Skip to main content
(844) 422-7000

Sielco Radio Link and Analog FM Transmitters

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Sielco
Equipment: Analog FM Transmitters and Radio Link
Vulnerabilities: Improper Access Control, Cross-Site Request Forgery, Privilege Defined with Unsafe Actions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Sielco devices are affected:

Analog FM transmitter: 2.12 (EXC5000GX)
Analog FM transmitter: 2.12 (EXC120GX)
Analog FM transmitter: 2.11 (EXC300GX)
Analog FM transmitter: 2.10 (EXC1600GX)
Analog FM transmitter: 2.10 (EXC2000GX)
Analog FM transmitter: 2.08 (EXC1600GX)
Analog FM transmitter: 2.08 (EXC1000GX)
Analog FM transmitter: 2.07 (EXC3000GX)
Analog FM transmitter: 2.06 (EXC5000GX)
Analog FM transmitter: 1.7.7 (EXC30GT)
Analog FM transmitter: 1.7.4 (EXC300GT)
Analog FM transmitter: 1.7.4 (EXC100GT)
Analog FM transmitter: 1.7.4 (EXC5000GT)
Analog FM transmitter: 1.6.3 (EXC1000GT)
Analog FM transmitter: 1.5.4 (EXC120GT)
Radio Link: 2.06 (RTX19)
Radio Link: 2.05 (RTX19)
Radio Link: 2.00 (EXC19)
Radio Link: 1.60 (RTX19)
Radio Link: 1.59 (RTX19)
Radio Link: 1.55 (EXC19)

3.2 Vulnerability Overview

3.2.1 Improper Access Control CWE-284

The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter.

CVE-2023-42769 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Cross-Site Request Forgery CWE-352

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

CVE-2023-45317 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 Improper Access Control CWE-284

The application suffers from improper access control when editing users. A user with read permissions can manipulate users, passwords, and permissions by sending a single HTTP POST request with modified parameters.

CVE-2023-45228 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.4 Privilege Defined With Unsafe Actions CWE-267

The application suffers from a privilege escalation vulnerability. A user with read permissions can elevate privileges by sending a HTTP POST to set a parameter.

CVE-2023-41966 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered public proof of concept of these vulnerabilities as authored by Gjoko Krstic of ZeroScience.

4. MITIGATIONS

Sielco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of Sielco PolyEco FM Transmitter are invited to contact Sielco customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Rockwell Automation Arena

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: Arena
Vulnerabilities: Out-of-Bounds Read, Access of Uninitialized Pointer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code by using a memory buffer overflow or using an uninitialized pointer in the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Arena, a simulation software, are affected:

Arena: Version 16.20.00001

3.2 Vulnerability Overview

3.2.1 OUT OF BOUNDS READ CWE-125

Version 16.20 of Rockwell Automation’s Arena software contains an out-of-bounds read vulnerability when certain malformed files are processed. An attacker with local access could utilize this to potentially leak memory or achieve arbitrary code execution.

CVE-2023-27854 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 ACCESS OF UNINITIALIZED POINTER CWE-824

Version 16.20 of Rockwell Automation’s Arena software contains an uninitialized pointer when certain malformed files are processed. A local attacker who has properly prepared a malformed file may be able to point to a predetermined location in memory and execute arbitrary code.

CVE-2023-27858 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends upgrading the affected product software to 16.20.01.

Rockwell Automation encourages users to implement their suggested security best practices to minimize exploitation risk of these vulnerabilities.

For additional information, refer to Rockwell Automation’s Security Bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Dingtian DT-R002

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely/public exploits are available
Vendor: Dingtian
Equipment: DT-R002
Vulnerability: Authentication Bypass by Capture-Replay

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R002, a relay board, are affected:

DT-R002: version 3.1.276A

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request.

CVE-2022-29593 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Unknown
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Victor Hanna of Trustwave SpiderLabs.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Rockwell Automation FactoryTalk Services Platform

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable remotely
Vendor: Rockwell Automation
Equipment: FactoryTalk Services Platform
Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could use a token to log into the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following products are affected:

FactoryTalk Services Platform: v2.74

3.2 Vulnerability Overview

3.2.1 Improper Authentication CWE-287

Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk Services Platform web service and then use the token to log in into FactoryTalk Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk Services Platform web service.

CVE-2023-46290 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation encourages users of the affected software to update to V2.80 or later, if possible. Additionally, they encourage customers to implement their suggested security best practices to minimize the risk of vulnerability.

For more information see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Ashlar-Vellum
Equipment: Cobalt, Graphite, Xenon, Argon, Lithium, and Cobalt Share
Vulnerabilities: Out-of-Bounds Write, Heap-based Buffer Overflow, Out-of-Bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Ashlar-Vellum products are affected:

Cobalt: v12 SP0 Build (1204.77) and prior
Graphite: v13.0.48 and prior
Xenon: v12 SP0 Build (1204.77) and prior
Argon: v12 SP0 Build (1204.77) and prior
Lithium: v12 SP0 Build (1204.77) and prior

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share v12 SP0 Build (1204.77), the affected applications lack proper validation of user-supplied data when parsing XE files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-39427 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

In Ashlar-Vellum Graphite v13.0.48, the affected application lacks proper validation of user-supplied data when parsing VC6 files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-39936 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Ashlar-Vellum recommends users apply the following mitigations to help reduce risk:

Install the latest version of Graphite
Cobalt, Xenon, Lithium, and Argon share update v12 Build (1204.78).
Only open files from trusted sources.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Rockwell Automation Stratix 5800 and Stratix 5200

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity/known public exploitation
Vendor: Rockwell Automation
Equipment: Stratix 5800 and Stratix 5200
Vulnerabilities: Unprotected Alternate Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to take control of the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Stratix products and the contained Cisco IOS software are affected:

Stratix 5800 (running Cisco IOS XE Software with the Web UI feature enabled): All versions
Stratix 5200 (running Cisco IOS XE Software with the Web UI feature enabled): All versions

3.2 Vulnerability Overview

3.2.1 UNPROTECTED ALTERNATE CHANNEL CWE-420

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the web user interface feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

CVE-2023-20198 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United states

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation strongly encourages users to follow guidance disabling Stratix HTTP servers on all internet-facing systems.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.
Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

For more information, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

October 24, 2023: Initial Publication

CVE-2023-2745

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. (CVSS:6.1) (EPSS:0.17%) (Last Update:2023-06-21 01:15:09)

Rockwell Automation FactoryTalk Linx

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Linx
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to information disclosure or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell products are affected:

FactoryTalk Linx: v6.20 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

FactoryTalk Linx, in the Rockwell Automation PanelView Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk Linx over the common industrial protocol.

CVE-2023-29464 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community reported this vulnerability to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation recommends users of the affected versions to upgrade to corrected firmware revisions. Users are also strongly encouraged to implement the suggested security best practices to minimize the risk of the vulnerability. Specifically, users should:

Install the security patches for the respective versions.
Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2023: Initial Publication

Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation with Advanced Reports, EcoStruxure Power SCADA
Operation with Advanced Reports
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products is affected:

EcoStruxure Power Monitoring Expert: All versions prior to Hotfix-145271
EcoStruxure Power Operation with Advanced Reports: All versions prior to application of Hotfix-145271
EcoStruxure Power SCADA Operation with Advanced Reports: All versions prior to Hotfix-145271

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

A deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

CVE-2023-5391 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative reported this vulnerability to Schneider Electric.

4. MITIGATIONS

Schneider Electric has released the following mitigations/fixes for the following products:

EcoStruxure Power Monitoring Expert: A Hotfix for this vulnerability is available by contacting Contact Schneider Electric’s Customer Care Center. The Hotfix can be applied to versions PME 2023, 2022, and 2021, the versions currently in support on the date of this disclosure. Previous versions, please contact customer care to inquire about upgrade paths.

EcoStruxure Power Operation with Advanced Reports and EcoStruxure Power SCADA Operation with Advanced Reports: A Hotfix for this vulnerability is available by contacting Contact Schneider Electric’s Customer Care Center. The Hotfix can be applied to versions EPO 2022, and 2021, the versions currently in support on the date of this disclosure. Previous versions, please contact customer care to inquire about upgrade paths.

Schneider Electric also recommends the following cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For further information, see Schnieder Electric’s Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2023: Initial Publication

CVE-2023-38000

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin