refer to the update procedure for assistance in applying the mitigations provided by Johnson Controls.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2023-09 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 09, 2023: Initial Publication

Hitachi Energy eSOMS


1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: eSOMS
Vulnerabilities: Generation of Error Message Containing Sensitive Information, Exposure of Sensitive System Information to an Unauthorized Control Sphere

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information related to eSOMS application configuration.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

eSOMS: v6.3.13 and prior

3.2 Vulnerability Overview

3.2.1 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

The response messages received from the eSOMS report generation using certain parameter queries with full file path can be abused for enumerating the local file system structure.

CVE-2023-5514 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497

The responses for web queries with certain parameters disclose internal path of resources. This information can be used to learn internal structure of the application and to further plot attacks against web servers and deployed web applications.

CVE-2023-5515 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497

Poorly constructed web application requests and URI components with special characters trigger unhandled errors and exceptions, disclosing information about the underlying technology and other sensitive details. The website unintentionally reveals sensitive information, including technical details such as version information, endpoints, backend server and internal IP addresses, which could expose additional attack surface containing other vulnerabilities.

CVE-2023-5516 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
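The three eSOMS findings share one root cause: error paths that hand the client whatever the exception carried, including the full file path the server tried to open. The following is an added example, not code from Hitachi Energy or from the advisory, that puts the weak pattern beside a hardened report handler: the parameter is validated against a strict allow-list pattern before it touches the file system, a missing template is reported without its path, and unexpected failures are logged server-side under an opaque reference that is the only thing the client sees. The template directory, template names and request parameters are constructed.

```python
# Added example (not from the Hitachi Energy advisory): an error handler that
# echoes internal paths beside one that returns only an opaque reference.
# The template root, template names and request parameters are constructed.
import logging
import re
import uuid
from pathlib import Path

TEMPLATE_ROOT = Path("/srv/esoms-demo/templates")  # constructed, does not exist
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # allow-list for the parameter
log = logging.getLogger("report")


def load_template(name: str) -> str:
    """Resolve a report template by name; the exception text carries the path."""
    path = TEMPLATE_ROOT / f"{name}.rpt"
    if not path.exists():
        raise FileNotFoundError(f"template not found: {path}")
    return path.read_text()


def leaky_handler(params: dict) -> tuple:
    """Weak pattern (CWE-209/CWE-497): exception text, path included, reaches the client."""
    try:
        return 200, load_template(params.get("template", ""))
    except Exception as exc:  # noqa: BLE001 - deliberately broad to show the leak
        return 500, f"Internal error: {exc}"


def hardened_handler(params: dict) -> tuple:
    """Validate first, log detail server-side, return a generic message to the client."""
    name = params.get("template", "")
    if not TEMPLATE_NAME.match(name):
        return 400, "invalid template name"
    try:
        return 200, load_template(name)
    except FileNotFoundError:
        # The name is already known to be a plain identifier, so echoing it is safe;
        # the path it mapped to is not echoed.
        return 404, f"report template '{name}' not found"
    except Exception:  # noqa: BLE001 - last-resort handler
        ref = uuid.uuid4().hex[:12]
        log.exception("report generation failed (ref %s)", ref)
        return 500, f"internal error, reference {ref}"


def discloses_path(body: str) -> bool:
    """Detection helper: does a response body contain a filesystem path fragment?"""
    return "/srv/" in body or "\\" in body or ".rpt" in body


if __name__ == "__main__":
    for handler in (leaky_handler, hardened_handler):
        for req in ({"template": "daily"}, {"template": "../config"}):
            status, body = handler(req)
            print(handler.__name__, req, status, body, "LEAK" if discloses_path(body) else "ok")
```

`discloses_path` is the kind of check a test suite or a response-scanning proxy rule can run over every error response; the hardened handler keeps it false for both a valid-looking but missing template and a malformed parameter.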

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends updating eSOMS to a fixed version when available.

For more information on this issue, see the Hitachi Energy eSOMS Security Advisory 8DBD000175.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 9, 2023: Initial Publication

CVE-2023-5561

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack (CVSS:5.3) (EPSS:0.07%) (Last Update:2023-11-08 19:15:10)

CVE-2022-21663

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. (CVSS:7.2) (EPSS:0.33%) (Last Update:2023-06-27 19:03:59)

CVE-2022-21664

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. (CVSS:8.8) (EPSS:0.47%) (Last Update:2022-04-12 18:53:08)

GE MiCOM S1 Agile


1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Low attack complexity
Vendor: General Electric
Equipment: MiCOM S1 Agile
Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to upload malicious files and achieve code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of General Electric MiCOM S1 Agile are affected:

MiCOM S1 Agile: All versions

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

General Electric MiCOM S1 Agile is vulnerable to an attacker achieving code execution by placing malicious DLL files in the directory of the application.

CVE-2023-0898 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sushant Mane, Anooja Joy & Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai, India reported this vulnerability to CISA.

4. MITIGATIONS

General Electric has released an update that resolves this vulnerability. No action is required by the user.

For more information, see General Electric’s Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

November 07, 2023: Initial Publication

CVE-2022-43504

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. (CVSS:5.3) (EPSS:0.10%) (Last Update:2023-02-03 16:58:26)

CVE-2023-39999

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. (CVSS:4.3) (EPSS:0.30%) (Last Update:2023-11-03 22:15:10)

Franklin Fueling System TS-550


1. EXECUTIVE SUMMARY

CVSS v3 8.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Franklin Fueling System
Equipment: TS-550
Vulnerability: Use of Password Hash with Insufficient Computational Effort

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain unauthenticated access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Franklin Fueling System TS-550 are affected:

TS-550: All versions prior to 1.9.23.8960

3.2 Vulnerability Overview

3.2.1 USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916

Franklin Fueling System TS-550 versions prior to 1.9.23.8960 are vulnerable to attackers decoding admin credentials, resulting in unauthenticated access to the device.

CVE-2023-5846 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).
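CWE-916 covers credentials protected by a hash that is cheap enough to invert by guessing. The advisory does not state which scheme the TS-550 used, so the following is an added, illustrative example rather than code from Franklin Fueling Systems or from the advisory: an unsalted single-round digest stands in for the weak pattern, and beside it is a salted PBKDF2-HMAC-SHA256 store with a self-describing record format, constant-time verification, and a check that flags records whose work factor has fallen behind the current policy. The user name and password are constructed.

```python
# Added example (not from the Franklin Fueling advisory): the weak pattern
# CWE-916 describes beside a salted, iterated password hash with verification.
# The password below is constructed; no credential from the device is used.
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def weak_digest(password: str) -> str:
    """Weak pattern: unsalted, single round. Identical passwords give identical
    output, so a stored value can be matched against a precomputed table."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record of the form scheme$iterations$salt_b64$dk_b64."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    ])


def _parse(stored: str):
    scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record's work factor is below current policy; rehash on next login."""
    try:
        iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return iterations < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("demo-only-password")
    print(record)
    print("verify:", verify_password("demo-only-password", record))
    print("weak digests equal:", weak_digest("x") == weak_digest("x"))
```

Storing the iteration count inside the record is what makes `needs_rehash` possible: when policy raises the work factor, existing users are upgraded transparently at their next successful login instead of requiring a reset.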

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) authored by Parsa Rezaie Khiabanloo and reported it to Exploit-DB.

4. MITIGATIONS

Franklin Fueling Systems released the following to fix this vulnerability:

TS-550: Version 1.9.23.8960

For more information, contact Franklin Fueling System.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 2, 2023: Initial Publication