
GE Digital CIMPLICITY

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: GE Digital
Equipment: CIMPLICITY
Vulnerability: Process Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a low-privileged local attacker to escalate privileges to SYSTEM.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following GE products are affected:

GE Digital CIMPLICITY: v2023

3.2 VULNERABILITY OVERVIEW

3.2.1 PROCESS CONTROL CWE-114

GE CIMPLICITY 2023 is affected by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.

CVE-2023-4487 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to CISA.

4. MITIGATIONS

GE Digital recommends users apply the following mitigations:

Update CIMPLICITY to v2023 SIM 1 (login is required)

Please refer to GE Digital’s security bulletin (login is required) for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Digi RealPort Protocol

1. EXECUTIVE SUMMARY

CVSS v3 9.0
ATTENTION: Exploitable remotely
Vendor: Digi International, Inc.
Equipment: Digi RealPort Protocol
Vulnerability: Use of Password Hash Instead of Password for Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the attacker to access connected equipment.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Digi International reports that the following products using Digi RealPort Protocol are affected:

Digi RealPort for Windows: version 4.8.488.0 and earlier
Digi RealPort for Linux: version 1.9-40 and earlier
Digi ConnectPort TS 8/16: versions prior to 2.26.2.4
Digi Passport Console Server: all versions
Digi ConnectPort LTS 8/16/32: versions prior to 1.4.9
Digi CM Console Server: all versions
Digi PortServer TS: all versions
Digi PortServer TS MEI: all versions
Digi PortServer TS MEI Hardened: all versions
Digi PortServer TS M MEI: all versions
Digi PortServer TS P MEI: all versions
Digi One IAP Family: all versions
Digi One IA: all versions
Digi One SP IA: all versions
Digi One SP: all versions
Digi WR31: all versions
Digi WR11 XT: all versions
Digi WR44 R: all versions
Digi WR21: all versions
Digi Connect ES: versions prior to 2.26.2.4
Digi Connect SP: all versions

Digi International reports that the following products, which do NOT use Digi RealPort Protocol, are NOT affected:

Digi 6350-SR: all versions
Digi ConnectCore 8X products: all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF PASSWORD HASH INSTEAD OF PASSWORD FOR AUTHENTICATION CWE-836

Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.

CVE-2023-4299 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Reid Wightman of Dragos, Inc reported this vulnerability to Digi International.

4. MITIGATIONS

Digi International recommends users acquire and install patches that they have made available for the following products:

RealPort software for Windows: Fixed in 4.10.490
Digi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4
Digi ConnectPort LTS 8/16/32: Fixed in version 1.4.9
Digi Connect ES: Fixed in firmware version 2.26.2.4

For more information, see the customer notification document published by Digi International.

Dragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi’s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.

If using the system in ‘reverse’ mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.
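The port restriction above can be verified against connection records: any RealPort flow that is not between an allowlisted workstation and a known Digi device, in either forward or reverse mode, is worth investigating. The following is an added example, not Digi's or Dragos's code; the addresses, the extra configured port and the flow records are constructed.

```python
"""Flag RealPort connections on TCP/771 and TCP/1027 (the defaults named above)
that are not between an allowlisted workstation and a known Digi device, in
either forward (workstation -> device) or reverse (device -> workstation) mode.

Constructed example: addresses, the extra port and the flow lines are made up.
"""
from dataclasses import dataclass
from typing import List

# RealPort ports to watch. 771 and 1027 are the defaults named in the advisory;
# 7771 stands in for a port an operator configured on one device (assumption).
REALPORT_PORTS = {771, 1027, 7771}

# Assumed inventory: workstations that run RealPort, and the Digi devices.
WORKSTATIONS = {"10.1.10.5", "10.1.10.6"}
DIGI_DEVICES = {"10.1.20.11", "10.1.20.12"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse one 'src dst dport' record per line (constructed log format)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def is_authorized(flow: Flow) -> bool:
    """Return True for traffic that is not RealPort at all, or for RealPort
    traffic between an allowlisted workstation and a known Digi device.
    Forward mode: a workstation connects to the device's RealPort port.
    Reverse mode: the device calls back to the workstation's RealPort port."""
    if flow.dport not in REALPORT_PORTS:
        return True
    forward = flow.src in WORKSTATIONS and flow.dst in DIGI_DEVICES
    reverse = flow.src in DIGI_DEVICES and flow.dst in WORKSTATIONS
    return forward or reverse


def find_unauthorized(flows: List[Flow]) -> List[Flow]:
    """Every RealPort flow that the allowlist does not explain."""
    return [f for f in flows if not is_authorized(f)]


# Constructed sample: a forward flow, a reverse flow, a flow on the custom port,
# two flows from hosts that should never speak RealPort, and one SSH flow.
SAMPLE_FLOWS = """
10.1.10.5 10.1.20.11 771
10.1.20.12 10.1.10.6 1027
10.1.10.5 10.1.20.12 7771
10.1.30.77 10.1.20.11 771
10.1.40.9 10.1.10.5 1027
10.1.30.77 10.1.20.11 22
"""

if __name__ == "__main__":
    for f in find_unauthorized(parse_flows(SAMPLE_FLOWS)):
        print(f"unexpected RealPort connection: {f.src} -> {f.dst}:{f.dport}")
```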

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

ARDEREG Sistemas SCADA

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ARDEREG
Equipment: Sistemas SCADA
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to manipulate SQL query logic to extract sensitive information and perform unauthorized actions within the database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ARDEREG products are affected:

Sistemas SCADA: Versions 2.203 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

Sistema SCADA Central, a supervisory control and data acquisition (SCADA) system, is designed to monitor and control various industrial processes and critical infrastructure. ARDEREG identified this SCADA system’s login page to be vulnerable to an unauthenticated blind SQL injection attack. An attacker could manipulate the application’s SQL query logic to extract sensitive information or perform unauthorized actions within the database. In this case, the vulnerability could allow an attacker to execute arbitrary SQL queries through the login page, potentially leading to unauthorized access, data leakage, or even disruption of critical industrial processes.

CVE-2023-4485 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
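The defect class described above, a login query whose logic can be changed by the submitted username, is shown here next to the parameterised form that neutralises it. This is an added example using an in-memory SQLite table, not ARDEREG's code; the schema, the account and the queries are constructed.

```python
"""A login query built by string concatenation (the pattern behind an
unauthenticated SQL injection on a login page) beside the parameterised version
that neutralises it. The schema, account and queries are constructed for this
example; the password hash is SHA-256 only to keep the example short.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with one operator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("operator", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input is spliced into the SQL text, so a quote in the username
    ends the string literal and the rest is parsed as SQL logic (CWE-89)."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders fix the query structure before any value is seen; the
    driver binds username and hash as data, so quotes are just characters."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


# Textbook tautology in the username field, kept as a regression-test input:
# with concatenation it becomes  username = 'operator' OR '1'='1' AND ...
# and the OR branch matches the real account regardless of the password.
TAUTOLOGY = "operator' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, wrong password, tautology:", login_vulnerable(db, TAUTOLOGY, "x"))
    print("hardened login,   wrong password, tautology:", login_hardened(db, TAUTOLOGY, "x"))
```

The hardened form is what a code review or the "secure coding practices" workaround below should look for in the login handler.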

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Health, Public Health
COUNTRIES/AREAS DEPLOYED: South America
COMPANY HEADQUARTERS LOCATION: Argentina

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd. reported this vulnerability to CISA.

4. MITIGATIONS

ARDEREG is aware of the issue but has not responded to our requests. For more information, contact ARDEREG by email.

ARDEREG recommends the following workarounds to help reduce the risk:

Security Awareness and Training: Conduct regular security awareness and training sessions for developers, administrators, and other personnel involved in the management and operation of the SCADA system. Educate about the risks and consequences of SQL injection vulnerabilities and provide guidance on secure coding practices, proper input validation, and best practices for securely interacting with databases.
Regular Security Assessments: Perform regular security assessments, including penetration testing and code reviews, to identify and address any vulnerabilities in the SCADA system. Conduct internal security audits to evaluate the overall security posture and identify any weaknesses an attacker could exploit through SQL injection or other attack vectors.
Incident Response Plan: Develop and maintain an incident response plan specifically tailored to address security incidents related to SQL injection and other vulnerabilities in the SCADA system. Establish clear procedures and responsibilities for responding to and mitigating security incidents, including containment, investigation, and recovery steps.
Vendor and Supply Chain Security: Ensure the vendors and suppliers involved in the development and maintenance of the SCADA system follow secure coding practices and adhere to strict security standards. Regularly evaluate and monitor the security practices to minimize the risk of introducing vulnerabilities through the supply chain.
System Segmentation: Implement network segmentation to isolate the SCADA system from other less critical systems or public-facing networks. This reduces the attack surface and limits the potential impact of a successful SQL injection attack by containing it within a restricted network segment.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

PTC Codebeamer

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Codebeamer
Vulnerability: Cross site scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim’s browser upon clicking on a malicious link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PTC Codebeamer, Application Lifecycle Management (ALM) platform for product and software development, are affected:

Codebeamer: v22.10-SP6 or lower
Codebeamer: v22.04-SP2 or lower
Codebeamer: v21.09-SP13 or lower

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

CVE-2023-4296 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.

4. MITIGATIONS

PTC recommends the following:

Version 22.10.X: upgrade to 22.10-SP7 or newer version
Version 22.04.X: upgrade to 22.04-SP3 or newer version
Version 21.09.X: upgrade to 21.09-SP14 or newer version

Docker Image download: https://hub.docker.com/r/intland/codebeamer/tags

Codebeamer installers: https://intland.com/codebeamer-download/

Hosted customers may request an upgrade through the support channel.

Note that version 2.0 is not impacted by this vulnerability.

For more information refer to PTC Security Advisory and Resolution.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Schneider Electric PowerLogic ION7400 / PM8000 / ION8650 / ION8800 / ION9000 Power Meters

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: PowerLogic ION7400 / PM8000 / ION8650 / ION8800 / ION9000
Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a disclosure of sensitive information, a denial of service, or modification of data if an attacker is able to intercept network traffic.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following components of Schneider Electric PowerLogic, a power meter, are affected:

PowerLogic ION9000: All versions prior to 4.0.0
PowerLogic ION7400: All versions prior to 4.0.0
PowerLogic PM8000: All versions prior to 4.0.0
PowerLogic ION8650: All versions
PowerLogic ION8800: All versions
Legacy ION products: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic.

CVE-2022-46680 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Jos Wetzels of Forescout Technologies reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has released the following remediations for users to implement:

Update affected components to current firmware versions for available vulnerability fixes:
PowerLogic ION9000: Version 4.0.0 is available for download.
PowerLogic ION7400: Version 4.0.0 is available for download.
PowerLogic PM8000: Version 4.0.0 is available for download.

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric recommends using backups and evaluating the impact of these patches in a “testing and development environment” or on an offline infrastructure.
Users should contact Schneider Electric for assistance in removing a patch.
Schneider Electric recommends that users ensure devices supporting ION protocol are not exposed to the internet or other untrusted networks. Users should apply the best practices for network hardening as documented in the product user guide and the Schneider Electric Recommended Cybersecurity Best Practices.
Additional configuration steps and supporting software are required to utilize the secure ION feature. Please refer to the relevant product documentation or contact customer care for additional details and support.

For more information, see Schneider Electric’s security advisory SEVD-2023-129-03.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically targeting these vulnerabilities have been reported to CISA at this time. 

Hitachi Energy AFF66x

1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: AFF66x
Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random Values, Origin Validation Error, Integer Overflow or Wraparound, Uncontrolled Resource Consumption, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports these vulnerabilities affect the following AFF660/665 products:

AFF660/665: Firmware 03.0.02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names DNS servers returned via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.

CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
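The missing validation step described above can be applied by the application as a defence in depth, whatever libc the device runs: every name a resolver hands back is checked against hostname syntax before it is logged, displayed or used in a command. This is an added example, not uClibc's or Hitachi Energy's code; the lookup function is injectable and the reverse-DNS answers are constructed so it runs offline.

```python
"""Validate hostnames that come back from DNS before any code path uses them,
the check the uClibc description above says a stub resolver should perform.
The lookup function is injectable so the constructed answers below run offline;
socket.gethostbyaddr is the real default.
"""
import re
import socket
from typing import Callable, List, Tuple

# RFC 1123 label: 1-63 characters, letters/digits/hyphens, no leading or
# trailing hyphen. Spaces, '<', ';', control bytes and the like all fail.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

LookupResult = Tuple[str, List[str], List[str]]  # (hostname, aliases, addrs)


def is_valid_hostname(name: str) -> bool:
    """Strict syntax check for a hostname received from an untrusted resolver."""
    if not name:
        return False
    if name.endswith("."):          # one trailing dot (absolute name) is fine
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.fullmatch(label) for label in name.split("."))


def validated_reverse_lookup(
    ip: str, lookup: Callable[[str], LookupResult] = socket.gethostbyaddr
) -> LookupResult:
    """Reverse-resolve `ip` and refuse to return any name that fails validation.
    `lookup` has the shape of socket.gethostbyaddr: (hostname, aliases, addrs).
    Aliases are checked too, since callers often log or display all of them."""
    hostname, aliases, addrs = lookup(ip)
    rejected = [n for n in [hostname, *aliases] if not is_valid_hostname(n)]
    if rejected:
        raise ValueError(f"DNS answer for {ip} contained invalid name(s): {rejected!r}")
    return hostname, list(aliases), list(addrs)


# Constructed reverse-DNS answers standing in for a real (or spoofed) server.
FAKE_PTR_ANSWERS = {
    "10.1.20.11": ("rtu-01.plant.example", ["rtu-01"], ["10.1.20.11"]),
    "10.1.20.12": ("rtu-02.plant.example", ["-bad-label.example"], ["10.1.20.12"]),
    "10.1.20.13": ("rtu<03>.example", [], ["10.1.20.13"]),
}


def fake_lookup(ip: str) -> LookupResult:
    """Offline stand-in for socket.gethostbyaddr (constructed data)."""
    return FAKE_PTR_ANSWERS[ip]


if __name__ == "__main__":
    for ip in FAKE_PTR_ANSWERS:
        try:
            print(ip, "->", validated_reverse_lookup(ip, fake_lookup)[0])
        except ValueError as exc:
            print(ip, "->", exc)
```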

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must rely on unauthenticated IPv4 time sources. There must be an off-path attacker who could query time from the victim’s ntpd instance.

CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.2.3 ORIGIN VALIDATION ERROR CWE-346

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190

TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the Linux kernel when handling TCP selective acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit.

CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A vulnerability named “non-responsive delegation attack” (NRDelegation attack) has been discovered in various DNS resolving software. The NRDelegation attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack could cause a resolver to spend time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It could trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, which could lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but still requires resources to resolve the malicious delegation. Unbound will continue to try to resolve the record until it reaches hard limits. Based on the nature of the attack and the replies, Unbound could reach different limits. From version 1.16.3 on, Unbound introduces fixes for better performance when under load by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 NULL POINTER DEREFERENCE CWE-476

snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL pointer exception bug that an unauthenticated attacker could use to remotely cause the instance to crash via a crafted UDP packet, resulting in denial of service.

CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends the following actions:

Update to upcoming AFF660/665 FW 04.6.01 release when available.
Configure only trusted DNS server(s).
Configure the NTP service with redundant trustworthy sources of time.
Restrict TCP/IP-based management protocols to trusted IP addresses.
Disable the SNMP server (CLI and web interface will continue to function as they use an internal connection).

Hitachi Energy recommends the following general mitigations:

Recommended security practices and firewall configurations could help protect a process control network from attacks originating from outside the network.
Physically protect process control systems from direct access by unauthorized personnel.
Ensure process control systems have no direct connections to the internet and are separated from other networks via a firewall system with minimal exposed ports.
Do not use process control systems for internet surfing, instant messaging, or receiving emails.
Scan portable computers and removable storage media for malware prior to connection to a control system.

For more information, see Hitachi Energy’s Security Advisory: 8DBD000167.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Trane Thermostats

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Low attack complexity
Vendor: Trane
Equipment: XL824, XL850, XL1050, and Pivot thermostats
Vulnerability: Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Trane reports this vulnerability affects the following thermostats:

Trane Technologies XL824 Thermostat: Firmware versions 5.9.8 and earlier
Trane Technologies XL850 Thermostat: Firmware versions 5.9.8 and earlier
Trane Technologies XL1050 Thermostat: Firmware versions 5.9.8 and earlier
Trane Technologies Pivot Thermostat: Firmware versions 1.8 and earlier

3.2 VULNERABILITY OVERVIEW

3.2.1 INJECTION CWE-74

A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.

CVE-2023-4212 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
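The defect class above, a filename read from removable media and passed through a shell, is illustrated here next to a hardened handler that validates the name and never uses a shell. This is an added example, not Trane's firmware code; the mount point, staging directory and update-name pattern are assumptions.

```python
"""A filename taken from removable media used in a shell command string (the
pattern behind command injection 'using a specially crafted filename') beside a
hardened version that validates the name and never hands it to a shell.
Constructed example: the paths, the update-name pattern and the inputs are
assumptions, not Trane's code.
"""
import os
import re
import subprocess
from typing import List

USB_MOUNT = "/media/usb"      # assumed mount point of the inserted stick
STAGING_DIR = "/var/lib/fw"   # assumed directory the updater copies into

# Assumed naming rule: update files look like 'xl824-5.9.9.bin'.
_UPDATE_NAME_RE = re.compile(r"^[a-z0-9]+-\d+\.\d+\.\d+\.bin$")


def build_shell_command_vulnerable(filename: str) -> str:
    """The unsafe pattern: the name is spliced into a command string meant for
    a shell, so shell metacharacters in the name become part of the command.
    Returned rather than executed, so the example shows the problem safely."""
    return "cp " + USB_MOUNT + "/" + filename + " " + STAGING_DIR + "/"


def validate_update_filename(filename: str) -> bool:
    """Accept only a bare basename (no separators, no traversal) that matches
    the expected update-file pattern; everything else is rejected outright."""
    if filename in ("", ".", ".."):
        return False
    if filename != os.path.basename(filename):   # rejects '/', '../x', etc.
        return False
    return _UPDATE_NAME_RE.fullmatch(filename) is not None


def build_copy_argv_hardened(filename: str) -> List[str]:
    """Validated name, argv list (no shell), '--' so the name cannot be read
    as an option, and a path joined under USB_MOUNT."""
    if not validate_update_filename(filename):
        raise ValueError(f"refusing update file name: {filename!r}")
    return ["cp", "--", os.path.join(USB_MOUNT, filename), STAGING_DIR + "/"]


def stage_update_hardened(filename: str) -> int:
    """Run the validated copy without a shell; returns cp's exit status."""
    argv = build_copy_argv_hardened(filename)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    crafted = "xl824-5.9.9.bin;true"   # constructed: a second command after ';'
    print("shell string built from crafted name:", build_shell_command_vulnerable(crafted))
    print("hardened handler accepts it:", validate_update_filename(crafted))
```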

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Houlton McGuinn reported this vulnerability to Trane.

4. MITIGATIONS

Trane Technologies has pushed the patch out to all devices. The patch is available to all affected devices. As soon as the device is connected to the internet, it will check for a new firmware version. If a new version is available, the device will download and install it. Other than connecting the device to the internet, no user interaction is required.

If a user wants to verify that they received a patch for this vulnerability, they can verify the firmware version is greater than what is listed above by navigating to the “About” screen on the thermostat. Menu > System Info > About.

For more information, users may contact their local Trane sales office.

Trane has published a service database article on their website (login required).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Rockwell Automation ThinManager ThinServer

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager ThinServer
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to crash the ThinServer process, delete arbitrary files with system privileges, or upload arbitrary files to any directory on the drive where ThinServer.exe is installed.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports these vulnerabilities affect the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software:

ThinManager ThinServer: Versions 11.0.0-11.0.6
ThinManager ThinServer: Versions 11.1.0-11.1.6
ThinManager ThinServer: Versions 11.2.0-11.2.6
ThinManager ThinServer: Versions 12.1.0-12.1.6
ThinManager ThinServer: Versions 12.0.0-12.0.5
ThinManager ThinServer: Versions 13.0.0-13.0.2
ThinManager ThinServer: Version 13.1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

Due to improper input validation, an integer overflow condition exists in the affected products. When ThinServer processes a crafted synchronization protocol message, the overflow leads to a read access violation that terminates the process, a denial-of-service condition. No authentication is required to send the message.

CVE-2023-2914 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

Due to improper input validation, a path traversal vulnerability exists when ThinServer processes a certain function. An unauthenticated remote threat actor who sends a specifically crafted synchronization protocol message can delete arbitrary files with system privileges.

CVE-2023-2915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

Due to improper input validation, a path traversal vulnerability exists via the file name field when ThinServer processes a certain function. An unauthenticated remote attacker who sends a crafted synchronization protocol message can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.

CVE-2023-2917 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
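The three ThinServer findings above share one root cause: lengths and names taken from a synchronization protocol message are trusted. The following added example is not Rockwell's code and does not reflect the real ThinManager wire format; it uses a hypothetical length-prefixed message (a 32-bit name length, a 32-bit body length, then the two fields) and an assumed store directory. It shows a parser with the 32-bit length arithmetic that wraps (the CVE-2023-2914 class), the same parser with the checks in place, and a file name check that keeps a received name from escaping its directory (the CVE-2023-2915/2917 class).

```c
/* Added example, not Rockwell code: a hypothetical length-prefixed
 * "sync" message carrying a file name and a file body, parsed first the
 * way the advisory describes the flaws (32-bit length arithmetic that
 * wraps; a received name used directly as a path) and then with the
 * checks in place.  Message layout, field names and the store
 * directory are assumptions for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME   64
#define STORE_ROOT "C:\\ThinServer\\Store\\"   /* assumed install-relative directory */

struct sync_msg {
    uint32_t name_len;        /* length of the file name field */
    uint32_t body_len;        /* length of the file body field */
    const uint8_t *name;      /* both point into the received buffer */
    const uint8_t *body;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* VULNERABLE (CVE-2023-2914 class): the two lengths are summed in 32
 * bits.  With name_len = 0x10 and body_len = 0xFFFFFFF8 the sum wraps
 * to 8, the bounds check passes, and whatever next reads body_len
 * bytes runs off the end of the buffer: a read access violation that
 * terminates the process. */
int parse_sync_vuln(const uint8_t *buf, uint32_t len, struct sync_msg *m)
{
    if (len < 8) return -1;
    m->name_len = rd32le(buf);
    m->body_len = rd32le(buf + 4);
    uint32_t total = m->name_len + m->body_len;   /* wraps */
    if (total > len - 8) return -1;                /* passes wrongly */
    m->name = buf + 8;
    m->body = buf + 8 + m->name_len;
    return 0;
}

/* FIXED: compare each field against what actually remains, never
 * against a sum that can wrap, and bound the name to its destination. */
int parse_sync_fixed(const uint8_t *buf, uint32_t len, struct sync_msg *m)
{
    if (len < 8) return -1;
    m->name_len = rd32le(buf);
    m->body_len = rd32le(buf + 4);
    uint32_t remaining = len - 8;
    if (m->name_len == 0 || m->name_len >= MAX_NAME) return -1;
    if (m->name_len > remaining) return -1;
    remaining -= m->name_len;
    if (m->body_len > remaining) return -1;
    m->name = buf + 8;
    m->body = buf + 8 + m->name_len;
    return 0;
}

/* Path traversal (CVE-2023-2915/2917 class): the received name must be
 * a bare Windows file name.  Reject both separators, the drive/stream
 * colon, reserved characters, control bytes, and leading or trailing
 * dots and spaces (Windows strips trailing ones, so ".. " is "..").
 * Only then is the name joined to the fixed store directory. */
int store_path_for(const uint8_t *name, uint32_t name_len,
                   char *out, size_t out_len)
{
    if (name_len == 0 || name_len >= MAX_NAME) return -1;
    if (name[0] == '.' || name[0] == ' ') return -1;
    if (name[name_len - 1] == '.' || name[name_len - 1] == ' ') return -1;
    for (uint32_t i = 0; i < name_len; i++) {
        uint8_t c = name[i];
        if (c < 0x20 || c == 0x7F || c == '/' || c == '\\' || c == ':' ||
            c == '"' || c == '*' || c == '?' || c == '<' || c == '>' || c == '|')
            return -1;
    }
    int n = snprintf(out, out_len, "%s%.*s", STORE_ROOT,
                     (int)name_len, (const char *)name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed hostile message: name_len 0x10, body_len 0xFFFFFFF8,
     * then padding so the whole buffer is 32 bytes. */
    uint8_t evil[32] = { 0x10, 0x00, 0x00, 0x00, 0xF8, 0xFF, 0xFF, 0xFF };
    struct sync_msg m;
    printf("vulnerable parser accepts wrapped lengths: %s\n",
           parse_sync_vuln(evil, sizeof evil, &m) == 0 ? "yes" : "no");
    printf("fixed parser rejects them:                 %s\n",
           parse_sync_fixed(evil, sizeof evil, &m) == -1 ? "yes" : "no");

    char path[128];
    const char *trav = "..\\..\\Windows\\win.ini";   /* constructed traversal name */
    printf("traversal name rejected: %s\n",
           store_path_for((const uint8_t *)trav, (uint32_t)strlen(trav),
                          path, sizeof path) == -1 ? "yes" : "no");
    if (store_path_for((const uint8_t *)"cfg.xml", 7, path, sizeof path) == 0)
        printf("plain name stored at: %s\n", path);
    return 0;
}
```

Two points carry over to any real implementation. First, the fixed parser never forms the sum at all; checking "a <= remaining, then b <= remaining - a" is the overflow-safe idiom for every length field in a message, and the same pattern protects a fixed-size destination buffer (here MAX_NAME). Second, a name check is not a substitute for also opening the result with a flag that refuses to follow reparse points or symbolic links, but it is the check the upload and delete findings above say was missing.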

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends customers apply the following mitigations:

ThinManager ThinServer: Versions 11.0.0-11.0.6: Update to 11.0.7
ThinManager ThinServer: Versions 11.1.0-11.1.6: Update to 11.1.7
ThinManager ThinServer: Versions 11.2.0-11.2.6: Update to 11.2.8
ThinManager ThinServer: Versions 12.1.0-12.1.6: Update to 12.1.7
ThinManager ThinServer: Versions 12.0.0-12.0.5: Update to 12.0.6
ThinManager ThinServer: Versions 13.0.0-13.0.2: Update to 13.0.3
ThinManager ThinServer: Version 13.1.0: Update to 13.1.1


Customers using the affected software are encouraged to apply the updates listed above, if possible. Additionally, Rockwell Automation encourages customers to implement the following measures to minimize the risk of exploitation:

Update to the corrected software versions.
Limit remote access for TCP port 2031 to known thin clients and ThinManager servers.
Follow Rockwell Automation's security best practices.

For more information, see Rockwell Automation’s Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

CODESYS Development System

1. EXECUTIVE SUMMARY

CVSS v3 3.3
ATTENTION: Low attack complexity
Vendor: CODESYS GmbH
Equipment: CODESYS Development System
Vulnerability: Improper Restriction of Excessive Authentication Attempts

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to brute-force the password requested by an import dialog and gain access to the information it protects.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

CODESYS Development System: versions prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker an unlimited number of attempts at guessing the password requested by an import dialog.

CVE-2023-3669 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
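The control described as missing above is a limit on consecutive failed password attempts. The following added example is not CODESYS code; it sketches the shape such a limit takes for a local password prompt. The attempt cap, back-off base, lockout duration, and the plaintext comparison (a real product compares a password hash) are assumptions chosen for the example.

```c
/* Added example (not CODESYS code): a password prompt that limits
 * guessing.  Failed attempts are counted per protected object, each
 * failure doubles the wait before the next guess is even evaluated,
 * and after MAX_ATTEMPTS the prompt is locked for LOCKOUT_S seconds.
 * All constants, and the plaintext compare, are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTEMPTS 5      /* lock after this many consecutive failures */
#define BASE_DELAY_S 2      /* first back-off in seconds, doubles each failure */
#define LOCKOUT_S    900    /* lock duration once MAX_ATTEMPTS is reached */

enum auth_result { AUTH_OK, AUTH_WRONG, AUTH_THROTTLED, AUTH_LOCKED };

struct auth_state {
    unsigned failures;      /* consecutive failed attempts */
    int64_t  next_allowed;  /* earliest time (seconds) a guess is evaluated */
};

/* Constant-time comparison over the shorter length: the reject path
 * does not reveal how many leading bytes matched.  Length is still
 * observable, which is acceptable when hashes of fixed size are
 * compared in practice. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* One guess against one protected object.  'now' is wall-clock seconds
 * supplied by the caller so the logic is deterministic and testable.
 * A guess made before next_allowed is not evaluated at all, so the
 * attacker learns nothing from it, and it does not count as a failure. */
enum auth_result attempt(struct auth_state *st, const char *secret,
                         const char *guess, int64_t now)
{
    if (now < st->next_allowed)
        return st->failures >= MAX_ATTEMPTS ? AUTH_LOCKED : AUTH_THROTTLED;
    if (st->failures >= MAX_ATTEMPTS)          /* lock window has expired */
        st->failures = 0;
    if (ct_equal(secret, guess)) {
        st->failures = 0;
        st->next_allowed = now;
        return AUTH_OK;
    }
    st->failures++;
    if (st->failures >= MAX_ATTEMPTS) {
        st->next_allowed = now + LOCKOUT_S;
        return AUTH_LOCKED;
    }
    st->next_allowed = now + ((int64_t)BASE_DELAY_S << (st->failures - 1));
    return AUTH_WRONG;
}

int main(void)
{
    struct auth_state st = { 0, 0 };
    const char *secret = "s3cret";             /* assumed for the demo */
    static const char *names[] = { "OK", "WRONG", "THROTTLED", "LOCKED" };
    int64_t t = 1000;
    for (int i = 0; i < 7; i++) {              /* a guessing burst, one try per second */
        enum auth_result r = attempt(&st, secret, "guess", t + i);
        printf("t=%lld -> %s (next allowed at %lld)\n",
               (long long)(t + i), names[r], (long long)st.next_allowed);
    }
    return 0;
}
```

With these constants an attacker who can type as fast as they like still gets at most five evaluated guesses per fifteen minutes, which turns an unlimited offline-style search into a few hundred guesses per day. The state has to live with the protected object (or in the user's profile), not in the dialog, or closing and reopening the dialog would reset it.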

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

A user reported this vulnerability; CERT@VDE coordinated its disclosure.

4. MITIGATIONS

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

Alternatively, users may find further information on obtaining the software update in the CODESYS Update area.

For more information, please see the advisory CERT@VDE published for CODESYS at:

https://cert.vde.com/en-us/advisories/vde-2023-023

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. 

Rockwell Automation Input/Output Modules

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 1734-AENT/1734-AENTR Series C, 1734-AENT/1734-AENTR Series B, 1738-AENT/1738-AENTR Series B, 1794-AENTR Series A, 1732E-16CFGM12QCWR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-16CFGM12P5QCWR Series B, 1732E-IB16M12R Series B, 1732E-OB16M12R Series B, 1732E-16CFGM12R Series B, 1732E-IB16M12DR Series B, 1732E-OB16M12DR Series B, 1732E-8X8M12DR Series B, 1799ER-IQ10XOQ10 Series B
Vulnerability: Out-of-Bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of select Input/Output Modules from Rockwell Automation are affected:

1734-AENT/1734-AENTR Series C: Versions 7.011 and prior
1734-AENT/1734-AENTR Series B: Versions 5.019 and prior
1738-AENT/1738-AENTR Series B: Versions 6.011 and prior
1794-AENTR Series A: Versions 2.011 and prior
1732E-16CFGM12QCWR Series A: Versions 3.011 and prior
1732E-12X4M12QCDR Series A: Versions 3.011 and prior
1732E-16CFGM12QCR Series A: Versions 3.011 and prior
1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior
1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior
1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior
1732E-IB16M12R Series B: Versions 3.011 and prior
1732E-OB16M12R Series B: Versions 3.011 and prior
1732E-16CFGM12R Series B: Versions 3.011 and prior
1732E-IB16M12DR Series B: Versions 3.011 and prior
1732E-OB16M12DR Series B: Versions 3.011 and prior
1732E-8X8M12DR Series B: Versions 3.011 and prior
1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected Rockwell Automation modules incorporate Pyramid Solutions' Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner, which may be vulnerable to an out-of-bounds write. An unauthenticated threat actor could send a specially crafted packet that results in a denial-of-service condition.

CVE-2022-1737 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has released corrected firmware and recommends users apply the following upgrades:

1734-AENT/1734-AENTR Series C: Versions 7.011 and prior. Upgrade to 7.013
1734-AENT/1734-AENTR Series B: Versions 5.019 and prior. Upgrade to 5.021
1738-AENT/1738-AENTR Series B: Versions 6.011 and prior. Upgrade to 6.013
1794-AENTR Series A: Versions 2.011 and prior. Upgrade to 2.012
1732E-16CFGM12QCWR Series A: Versions 3.011 and prior. Upgrade to 3.012
1732E-12X4M12QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012
1732E-16CFGM12QCR Series A: Versions 3.011 and prior. Upgrade to 3.012
1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior. Upgrade to 3.012
1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012
1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior. Upgrade to 3.012
1732E-IB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012
1732E-OB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012
1732E-16CFGM12R Series B: Versions 3.011 and prior. Upgrade to 3.012
1732E-IB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012
1732E-OB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012
1732E-8X8M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012
1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior. Upgrade to 3.012

Rockwell Automation encourages users of the affected products to upgrade to the corrected firmware listed above, if possible. Additionally, users are encouraged to implement Rockwell Automation's suggested security best practices to minimize the risk of exploitation.

For more information, see Rockwell Automation's Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.