Posts Page - CloudCentric

Siemens Solid Edge

Written by on January 11, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerabilities: Heap-based Buffer Overflow, Out-of-bounds Read, Out-of-bounds Write, Stack-based Buffer Overflow, Access of Uninitialized Pointer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to use specially crafted PAR files to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products, are affected:

Solid Edge SE2023: All versions prior to V223.0 Update 10

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-49121 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-49122 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-49123 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-49124 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

CVE-2023-49126 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 OUT-OF-BOUNDS READ CWE-125

CVE-2023-49127 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted PAR file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-49128 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack overflow vulnerability while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-49129 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 ACCESS OF UNINITIALIZED POINTER CWE-824

The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2023-49130 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.10 ACCESS OF UNINITIALIZED POINTER CWE-824

CVE-2023-49131 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.11 ACCESS OF UNINITIALIZED POINTER CWE-824

CVE-2023-49132 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Solid Edge SE2023: Avoid opening untrusted files from unknown sources in Solid Edge
Solid Edge SE2023: Update to V223.0 Update 10 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-589891 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

January 11, 2024: Initial Publication

Schneider Electric Easergy Studio

Written by on January 11, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: Easergy Studio
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain full control of a workstation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Schneider Electric Easergy Studio, a power relay protection control software, are affected:

Easergy Studio: Versions prior to v9.3.5

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

A deserialization of untrusted data vulnerability exists in Schneider Electric Easergy Studio versions prior to v9.3.5 that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object.

CVE-2023-7032 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has released the following mitigations/fixes for the following products:

Easergy Studio: Version 9.3.6 of Easergy Studio includes a fix for this vulnerability and is available via SESU (Schneider Electric Software Update).

Customers of Schneider Electric should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if assistance is needed in removing a patch.

If customers choose not to apply the remediation provided above, they should immediately apply Schneider Electric’s General Security Recommendations to reduce the risk of exploit. For more information, see Schneider Electric SEVD-2024-009-02.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

January 11, 2024: Initial Publication

Rockwell Automation FactoryTalk Activation

Written by on January 4, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Activation Manager
Vulnerabilities: Out-of-Bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in a buffer overflow and allow the attacker to gain full access to the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Factory Talk are affected:

Factory Talk: V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c)

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which internally use a version of libcurl that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

CVE-2023-38545 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which contain a heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to Version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

CVE-2023-3935 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous researcher reported these vulnerabilities to CISA.

4. MITIGATIONS

Users of the affected software are encouraged to apply the risk mitigations, if possible:

Upgrade to FactoryTalk Activation Manager 5.01 which has been patched to mitigate these issues.
For information on how to mitigate security risks on industrial automation control systems see our suggested security best practices.
Rockwell Automation encourages users to implement their suggested security best practices to minimize risk of the vulnerability.

For more information, please see the security advisory from Rockwell Automation

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits that specifically target these vulnerabilities have been reported to CISA at this time.

5. UPDATE HISTORY

January 4, 2024: Initial Publication

Mitsubishi Electric Factory Automation Products

Written by on January 4, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: Multiple Factory Automation Products
Vulnerabilities: Observable Timing Discrepancy, Double Free, Access of Resource Using Incompatible Type (‘Type Confusion’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could disclose information in the product or could cause denial-of-service (DoS) condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Factory Automation products are affected:

GT SoftGOT2000: Versions 1.275M to 1.290C (CVE-2023-0286)
OPC UA Data Collector: Versions 1.04E and prior (CVE-2023-0286)
MX OPC Server UA (Software packaged with MC Works64): Versions 3.05F and later (Packaged with MC Works64 Version 4.03D and later) (CVE-2022-4304)
OPC UA Server Unit: All versions (CVE-2022-4304)
FX5-OPC: Versions 1.006 and prior (CVE-2022-4304, CVE-2022-4450)

3.2 Vulnerability Overview

3.2.1 OBSERVABLE TIMING DISCREPANCY CWE-208

The affected products contain an observable timing discrepancy vulnerability in their RSA decryption implementation. By sending specially crafted packets and performing a Bleichenbacher style attack, an attack method to decrypt ciphertext by observing the behavior when a padding error occurs, an attacker could decrypt the ciphertext and disclose sensitive information.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 DOUBLE FREE CWE-415

The affected products contain a double free vulnerability when reading a PEM file. An attacker could cause denial-of-service (DoS) on the product by leading a legitimate user to importing a malicious certificate.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843

The affected products contain a type confusion vulnerability relating to X.400 address
processing inside an X.509 GeneralName. An attacker could disclose sensitive information in memory of the product or cause denial-of-service (DoS) on the product by getting to load a specially crafted certificate revocation list (CRL).

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that users update their products to the following versions:

GT SoftGOT2000: Version 1.295H or later
OPC UA data collector: 1.05F or later
MX OPC Server UA: Use recommended mitigations/workarounds
OPC UA server unit: Use recommended mitigations/workarounds
FX5-OPC: Version 1.010 or later

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:

GT SoftGOT2000 and OPC UA Data Collector: Do not load untrusted certificate revocation lists (CRLs).
MX OPC Server UA: Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the product, as well as to computers and network devices located within the same network as the product. Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
OPC UA Server Unit: Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the product, as well as to computers and network devices located within the same network as the product. Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Set a security policy other than ‘None’ in security setting function to prevent unauthorized access. For details on security setting function, please refer to the MELSEC iQ-R OPC UA Server Unit User’s Manual (Application), section 1.1 “OPC UA Server Function”.
FX5-OPC: Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the product, as well as to computers and network devices located within the same network as the product. Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the MELSEC iQ-F FX5 OPC UA Module User’s Manual section 4.4 “IP Filter.” Do not import untrusted certificates.

For additional details, see the [Mitsubishi Electric advisory 2023-018].(https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-018_en.pdf).

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

January 4, 2024: Initial Publication

QNAP VioStor NVR

Written by on December 21, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.0
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: QNAP
Equipment: VioStor NVR
Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution by exploiting NTP settings.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of QNAP VioStor NVR, are affected:

VioStor NVR QVR firmware: All versions prior to 4.x

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

QNAP VioStor NVR versions prior to QVR Firmware 4.x are vulnerable to an OS command injection vulnerability that may allow an attacker to modify NTP settings in the device. This could result in remote code execution.

CVE-2023-47565 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Chad Seaman and Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA.

4. MITIGATIONS

QNAP has provided that users should download and apply the latest QVR Firmware.

QNAP has stated that QVR Firmware 5.x and 4.x are both end of life.

For more information, see QNAP’s security advisory.

For more information, contact QNAP Support.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA has received reports of this vulnerability being actively exploited.

This advisory contains a vulnerability that has an associated “Known Exploited Vulnerabilities” (KEV) entry. Refer to the following link to view the KEV entry: Known Exploited Vulnerabilities Catalog | CISA

5. UPDATE HISTORY

December 21, 2023: Initial Publication

FXC AE1021/AE1021PE

Written by on December 21, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.0
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: FXC
Equipment: AE1021, AE1021PE
Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution on the device via NTP server settings.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of FXC AE1021, a wireless LAN router, are affected:

AE1021PE firmware: version 2.0.9 and earlier
AE1021 firmware: version 2.0.9 and earlier

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

FXC AE1021/AE1021PE versions 2.0.9 and prior are vulnerable to a code injection that could allow an authenticated user to achieve remote code execution via NTP server settings.

CVE-2023-49897 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Information Technology, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Japan
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Ryu Kuki, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported this vulnerability to JPCERT/CC.
Chad Seaman and Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA.

4. MITIGATIONS

FXC released the following versions to address this vulnerability:

AE1021PE firmware: version 2.0.10.
AE1021 firmware: version 2.0.10.

FXC recommends users apply the following settings:

Reset “Factory setting” and change the default management screen login password.

For more information, see FXC’s publication.

For more information, see JPCERT/CC’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA has received reports of this vulnerability being actively exploited.

5. UPDATE HISTORY

December 21, 2023: Initial Publication

EFACEC BCU 500

Written by on December 19, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: EFACEC
Equipment: BCU 500
Vulnerabilities: Uncontrolled Resource Consumption, Cross-site Request Forgery

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition on the affected product or compromise the web application through a cross-site request forgery (CSRF) vulnerability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of EFACEC BCU 500, an automation and control IED, is affected:

BCU 500: version 4.07

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.

CVE-2023-50707 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application.

CVE-2023-6689 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Multiple
COMPANY HEADQUARTERS LOCATION: Portugal

3.4 RESEARCHER

Aarón Flecha Menéndez of S21sec reported this vulnerability to CISA.

4. MITIGATIONS

EFACEC released BCU 500 versions 4.08 to mitigate this vulnerability.

For more information, contact EFACEC support.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

December 19, 2023: Initial Publication

EuroTel ETL3100 Radio Transmitter

Written by on December 19, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: EuroTel
Equipment: ETL3100
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authorization Bypass Through User-Controlled Key, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full access to the system, disclose sensitive information, or access hidden resources.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions EuroTel ETL3100 radio transmitter are affected:

ETL3100: version v01c01
ETL3100: version v01x37

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system.

CVE-2023-6928 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization, access the hidden resources on the system, and execute privileged functionalities.

CVE-2023-6929 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

EuroTel ETL3100 versions v01c01 and v01x37 suffer from an unauthenticated configuration and log download vulnerability. This enables the attacker to disclose sensitive information and assist in authentication bypass, privilege escalation, and full system access.

CVE-2023-6930 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) as authored by Gjoko Krstic.

4. MITIGATIONS

EuroTel has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of ETL3100 are invited to contact EuroTel customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

December 19, 2023: Initial Publication

Subnet Solutions Inc. PowerSYSTEM Center

Written by on December 19, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Subnet Solutions Inc.
Equipment: PowerSYSTEM Center
Vulnerability: Unquoted Search Path or Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker achieving arbitrary code execution and privilege escalation through the unquoted service path.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center, a multi-function management platform, are affected:

PowerSYSTEM Center: 2020 v5.0.x through 5.16.x

3.2 Vulnerability Overview

3.2.1 UNQUOTED SEARCH PATH OR ELEMENT CWE-428

Subnet Solutions PowerSYSTEM Center versions 2020 v5.0.x through 5.16.x contain a vulnerability that could allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.

CVE-2023-6631 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Kelly Stich of Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions recommends users upgrade to PowerSYSTEM Center versions 2020 Update 17 or later. To obtain this software, contact Subnet Solution’s Customer Service.

Additionally, Subnet Solutions recommends users apply Application Allowlisting on PowerSYSTEM Center Device Communication Server (DCS) hosts to ensure only trusted executables are able to be run.

If unable to apply PowerSYSTEM Center 2020 Update 17, Subnet Solutions recommends users mitigate risk by logging in to the DCS as administrator, opening the Registry Editor, navigating to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices, locating all pscagent.* entries, and modifying the ImagePath key by enclosing it within double quotes (“). Restart computer when complete.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

December 19, 2023: Initial Publication

Open Design Alliance Drawing SDK

Written by on December 19, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Open Design Alliance (ODA)
Equipment: Drawing SDK
Vulnerabilities: Use after Free, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote attackers to disclose sensitive information on affected installations of ODA Drawing SDK.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ODA Drawing SDK are affected:

Drawing SDK: Versions prior to 2024.1

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

Open Design Alliance’s Drawing SDK prior to Version 2024.1 is vulnerable to a use after free attack. Exploitation of this vulnerability requires the target to visit a malicious page or open a malicious file. The specific vulnerability exists within the parsing of DWG files. Crafted data in a DWG file can trigger a use after free attack past the end of an allocated buffer. An attacker could leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

CVE-2023-26495 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

Parsing of DWG files in Open Design Alliance Drawings SDK before 2023.6 lacks proper validation of the length of user-supplied XRecord data prior to copying it to a fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2023-22669 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based buffer overflow exists in the DXF file reading procedure in Open Design Alliance Drawings SDK before 2023.6. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of the length of user-supplied XRecord data prior to copying it to a fixed-length heap-based buffer. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2023-22670 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Mat Powell and Jimmy Calderon of Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Please see ODA security advisory 24.1 and 23.6 for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

December 19, 2023: Initial Publication