
Schneider Electric SpaceLogic C-Bus Toolkit


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: SpaceLogic C-Bus Toolkit
Vulnerabilities: Improper Privilege Management, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, which could result in tampering of the SpaceLogic C-Bus home automation system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric products are affected:

SpaceLogic C-Bus Toolkit: Versions 1.16.3 and prior

3.2 Vulnerability Overview

3.2.1 Improper Privilege Management CWE-269

Schneider Electric’s SpaceLogic C-Bus Toolkit product is vulnerable due to improper privilege management, which could cause remote code execution when the transfer command is used over the network.

CVE-2023-5402 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Path Traversal CWE-22

Schneider Electric’s SpaceLogic C-Bus Toolkit product contains a path traversal vulnerability, which could cause tampering of files on the personal computer running C-Bus when using the File Command.

CVE-2023-5399 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
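The path traversal class described for the File Command is the usual case of a client-supplied file name being joined to a base directory and then used for a file operation. The following is an added Python example, not Schneider Electric code and not a description of the C-Bus Toolkit internals: it contrasts a naive join with a containment check that resolves the candidate path (collapsing `..` segments and symlinks) and refuses anything that lands outside the base directory. The project directory, file names and request strings are constructed for the demonstration.

```python
"""Containment check for a file-handling command (CWE-22 defence).

Added example, not Schneider Electric code. It shows the general defence
against a path traversal flaw of the kind described for the C-Bus Toolkit
File Command. Directory, file and request names are constructed.
"""
from pathlib import Path
import tempfile
from typing import Dict


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the base directory."""


def naive_join(base_dir: Path, client_path: str) -> Path:
    """The vulnerable pattern: '..' segments and absolute paths escape base_dir."""
    return Path(base_dir, client_path)


def resolve_within(base_dir: Path, client_path: str) -> Path:
    """Resolve client_path under base_dir and refuse anything outside it."""
    base = base_dir.resolve()
    if "\x00" in client_path:
        # A NUL would silently truncate the name in a C-level API; reject early.
        raise PathTraversalError("NUL byte in client path")
    # resolve() collapses '..' and follows symlinks, so a symlink planted inside
    # base_dir that points outside is caught as well.
    candidate = (base / client_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{client_path!r} resolves outside {base}") from None
    return candidate


def handle_file_command(base_dir: Path, client_path: str) -> str:
    """Simulated File Command handler: 'allowed' or 'blocked' for a request."""
    try:
        resolve_within(base_dir, client_path)
        return "allowed"
    except PathTraversalError:
        return "blocked"


def demo() -> Dict[str, str]:
    """Run constructed requests against a constructed project directory."""
    base = Path(tempfile.mkdtemp(prefix="cbus_projects_"))
    (base / "sub").mkdir()
    (base / "site.cbz").write_text("constructed project file")
    requests = [
        "site.cbz",            # plain file inside the base directory
        "sub/../site.cbz",     # '..' that stays inside after normalisation
        "../../etc/hosts",     # classic traversal out of the base directory
        "/etc/hosts",          # absolute path replaces the base on join
        "site.cbz\x00.txt",    # embedded NUL
    ]
    return {r: handle_file_command(base, r) for r in requests}


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request!r}")
```

The check is done on the resolved path rather than by string-matching `..`, because encodings, mixed separators and symlinks all defeat lexical filtering; `relative_to` on two resolved paths is the containment test that survives those cases.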

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

An anonymous researcher working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has provided a fix for these vulnerabilities and recommends updating the software to v1.16.4. After installation, reboot the system and verify that the version number reflects the new version.

If users choose not to apply the remediation provided, they should immediately apply the following mitigation to reduce the risk of exploit:

Block TCP port 20023 to SpaceLogic C-Bus Toolkit using rules in the PC firewall.

With this rule in place, an external entity cannot use the vulnerable commands to compromise the PC, because the connection, and ultimately the command, will not be accepted by SpaceLogic C-Bus Toolkit.

For more information, refer to Schneider Electric’s Security Bulletin SEVD-2023-283-1.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network, such as CDs, USB drives, etc., before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 2, 2023: Initial Publication

Red Lion Crimson


1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Red Lion
Equipment: FlexEdge Gateway, DA50A, DA70A running Crimson
Vulnerability: Improper Neutralization of Null Byte or NUL Character

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to truncate passwords configured by the Crimson configuration tool, which could create weaker than intended credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Red Lion products are affected:

Crimson: v3.2.0053.18 or prior

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF NULL BYTE OR NUL CHARACTER CWE-158

The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.

CVE-2023-5719 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Alexander Ratelle of Hepburn Engineering Inc. reported this vulnerability to Red Lion.

4. MITIGATIONS

Red Lion recommends updating the Crimson configuration tool to version 3.2.0063 or later by using the automatic update feature or visiting the Red Lion website.

Accounts, whether existing or newly created, should not use the percent (%) character in the configured password on versions 3.2.0053.18 or below.
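Until the configuration tool is updated, the practical control is to audit every configured password before the security configuration is downloaded to a device. The following is an added Python example, not Red Lion code: it applies the vendor's "no % character" rule and, as an illustration of the CWE-158 failure class only, models how a percent-escape decoder feeding a NUL-terminated string store would shorten a credential. That decoding model is an assumption for the demonstration, not a description of how Crimson processes the string; the account names and passwords are constructed.

```python
"""Pre-download password audit for the Crimson '%' issue (CWE-158).

Added example, not Red Lion code. The advisory says a password containing
'%' picks up invalid values and may be truncated at a NUL. The expansion
below is an ASSUMED illustration of that failure class (a %XX escape
decoder feeding a NUL-terminated string), not Crimson's actual behaviour.
Account names and passwords are constructed for the demo.
"""
import re
from typing import Dict, List

_PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def simulate_effective_password(configured: str) -> str:
    """Illustrative model: expand %XX escapes, then cut at the first NUL."""
    expanded = _PCT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), configured)
    nul = expanded.find("\x00")
    return expanded if nul < 0 else expanded[:nul]


def check_password(account: str, configured: str) -> List[str]:
    """Return findings for one account; an empty list means it passes."""
    findings: List[str] = []
    # Policy check taken from the vendor mitigation: no '%' in configured
    # passwords on versions 3.2.0053.18 or below.
    if "%" in configured:
        findings.append(f"{account}: contains '%', disallowed on affected Crimson versions")
    # Divergence check: would the credential stored on the device differ
    # from what the administrator typed? (Uses the assumed decoder model.)
    effective = simulate_effective_password(configured)
    if effective != configured:
        findings.append(
            f"{account}: effective credential length {len(effective)} "
            f"differs from configured length {len(configured)}"
        )
    return findings


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a mapping of account -> configured password before download."""
    return {acct: check_password(acct, pw) for acct, pw in accounts.items()}


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {
        "operator": "Plant#2024!",      # clean
        "admin": "Sup3r%00secret",      # '%00' would decode to NUL and truncate
        "maint": "50%off",              # '%of' is not a valid escape, but still policy-blocked
    }
    for acct, findings in audit(sample).items():
        print(acct, "OK" if not findings else "; ".join(findings))
```

The two checks are deliberately separate: the policy rule is what the vendor asks for and is cheap to enforce on every account, while the divergence check shows why the rule matters by surfacing the cases where the stored credential would be shorter than the administrator believes.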

For more information, refer to Red Lion’s security advisory RLCSIM-2023-04.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 2, 2023: Initial Publication

Weintek EasyBuilder Pro


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Weintek
Equipment: EasyBuilder Pro
Vulnerability: Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain remote control of a victim’s computer as a privileged user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Weintek products are affected:

EasyBuilder Pro: Versions prior to v6.07.02
EasyBuilder Pro: Versions 6.08.01.592 and prior
EasyBuilder Pro: Versions 6.08.02.470 and prior

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

The affected product contains a hard-coded private key used for crash report transmission. Even though the key is deleted immediately after the transmission finishes, it is exposed to the public, which could allow an attacker to obtain remote control of the crash report server.

CVE-2023-5777 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Hank Chen (PSIRT and Threat Research of TXOne Networks) reported this vulnerability to CISA.

4. MITIGATIONS

Weintek recommends users apply the following mitigations:

Update EasyBuilder Pro to v6.08.01.614
Update EasyBuilder Pro to v6.08.02.500

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 2, 2023: Initial Publication

Mitsubishi Electric MELSEC Series


1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric Corporation
Equipment: MELSEC Series
Vulnerability: Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow a remote attacker to reset the memory of the products to factory default state and cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following versions of MELSEC-F series programmable controllers are affected if they are used with the Ethernet communication special adapter FX3U-ENET-ADP or the Ethernet communication block FX3U-ENET(-L), with the exception of “FX3GE-xMy/z x=24,40, y=T,R, z=ES,ESS,DS,DSS”. Some of these products are sold in limited regions; see the Mitsubishi Electric advisory for details:

MELSEC-F series FX3U-xMy/z x=16,32,48,64,80,128, y=T,R, z=ES,ESS,DS,DSS: All versions
MELSEC-F series FX3U-32MR/UA1, FX3U-64MR/UA1: All versions
MELSEC-F series FX3U-32MS/ES, FX3U-64MS/ES: All versions
MELSEC-F series FX3U-xMy/ES-A x=16,32,48,64,80,128, y=T,R: All versions
MELSEC-F series FX3UC-xMT/z x=16,32,64,96, z=D,DSS: All versions
MELSEC-F series FX3UC-16MR/D-T, FX3UC-16MR/DS-T: All versions
MELSEC-F series FX3UC-32MT-LT, FX3UC-32MT-LT-2: All versions
MELSEC-F series FX3UC-16MT/D-P4, FX3UC-16MT/DSS-P4: All versions
MELSEC-F series FX3G-xMy/z x=14,24,40,60, y=T,R, z=ES,ESS,DS,DSS: All versions
MELSEC-F series FX3G-xMy/ES-A x=14,24,40,60, y=T,R: All versions
MELSEC-F series FX3GC-32MT/D, FX3GC-32MT/DSS: All versions
MELSEC-F series FX3GE-xMy/z x=24,40, y=T,R, z=ES,ESS,DS,DSS: All versions
MELSEC-F series FX3GA-xMy-CM x=24,40,60, y=T,R: All versions
MELSEC-F series FX3S-xMy/z x=10,14,20,30, y=T,R, z=ES,ESS,DS,DSS: All versions
MELSEC-F series FX3S-30My/z-2AD y=T,R, z=ES,ESS: All versions
MELSEC-F series FX3SA-xMy-CM x=10,14,20,30, y=T,R: All versions
MELSEC iQ-F series FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: All versions
MELSEC iQ-F series FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS: All versions
MELSEC iQ-F series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
MELSEC iQ-F series FX5UJ-xMy/z x=24,40,60, y=T,R, z=ES,ESS,DS,DSS: All versions
MELSEC iQ-F series FX5UJ-xMy/ES-A x=24,40,60, y=T,R: All versions
MELSEC iQ-F series FX5S-xMy/z x=30,40,60,80, y=T,R, z=ES,ESS: All versions

3.2 Vulnerability Overview

3.2.1 Insufficient Verification of Data Authenticity CWE-345

A denial-of-service vulnerability exists in the MELSEC-F Series main modules and MELSEC iQ-F Series CPU modules. A remote attacker may be able to reset the memory of the products to factory default state and cause a denial-of-service condition on the products by sending specific packets.

CVE-2023-4699 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
For MELSEC iQ-F Series, use the IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication) for each product.
Restrict physical access to the affected products and to the LAN to which they are connected.

For specific update instructions and additional details see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 2, 2023: Initial Publication

Mitsubishi Electric MELSEC iQ-F Series CPU Module


1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-F Series
Vulnerability: Improper Restriction of Excessive Authentication Attempts

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to prevent legitimate users from logging into the web server function for a certain period, resulting in a denial-of-service condition. The impact of this vulnerability will persist while the attacker continues to attempt the attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric MELSEC iQ-F Series products are affected (Products with * are sold in limited regions):

FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 17X**** and later): All versions
FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 179**** and prior): Versions 1.060 or later
FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 17X**** and later): All versions
FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 179**** and prior): Versions 1.060 or later
FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
FX5UJ-xMy/z x=24,40,60, y=T,R, z=ES,DS,ESS,DSS: All versions
FX5UJ-xMy/ES-A* x=24,40,60, y=T,R: All versions
FX5S-xMy/z x=30,40,60,80*, y=T,R, z=ES,ESS: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

A denial-of-service vulnerability exists in the web server function of the MELSEC iQ-F Series CPU module, which could allow an attacker to prevent legitimate users from logging in to the web server function for a certain period of time. The impact of this vulnerability will persist while the attacker continues to attempt the attack.

CVE-2023-4625 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Peter Cheng from ELEX FEIGONG RESEARCH INSTITUTE of Elex Cybersecurity, Inc. reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk:

Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, refer to “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).
Restrict physical access to the affected products and to the LAN to which they are connected.

For additional information refer to Mitsubishi Electric’s security bulletin 2023-014_en.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 2, 2023: Initial Publication

Zavio IP Camera


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Zavio
Equipment: IP Camera
Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer, OS Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Zavio IP Cameras are affected:

CF7500: version M2.1.6.05
CF7300: version M2.1.6.05
CF7201: version M2.1.6.05
CF7501: version M2.1.6.05
CB3211: version M2.1.6.05
CB3212: version M2.1.6.05
CB5220: version M2.1.6.05
CB6231: version M2.1.6.05
B8520: version M2.1.6.05
B8220: version M2.1.6.05
CD321: version M2.1.6.05

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

Zavio IP Cameras CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321 with firmware version M2.1.6.05 are vulnerable to multiple instances of stack-based overflows. While processing XML elements from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVE-2023-3959 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Stack-based Buffer Overflow CWE-121

Zavio IP Cameras CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321 with firmware version M2.1.6.05 are vulnerable to multiple instances of stack-based overflows. While parsing certain XML elements from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVE-2023-45225 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 Stack-based Buffer Overflow CWE-121

Zavio IP Cameras CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321 with firmware version M2.1.6.05 are vulnerable to multiple instances of stack-based overflows. During the processing and parsing of certain fields in XML elements from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVE-2023-43755 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 Stack-based Buffer Overflow CWE-121

Zavio IP Cameras CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321 with firmware version M2.1.6.05 are vulnerable to stack-based overflows. During the process of updating certain settings sent from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVE-2023-39435 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.5 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) CWE-78

Zavio IP Cameras CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, CD321 with firmware version M2.1.6.05 have a command injection vulnerability in the implementation of their binaries and in their handling of network requests.

CVE-2023-4249 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Attila Szasz of BugProve reported these vulnerabilities to CISA. Mike Haldas of CCTV Camera Pros assisted in the coordination of these vulnerabilities with CISA.

4. MITIGATIONS

The affected products are end-of-life and have been identified as containing many insecurities. The vendor, Zavio, is no longer actively in business; therefore, firmware fixes, mitigations, and updates are not available and will not become available. CISA recommends users discontinue use of the product.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 31, 2023: Initial Publication

INEA ME RTU


1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: INEA
Equipment: ME RTU
Vulnerabilities: OS Command Injection, Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Inea ME RTU are affected:

ME RTU: versions 3.36b and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.

CVE-2023-35762 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER AUTHENTICATION CWE-287

Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the “root” account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system.

CVE-2023-29155 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Transportation
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Slovenia

3.4 RESEARCHER

Floris Hendriks of Radboud University reported these vulnerabilities to CISA.

4. MITIGATIONS

INEA recommends that users upgrade ME RTU to firmware version 3.37.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 31, 2023: Initial Publication

Sielco PolyEco FM Transmitter


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Sielco
Equipment: PolyEco1000
Vulnerabilities: Session Fixation, Improper Restriction of Excessive Authentication Attempts, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sielco PolyEco1000, an FM transmitter, are affected:

PolyEco1000: CPU:2.0.6 FPGA:10.19
PolyEco1000: CPU:1.9.4 FPGA:10.19
PolyEco1000: CPU:1.9.3 FPGA:10.19
PolyEco500: CPU:1.7.0 FPGA:10.16
PolyEco300: CPU:2.0.2 FPGA:10.19
PolyEco300: CPU:2.0.0 FPGA:10.19

3.2 Vulnerability Overview

3.2.1 SESSION FIXATION CWE-384

Sielco PolyEco1000 is vulnerable to session hijacking because the session cookie can be brute-forced, SSL is not used, and the session identifier is visible in requests.

CVE-2023-0897 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system.

CVE-2023-5754 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an attacker escalating their privileges by modifying passwords in POST requests.

CVE-2023-46661 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information.

CVE-2023-46662 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.

CVE-2023-46663 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.6 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an improper access control vulnerability when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources behind protected pages.

CVE-2023-46664 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.7 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an authentication bypass vulnerability that allows an attacker to modify passwords in a POST request and gain unauthorized access to the affected device with administrative privileges.

CVE-2023-46665 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public proof of concept authored by Gjoko Krstic of ZeroScience.

4. MITIGATIONS

Sielco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of Sielco PolyEco FM Transmitter are invited to contact Sielco customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Rockwell Automation FactoryTalk View Site Edition

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View Site Edition
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause the product to become unavailable and require a restart to recover, resulting in a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of FactoryTalk View Site Edition are affected:

FactoryTalk View Site Edition: V11.0

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

FactoryTalk View Site Edition V11.0 insufficiently validates user input, which could potentially allow threat actors to send malicious data that brings the product offline. If exploited, the product would become unavailable and require a restart to recover, resulting in a denial-of-service condition.

CVE-2023-46289 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has provided patches for versions v11.0, v12.0, and v13.0.

Rockwell Automation encourages users of the affected software to apply the risk mitigations if possible. Additionally, they encourage users to implement their suggested security best practices to minimize the risk.

For more information, see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Centralite Pearl Thermostat

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Centralite
Equipment: Pearl Thermostat
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial of service on the affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Centralite Pearl Thermostat are affected:

Pearl Thermostat: version 0x04075010

3.2 Vulnerability Overview

3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A vulnerability in Centralite Pearl Thermostat 0x04075010 allows attackers to cause a denial of service (DoS) via a crafted Zigbee message.

CVE-2023-24678 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Xiaoyue Ma (xma9@gmu.edu), Lannan “Lisa” Luo (lluo4@gmu.edu) and Qiang Zeng (zeng@gmu.edu) of George Mason University reported this vulnerability.

4. MITIGATIONS

Centralite has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of Centralite Pearl Thermostat are invited to contact Centralite customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

October 26, 2023: Initial Publication