Posts Page - CloudCentric

Sierra Wireless AirLink with ALEOS firmware

Written by on December 7, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Sierra Wireless
Equipment: AirLink
Vulnerabilities: Infinite Loop, NULL Pointer Dereference, Cross-site Scripting, Reachable Assertion, Use of Hard-coded Credentials, Use of Hard-coded Cryptographic Key

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution to take full control of the device, steal credentials through a cross site scripting attack, or crash the device being accessed through a denial-of-service attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sierra Wireless AirLink router with ALEOS firmware are affected:

AirLink ALEOS firmware: All versions prior to 4.9.9
AirLink ALEOS firmware: All versions prior to 4.17.0

3.2 Vulnerability Overview

3.2.1 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835

Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote attacker to trigger a Denial-of-Service (DoS) condition for ACEManager without impairing other router functions. This condition is cleared by restarting the device.

CVE-2023-40458 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 NULL POINTER DEREFERENCE CWE-476

The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial-of-Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.

CVE-2023-40459 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted.

CVE-2023-40460 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition.

CVE-2023-40461 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

3.2.5 REACHABLE ASSERTION CWE-617

The ACEManager component of ALEOS 4.16 and earlier does not perform input sanitization during authentication, which could potentially result in a Denial-of-Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.

CVE-2023-40462 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 USE OF HARD-CODED CREDENTIALS CWE-798

When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access.

CVE-2023-40463 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.7 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server.

CVE-2023-40464 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications, Emergency Services, Energy, Government Facilities, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Daniel dos Santos and Stanislav Dashevskyi of Forescout Technologies reported these vulnerabilities to CISA.

4. MITIGATIONS

Sierra Wireless has released the following software fixes and recommends users update their devices:

AirLink ALEOS firmware: Version 4.9.9
AirLink ALEOS firmware: Version 4.17.0

For more information, please see Sierra Wireless’ security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

December 07, 2023: Initial Publication

Johnson Controls Metasys and Facility Explorer

Written by on December 7, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls
Equipment: Metasys and Facility Explorer
Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service by sending invalid credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls Metasys and Facility Explorer are affected:

Metasys NAE55 engines: Versions prior to 12.0.4
Metasys SNE engines: Versions prior to 12.0.4
Metasys SNC engines: Versions prior to 12.0.4
Facility Explorer F4-SNC: Versions prior to 11.0.6
Facility Explorer F4-SNC: Versions prior to 12.0.4

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys and Facility Explorer products to cause denial-of-service.

CVE-2023-4486 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends users update the products to the latest versions:

Update Metasys NAE55 engines to version 12.0.4
Update Metasys SNE engines to version 12.0.4
Update Metasys SNC engines to version 12.0.4
Update Facility Explorer F4-SNC engine to version 11.0.6
Update Facility Explorer F4-SNC engine to version 12.0.4

For more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2023-08 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

December 07, 2023: Initial Publication

Schweitzer Engineering Laboratories SEL-411L

Written by on December 7, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 4.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schweitzer Engineering Laboratories
Equipment: SEL-411L
Vulnerability: Improper Restriction of Rendered UI Layers or Frames

2. RISK EVALUATION

Successful exploitation of this vulnerability could expose authorized users to clickjacking attacks.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Schweitzer Engineering Laboratories SEL-411L are affected:

R118: V0 – V4
R119: V0 – V5
R120: V0 – V6
R121: V0 – V3
R122: V0 – V3
R123: V0 – V3
R124: V0 – V3
R125: V0 – V3
R126: V0 – V4
R127: V0 – V2
R128: V0 – V1
R129: V0 – V1

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF RENDERED UI LAYERS OR FRAMES CWE-1021

An Improper Restriction of Rendered UI Layers or Frames in the Schweitzer Engineering Laboratories SEL-411L could allow an unauthenticated attacker to perform clickjacking-based attacks against an authenticated and authorized user.

CVE-2023-2265 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sushant Mane, Parul Sindhwad, Imran Jamadar, and Dr. Faruk Kazi of CoE-CNDS Lab, VJTI, Mumbai, India reported this vulnerability to Schweitzer Engineering Laboratories.

4. MITIGATIONS

Schweitzer Engineering Laboratories has distributed patches to appropriate asset owners. Please refer to their security advisory for more information.

Schweitzer Engineering Laboratories also recommends users see product Instruction Manual Appendix A dated 20230830 for more details.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

December 07, 2023: Initial Publication

Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d

Written by on December 5, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.4
ATTENTION: Exploitable with adjacent access/low attack complexity
Vendor: Zebra Technologies
Equipment: ZTC Industrial ZT410, ZTC Desktop GK420d
Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send specially crafted packets to change credentials without any prior authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Zebra ZTC industrial and desktop printers are affected:

ZTC Industrial ZT410: All versions
ZTC Desktop GK420d: All versions

3.2 Vulnerability Overview

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

A vulnerability of authentication bypass has been found in Zebra Technologies ZTC Industrial ZT410 and ZTC Desktop GK420d. This vulnerability allows an attacker that is in the same network as the printer to change the username and password for the web page by sending a specially crafted POST request to the setvarsResults.cgi file. For this vulnerability to be exploitable, the printer’s protected mode must be disabled.

CVE-2023-4957 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Phosphorus Cybersecurity reported this vulnerability to CISA.

4. MITIGATIONS

Zebra printers running Link-OS v6.0 and later have a protected mode that protects the printer from this vulnerability. Activating this mode disables unauthorized changes and locks the current configuration until an administrator authorizes updates. By default, the secure mode is disabled as it is necessary to generate a password first.

For more information about the protected mode and to apply it to Zebra printer products that may be affected, see the Link-OS Printer Administration Guide.

NOTE: The ZT410 industrial printer was discontinued on Oct 1st, 2020. The service and support discontinuation dates are in September and December, 2025, depending on region. Further information regarding security settings and best practices, including “Protected Mode,” can be found in the references of the product.

NOTE: the GK420d desktop printer was discontinued on Jan 31, 2022. The service and support discontinuation date is April 30, 2025.

For more information on the product resources, see GK420d Desktop Printer Support Manual.

For more information on this vulnerability, see INCIBE-CERT’s Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

December 5, 2023: Initial Publication

PTC KEPServerEx

Written by on November 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: KEPServerEX, ThingWorx, OPC-Aggregator
Vulnerabilities: Heap-based Buffer Overflow, Improper Validation of Certificate with Host Mismatch

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker gaining Windows SYSTEM-level code execution on the service host and may cause the product to crash, leak sensitive information, or connect to the product without proper authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following PTC Kepware products, are affected:

KEPServerEX: v6.14.263.0 and prior
ThingWorx Kepware Server: v6.14.263.0 and prior
ThingWorx Industrial Connectivity: All versions
OPC-Aggregator: v6.14 and prior
ThingWorx Kepware Edge: v1.7 and prior
Rockwell Automation KEPServer Enterprise: Versions v6.14.263.0 and prior
GE Digital Industrial Gateway Server: Versions v7.614 and prior
Software Toolbox TOP Server: Versions v6.14.263.0 and prior

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information.

CVE-2023-5908 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.2 IMPROPER VALIDATION OF CERTIFICATE WITH HOST MISMATCH CWE-297

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

CVE-2023-5909 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Shawn Hoffman reported these vulnerabilities to PTC.

4. MITIGATIONS

PTC has released and recommends users update to the following versions:

KEPServerEX should upgrade to v6.15 or later
ThingWorx Kepware Server should upgrade to v6.15 or later
ThingWorx Industrial Connectivity should upgrade to ThingWorx Kepware Server v6.15 or later
OPC-Aggregator should upgrade to v6.15 or later
ThingWorx Kepware Edge: Upgrade to v1.8 or later

Refer to secure configuration guide here.

If additional questions remain, please contact PTC Technical Support.

For more information, see PTC’s advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 30, 2023: Initial Publication

Mitsubishi Electric FA Engineering Software Products

Written by on November 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Mitsubishi Electric
Equipment: FA Engineering Software Products
Vulnerability: External Control of File Name or Path

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a malicious attacker to execute malicious code by tricking legitimate users to open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected:

GX Works3: All versions
MELSOFT iQ AppPortal: All versions
MELSOFT Navigator: All versions
Motion Control Setting (Software packaged with GX Works3): All versions

3.2 Vulnerability Overview

3.2.1 External Control of File Name or Path CWE-73

Malicious code execution vulnerability due to external control of file name or path exists in multiple FA engineering software products. This vulnerability could allow an attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition.

CVE-2023-5247 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Install antivirus software in computers using the affected product.
Use computers with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
When connecting computers with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., to prevent unauthorized access, and allow only trusted users to remote login.
Don’t open untrusted files or click untrusted links.

For additional information see Mitsubishi Electric advisory 2023-016.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

November 30, 2023: Initial Publication

Yokogawa STARDOM

Written by on November 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Yokogawa
Equipment: STARDOM FCN/FCJ
Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition to the FCN/FCJ controller by sending a specially crafted packet.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Yokogawa STARDOM FCN/FCJ, a network control system, are affected:

STARDOM FCN/FCJ: versions R1.01 through R4.31

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

This vulnerability may allow to a remote attacker to cause a denial-of-service condition to the FCN/FCJ controller by sending a crafted packet. While sending the packet, the maintenance homepage of the controller could not be accessed. Therefore, functions of the maintenance homepage, changing configuration, viewing logs, etc. are not available. But the controller’s operation is not stopped by the condition.

CVE-2023-5915 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Roman Ezhov of Kaspersky reported this vulnerability to Yokogawa.

4. MITIGATIONS

Yokogawa has released the following mitigations for users to implement:

By using the packet filter function* of the FCN/FCJ controller, only allow connection from trusted hosts.
Take measures against the network so that an attacker cannot send a malicious packet.

Yokogawa strongly recommends all users to establish and maintain a full security program, not only for the vulnerability identified in this YSAR. Security program components are: Patch updates, Anti-virus, Backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.

*Revision up FCN/FCJ basic software to R4.20 or later for using the function.

More details can also be found in Yokogawa’s security advisory report number YSAR-23-0003.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 30, 2023: Initial Publication

Delta Electronics DOPSoft

Written by on November 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: DOPSoft
Vulnerability: Stack-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics products are affected:

DOPSoft: All versions

3.2 Vulnerability Overview

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow which may allow to remote code execution if an attacker can lead a legitimate user to execute a specially crafted file.

CVE-2023-5944 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics has declared DOPSoft as end-of-life and recommends users to use DIAScreen instead. This vulnerability does not exist on the newest version of DIAScreen.

Users may download the DIAScreen v1.3.1 (or newer) on the DIAStudio download center

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 30, 2023: Initial Publication

Mitsubishi Electric GX Works2

Written by on November 28, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 2.9
ATTENTION: Exploitable locally
Vendor: Mitsubishi Electric Corporation
Equipment: GX Works2
Vulnerability: Denial-of-Service

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a Denial-of-service (DoS) due to improper input validation in the simulation function of GX Works2 by sending specially crafted packets.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

GX Works2: all versions

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

An attacker may be able to cause denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the packets from within the same personal computer where the function is running.

CVE-2023-5274 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

3.2.2 Improper Input Validation CWE-20

CVE-2023-5275 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

joker63 of ZheJiangQiAnTechnology reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Install an antivirus software in your personal computer using the affected product.

Use your personal computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.

When connecting your personal computer with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., to prevent unauthorized access, and allow only trusted users to remote login.

Don’t open untrusted files or click untrusted links.

For more information, see the Mitsubishi security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

November 28, 2023: Initial Publication

Franklin Electric Fueling Systems Colibri

Written by on November 28, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Franklin Electric Fueling Systems
Equipment: Colibri
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain login credentials for other users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of FFS Colibri, a discontinued fuel inventory monitoring system, are affected:

FFS Colibri: all versions.

3.2 Vulnerability Overview

3.2.1 Path Traversal CWE-35

The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users.

CVE-2023-5885 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Momen Eldawakhly Samurai Digital Security Ltd. reported this vulnerability to CISA.

4. MITIGATIONS

Franklin Electric Fueling Systems determined that the vulnerability only affects the Colibri product which has not been sold since 2020 and does not affect the current EVO product lines. They created a firmware update for Colibri to address the issue. Users can download the update at from the Franklin Electric website. Franklin Electric is working with distributors to make sure all known users are aware that the update is available for installation.

For further information, please contact Franklin Electric Fueling Systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 28, 2023: Initial Publication