
Rockwell Automation PanelView 800


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: PanelView 800
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information, modify data, or cause a denial-of-service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation PanelView 800, a graphics terminal, are affected:

PanelView 800 2711R-T10T: V3.011
PanelView 800 2711R-T7T: V3.011
PanelView 800 2711R-T4T: V3.011

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, the PNG reference library, in version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.

CVE-2017-12652 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
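As an added example (not code from the advisory or from libpng), a small PNG chunk walker in Python that performs the check the advisory says was missing: every chunk's declared length is compared against the PNG specification ceiling and a caller-supplied limit before any of the payload is touched. The 8,000,000-byte default limit, the sample PNG and the oversized test file are all constructed here and are assumptions, not values taken from the product.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_MAX_CHUNK = 2**31 - 1        # ceiling set by the PNG specification
DEFAULT_USER_LIMIT = 8_000_000   # assumed per-chunk limit for this example


class PngError(ValueError):
    """Raised for any structural problem found before the payload is used."""


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: big-endian length, 4-byte type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal 8-bit RGB PNG (solid red) used as well-formed sample input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


def oversized_chunk_png(declared_len: int) -> bytes:
    """Constructed hostile input: a valid IHDR followed by a tEXt chunk whose
    declared length is far larger than the handful of bytes actually present."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    bogus = struct.pack(">I", declared_len) + b"tEXt" + b"x" * 16 + b"\x00" * 4
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + bogus


def iter_chunks(data: bytes, user_limit: int = DEFAULT_USER_LIMIT):
    """Yield (type, payload) per chunk. The declared length is validated against
    the spec ceiling, the caller's limit and the bytes remaining *before* the
    payload is sliced, so an untrusted length can never drive an allocation."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if len(data) - pos < 12:                     # length + type + CRC minimum
            raise PngError("truncated chunk header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if length > PNG_MAX_CHUNK:
            raise PngError(f"{ctype!r}: length {length} exceeds PNG maximum")
        if length > user_limit:
            raise PngError(f"{ctype!r}: length {length} exceeds user limit {user_limit}")
        if len(data) - pos - 12 < length:
            raise PngError(f"{ctype!r}: declared length {length} runs past end of file")
        payload = data[pos + 8:pos + 8 + length]
        (crc_expected,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if (zlib.crc32(ctype + payload) & 0xFFFFFFFF) != crc_expected:
            raise PngError(f"{ctype!r}: CRC mismatch")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise PngError("missing IEND chunk")


def check_png(data: bytes, user_limit: int = DEFAULT_USER_LIMIT):
    """Return (True, [chunk types]) for a file that passes every check, else (False, reason)."""
    try:
        return True, [ctype for ctype, _ in iter_chunks(data, user_limit)]
    except PngError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check_png(build_png()))
    print(check_png(oversized_chunk_png(0x7FFFFFFF)))
    print(check_png(oversized_chunk_png(0x80000000)))
```

A parser that trusts the length field would try to reserve 2 GB for the second file before discovering that only 16 bytes follow; the ordering of the checks above is the whole point.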

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Telecommunications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, Rockwell Automation encourages customers to implement their suggested security best practices to minimize the risk of vulnerability.

Updating to v6.011 or later will mitigate the issue.
Security Best Practices

For more information, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 28, 2023: Initial Publication

Hitachi Energy Asset Suite 9


1. EXECUTIVE SUMMARY

CVSS v3 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Asset Suite 9
Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to enter an arbitrary password to execute equipment tag out actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports this vulnerability affects the following products:

Asset Suite: Versions 9.6.3.11.1 and prior
Asset Suite: Version 9.6.4

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user performing an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action.

CVE-2023-4816 has been assigned to this vulnerability. A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy recommends applying one of the following mitigation actions until a fix has been delivered in a patch:

Configure Asset Suite 9 with a different authentication method other than SSO.
Configure Asset Suite security to disallow holder actions to be taken on behalf of other employees by removing authorization for the following security events to all users: T214ACT, T214RLS, and T214CLR.
Set Equipment Tag Out preference ‘C/O HOLDER PSWD’ to ‘N’.

For more information, see Hitachi Energy advisory 8DBD000172.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 26, 2023: Initial Publication

Baker Hughes Bently Nevada 3500


1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Baker Hughes – Bently Nevada
Equipment: Bently Nevada 3500 System
Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Transmission of Sensitive Information, Authentication Bypass by Capture-replay

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to steal sensitive information and gain access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Bently Nevada 3500 System, a real-time monitoring solution, are affected:

Bently Nevada 3500 Rack (TDI Firmware): version 5.05

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 has a vulnerability in their password retrieval functionality which could be used by an attacker to access passwords stored on the device.

CVE-2023-34437 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 authentication secrets, used with the Connect Password, are passed in cleartext with every request to the device. An attacker could steal the authentication secret from communication traffic to the device and reuse it for arbitrary requests.

CVE-2023-34441 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).

3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 accepts out-of-sequence messages from older communications. This could allow an attacker to replay older captured packets of traffic to the device to gain access.

CVE-2023-36857 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
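The two findings above (a secret sent in cleartext with every request, and acceptance of out-of-sequence messages) are illustrated together in this added Python example, which is not Bently Nevada code and models no real device protocol: a receiver-side sequence check that drops replayed messages, and a defender's audit over recorded traffic that flags the same secret arriving from more than one host. The message fields, addresses and token are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Request:
    src: str      # client address the request arrived from
    seq: int      # per-session sequence number carried in the message
    secret: str   # authentication secret, sent in cleartext with every request
    op: str       # requested operation (constructed names, not a real protocol)


# Constructed sample traffic, not captured from any device: a legitimate client,
# then a second host that presents the same secret and re-sends an old message.
SAMPLE: List[Request] = [
    Request("10.0.0.5", 1, "s3cr3t-token", "READ_STATUS"),
    Request("10.0.0.5", 2, "s3cr3t-token", "READ_CONFIG"),
    Request("10.0.0.5", 3, "s3cr3t-token", "WRITE_ALARM_LIMIT"),
    Request("10.0.0.99", 4, "s3cr3t-token", "READ_CONFIG"),   # same secret, different host
    Request("10.0.0.99", 2, "s3cr3t-token", "READ_CONFIG"),   # seq 2 was already used: replay
    Request("10.0.0.5", 4, "s3cr3t-token", "READ_STATUS"),    # legitimate, but seq 4 is consumed
]


class ReplayGuard:
    """Receiver-side control the advisory implies is missing: a message is
    accepted only if its sequence number is strictly greater than the last
    one accepted for that session (keyed here by the secret)."""

    def __init__(self) -> None:
        self._last: Dict[str, int] = {}

    def accept(self, req: Request) -> bool:
        last = self._last.get(req.secret, 0)
        if req.seq <= last:
            return False          # duplicate or out-of-sequence: drop it
        self._last[req.secret] = req.seq
        return True


def audit(requests: List[Request]) -> dict:
    """Detection view over recorded traffic. Because the secret travels in
    cleartext, a monitor can see it; the same secret from several hosts is a
    strong sign it has been captured and reused. Out-of-sequence messages are
    reported by index so they can be correlated with device logs."""
    hosts_by_secret: Dict[str, set] = {}
    highest: Dict[str, int] = {}
    out_of_sequence: List[int] = []
    for i, r in enumerate(requests):
        hosts_by_secret.setdefault(r.secret, set()).add(r.src)
        if r.seq <= highest.get(r.secret, 0):
            out_of_sequence.append(i)
        else:
            highest[r.secret] = r.seq
    reused = {s: sorted(h) for s, h in hosts_by_secret.items() if len(h) > 1}
    return {"reused_secrets": reused, "out_of_sequence": out_of_sequence}


if __name__ == "__main__":
    guard = ReplayGuard()
    print([guard.accept(r) for r in SAMPLE])
    print(audit(SAMPLE))
```

The sequence check alone does not recover from a stolen secret: the impostor's message consumes sequence number 4, so the legitimate client's next request is dropped too, which is why the cleartext transport (CWE-319) is the root issue and the replay acceptance (CWE-294) only compounds it.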

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Diego Zaffaroni of Nozomi Networks reported these vulnerabilities to CISA.

4. MITIGATIONS

Baker Hughes – Bently Nevada recommends that users follow their hardening guidelines to reduce the risk of exploitation. Customers who have registered for access to Baker Hughes DAM may directly access the hardening guideline at https://dam.bakerhughes.com/media/?mediaId=32F7FC2F-9F22-4C69-BB847565B7834D08.

Customers that do not have access to Baker Hughes DAM may send an email to bentlysupport@bakerhughes.com to request document 106M9733.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 26, 2023: Initial Publication

Advantech EKI-1524-CE series


1. EXECUTIVE SUMMARY

CVSS v3 5.4
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Advantech
Equipment: EKI-1524-CE, EKI-1522-CE, EKI-1521-CE
Vulnerabilities: Cross-Site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the session.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Advantech serial device servers are affected:

EKI-1524-CE series: versions 1.24 and prior
EKI-1522-CE series: versions 1.24 and prior
EKI-1521-CE series: versions 1.24 and prior

3.2 Vulnerability Overview

3.2.1 Cross-Site Scripting CWE-79

Advantech EKI-1524, EKI-1522, EKI-1521 devices through version 1.21 are affected by a stored cross-site scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.

CVE-2023-4202 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

3.2.2 Cross-Site Scripting CWE-79

Advantech EKI-1524, EKI-1522, EKI-1521 devices through version 1.24 are affected by a stored cross-site scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface.

CVE-2023-4203 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

These vulnerabilities were discovered during research by R. Haas, A. Resanovic, T. Etzenberger, M. Bineder at St. Pölten UAS, supported and coordinated by CyberDanube.

4. MITIGATIONS

Advantech recommends users upgrade to the latest version available (currently v1.26) as shown below:

EKI-1521-CE
EKI-1522-CE
EKI-1524-CE

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 26, 2023: Initial Publication

Suprema BioStar 2


1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: Suprema Inc.
Equipment: BioStar 2
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Suprema BioStar 2, an access control system, are affected:

BioStar 2: version 2.8.16

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via value parameters.

CVE-2023-27167 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) authored by Yuriy (Vander) Tsarenko and reported to Exploit-db.

4. MITIGATIONS

Suprema Inc. has released BioStar 2 2.9.4 to fix this vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

September 26, 2023: Initial Publication

Mitsubishi Electric FA Engineering Software


1. EXECUTIVE SUMMARY

CVSS v3 9.3
ATTENTION: Low attack complexity
Vendor: Mitsubishi Electric
Equipment: FA Engineering Software Products
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to execute code, which could result in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric FA Engineering Software Products are affected:

GX Works3: All versions

3.2 Vulnerability Overview

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

In all versions of Mitsubishi Electric GX Works3, code execution is possible due to permission issues. This could allow an attacker to cause information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.

CVE-2023-4088 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Install the version described in the Mitsubishi Electric advisory into the default installation folder. If it is necessary to change the installation folder from the default, select a folder that only users with Administrator privileges have permission to change.
Install anti-virus software on the computer using the affected product.
Use your computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
When connecting your computer with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., and allow only trusted users to remote login.
Don’t open untrusted files or click untrusted links.

For more information, see the Mitsubishi security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 26, 2023: Initial Publication

Rockwell Automation Connected Components Workbench


1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: Rockwell Automation
Equipment: Connected Components Workbench
Vulnerabilities: Use After Free, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit heap corruption via a crafted HTML page.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Connected Components Workbench Smart Security Manager are affected:

Connected Components Workbench: versions prior to R21

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-16017 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 USE AFTER FREE CWE-416

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVE-2022-0609 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-16009 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-16013 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-15999 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to R21 or later.

Users with the affected software are encouraged to apply the risk mitigations, if possible.

Additionally, Rockwell Automation encourages users to implement their suggested security best practices to minimize the risk of vulnerability.

Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Rockwell Automation FactoryTalk View Machine Edition


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View Machine Edition
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code remotely with specially crafted malicious packets or by using a self-made library to bypass security checks.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

FactoryTalk View Machine Edition: v13.0
FactoryTalk View Machine Edition: v12.0 and prior

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. There is a routine that restricts it to executing specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the function.

CVE-2023-2071 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community reported this vulnerability to Rockwell Automation.

4. MITIGATIONS

Rockwell recommends updating FactoryTalk View Machine Edition with the v12.0 and v13.0 patch.

Users of the affected versions are encouraged by Rockwell Automation to upgrade to corrected firmware revisions. Users are also strongly encouraged to implement Rockwell Automation’s suggested security best practices to minimize the risk of the vulnerability.

Install the security patches for the respective versions
Security Best Practices

For more information and to see Rockwell’s detection rules, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Siemens Spectrum Power 7

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.2
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Spectrum Power 7
Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to inject arbitrary code to the update script and escalate privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

Spectrum Power 7: versions prior to V23Q3

3.2 Vulnerability Overview

3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732

The affected product assigns improper access rights to the update script. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

CVE-2023-38557 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tyler Webb from Dragos Inc. reported this vulnerability to Siemens and CISA.

4. MITIGATIONS

Siemens has released an update for Spectrum Power 7 (V23Q3) and recommends updating to the latest version. For any versions of Spectrum Power 7 prior to V23Q3, please contact Siemens customer support.

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment. As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to Siemens’ operational guidelines in order to run the devices in a protected IT environment.

For more information see the associated Siemens security advisory SSA-357182 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Rockwell Automation Select Logix Communication Modules

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Logix Communication Modules are affected:

1756-EN2T Series A: versions 5.008 and prior

1756-EN2T Series A: version 5.028

1756-EN2T Series B: versions 5.008 and prior

1756-EN2T Series B: version 5.028

1756-EN2T Series C: versions 5.008 and prior

1756-EN2T Series C: version 5.028

1756-EN2T Series D: versions 11.002 and prior

1756-EN2TK Series A: versions 5.008 and prior

1756-EN2TK Series A: version 5.028

1756-EN2TK Series B: versions 5.008 and prior

1756-EN2TK Series B: version 5.028

1756-EN2TK Series C: versions 5.008 and prior

1756-EN2TK Series C: version 5.028

1756-EN2TK Series D: versions 11.002 and prior

1756-EN2TXT Series A: versions 5.008 and prior

1756-EN2TXT Series A: version 5.028

1756-EN2TXT Series B: versions 5.008 and prior

1756-EN2TXT Series B: version 5.028

1756-EN2TXT Series C: versions 5.008 and prior

1756-EN2TXT Series C: version 5.028

1756-EN2TXT Series D: versions 11.002 and prior

1756-EN2TP Series A: versions 11.002 and prior

1756-EN2TPK Series A: versions 11.002 and prior

1756-EN2TPXT Series A: versions 11.002 and prior

1756-EN2TR Series A: versions 5.008 and prior

1756-EN2TR Series A: version 5.028

1756-EN2TR Series B: versions 5.008 and prior

1756-EN2TR Series B: version 5.028

1756-EN2TR Series C: versions 11.002 and prior

1756-EN2TRK Series A: versions 5.008 and prior

1756-EN2TRK Series A: version 5.028

1756-EN2TRK Series B: versions 5.008 and prior

1756-EN2TRK Series B: version 5.028

1756-EN2TRK Series C: versions 11.002 and prior

1756-EN2TRXT Series A: versions 5.008 and prior

1756-EN2TRXT Series A: version 5.028

1756-EN2TRXT Series B: versions 5.008 and prior

1756-EN2TRXT Series B: version 5.028

1756-EN2TRXT Series C: versions 11.002 and prior

1756-EN2F Series A: versions 5.008 and prior

1756-EN2F Series A: version 5.028

1756-EN2F Series B: versions 5.008 and prior

1756-EN2F Series B: version 5.028

1756-EN2F Series C: versions 11.002 and prior

1756-EN2FK Series A: versions 5.008 and prior

1756-EN2FK Series A: version 5.028

1756-EN2FK Series B: versions 5.008 and prior

1756-EN2FK Series B: version 5.028

1756-EN2FK Series C: versions 11.002 and prior

1756-EN3TR Series A: versions 5.008 and prior

1756-EN3TR Series A: version 5.028

1756-EN3TR Series B: versions 11.002 and prior

1756-EN3TRK Series A: versions 5.008 and prior

1756-EN3TRK Series A: version 5.028

1756-EN3TRK Series B: versions 11.002 and prior

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

A buffer overflow vulnerability exists in the 1756 EN2T communication devices. If exploited, a threat actor could potentially leverage this vulnerability to achieve remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to the device.

CVE-2023-2262 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has released the following for users to apply:

1756-EN2T Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2T Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2T Series C versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2T Series D versions 11.002 and prior: Update to 11.003 or later

1756-EN2TK Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TK Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TK Series C versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TK Series D versions 11.002 and prior: Update to 11.003 or later

1756-EN2TXT Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TXT Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TXT Series C versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TXT Series D versions 11.002 and prior: Update to 11.003 or later

1756-EN2TP Series A versions 11.002 and prior: Update to 11.003 or later

1756-EN2TPK Series A versions 11.002 and prior: Update to 11.003 or later

1756-EN2TPXT Series A versions 11.002 and prior: Update to 11.003 or later

1756-EN2TR Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TR Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TR Series C versions 11.002 and prior: Update to 11.003 or later

1756-EN2TRK Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TRK Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TRK Series C versions 11.002 and prior: Update to 11.003 or later

1756-EN2TRXT Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TRXT Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2TRXT Series C versions 11.002 and prior: Update to 11.003 or later

1756-EN2F Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2F Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2F Series C versions 11.002 and prior: Update to 11.003 or later

1756-EN2FK Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2FK Series B versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN2FK Series C versions 11.002 and prior: Update to 11.003 or later

1756-EN3TR Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN3TR Series B versions 11.002 and prior: Update to 11.003 or later

1756-EN3TRK Series A versions 5.008 and prior and version 5.028: Update to 5.009 and 5.029 or later

1756-EN3TRK Series B versions 11.002 and prior: Update to 11.003 or later
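The affected-version list and the update mapping above are easy to misread by hand because the 5.x train lists two disjoint ranges (5.008 and prior, and 5.028 separately) while the 11.x train lists one. The following is an added example, not Rockwell Automation's or CISA's tooling, that encodes the ranges exactly as the advisory lists them and triages a constructed sample inventory; the sample rows and the function names are assumptions.

```python
# Added example (not Rockwell's or CISA's tooling): triage an asset inventory against the
# affected ranges and update targets listed in this advisory. Sample rows are constructed.
from typing import List, Optional, Tuple

# (lowest affected revision, or None for "and prior"; highest affected; update target)
_OLD_TRAIN = [(None, "5.008", "5.009"), ("5.028", "5.028", "5.029")]
_NEW_TRAIN = [(None, "11.002", "11.003")]

# Catalog number -> (series letters on the 5.x train, series letters on the 11.x train)
_FAMILIES = {
    "1756-EN2T": ("ABC", "D"), "1756-EN2TK": ("ABC", "D"), "1756-EN2TXT": ("ABC", "D"),
    "1756-EN2TP": ("", "A"), "1756-EN2TPK": ("", "A"), "1756-EN2TPXT": ("", "A"),
    "1756-EN2TR": ("AB", "C"), "1756-EN2TRK": ("AB", "C"), "1756-EN2TRXT": ("AB", "C"),
    "1756-EN2F": ("AB", "C"), "1756-EN2FK": ("AB", "C"),
    "1756-EN3TR": ("A", "B"), "1756-EN3TRK": ("A", "B"),
}

def parse_rev(rev: str) -> Tuple[int, int]:
    """'5.008' -> (5, 8): compare as (major, minor) integers, never as floats."""
    major, minor = rev.strip().split(".")
    return int(major), int(minor)

def check_module(catalog: str, series: str, rev: str) -> Optional[str]:
    """Update target if (catalog, series, rev) falls in a listed affected range, else None.
    Raises KeyError for a catalog or series the advisory does not list. Revisions between
    the listed ranges (5.009 through 5.027) are not listed as affected, so return None."""
    old_series, new_series = _FAMILIES[catalog]
    series = series.strip().upper()
    if series in tuple(old_series):      # tuple(): "" must not match as a substring
        ranges = _OLD_TRAIN
    elif series in tuple(new_series):
        ranges = _NEW_TRAIN
    else:
        raise KeyError(f"{catalog} Series {series!r} is not listed in the advisory")
    v = parse_rev(rev)
    for low, high, target in ranges:
        if (low is None or parse_rev(low) <= v) and v <= parse_rev(high):
            return target
    return None

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """(catalog, series, current revision, update target) for every affected row."""
    findings = []
    for catalog, series, rev in inventory:
        target = check_module(catalog, series, rev)
        if target is not None:
            findings.append((catalog, series, rev, target))
    return findings

# Constructed sample inventory rows: (catalog, series, firmware revision).
SAMPLE_INVENTORY = [
    ("1756-EN2T", "A", "5.007"),    # "5.008 and prior": update to 5.009
    ("1756-EN2T", "A", "5.028"),    # listed separately: update to 5.029
    ("1756-EN2T", "A", "5.012"),    # between the ranges: not listed as affected
    ("1756-EN2TR", "C", "11.002"),  # "11.002 and prior": update to 11.003
]
```

A module at a revision between the two listed 5.x ranges is reported as not listed, not as safe; confirm such cases against Rockwell's advisory before closing them out.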

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, Rockwell Automation encourages customers to implement their suggested security best practices to minimize the risk of the vulnerability.

Restrict traffic to the SMTP port (25), if not needed.
Customers using the EN2/EN3 versions 10.x and higher can disable the email object, if not needed. Instructions can be found in the EtherNet/IP Network Devices User Manual (rockwellautomation.com).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 21, 2023: Initial Publication