
​Siemens JT Open, JT Utilities, and Parasolid

1. EXECUTIVE SUMMARY

​CVSS v3 7.8
​ATTENTION: Low attack complexity
​Vendor: Siemens
​Equipment: JT Open, JT Utilities, and Parasolid
​Vulnerabilities: Out-of-bounds Read

2. RISK EVALUATION

​Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following products from Siemens are affected:

​JT Open: All versions prior to v11.4
​JT Utilities: All versions prior to v13.4
​Parasolid v34.0: All versions prior to v34.0.253
​Parasolid v34.1: All versions prior to v34.1.243
​Parasolid v35.0: All versions prior to v35.0.177
​Parasolid v35.1: All versions prior to v35.1.073

3.2 VULNERABILITY OVERVIEW

3.2.1 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-30795 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-30796 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

​Michael Heinzl reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens released updates for the affected products and recommends updating to the latest versions:

Parasolid V35.1: Update to V35.1.073 or later version.
Parasolid V35.0: Update to V35.0.177 or later version.
Parasolid V34.1: Update to V34.1.243 or later version.
Parasolid V34.0: Update to V34.0.253 or later version.
JT Utilities: Update to V13.4 or later version.
JT Open: Update to V11.4 or later version.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Do not open untrusted files using Parasolid, JT Open Toolkit, or JT Utilities.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-001569 in HTML and CSAF.

​CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
​Locate control system networks and remote devices behind firewalls and isolate them from business networks.
​When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

​Siemens Solid Edge SE2023

1. EXECUTIVE SUMMARY

​CVSS v3 7.8
ATTENTION: Low attack complexity
​Vendor: Siemens
​Equipment: Solid Edge
​Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read

2. RISK EVALUATION

​Successful exploitation of these vulnerabilities could allow an attacker to crash the application or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following products from Siemens are affected: 

​Solid Edge SE2023: All versions prior to V223.0 Update 7

3.2 VULNERABILITY OVERVIEW

3.2.1 ​OUT-OF-BOUNDS WRITE CWE-787

​The affected application contains an out-of-bounds write past the end of an allocated buffer while parsing a specially crafted PAR file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39181 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted DFT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39182 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PSM files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39183 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PSM files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39184 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39185 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted DFT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39186 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted DFT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39187 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 ​OUT-OF-BOUNDS READ CWE-125

​The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted DFT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39188 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 OUT-OF-BOUNDS WRITE CWE-787

​The affected applications contain an out-of-bounds write past the end of an allocated structure while parsing specially crafted DFT files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-39419 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

​Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released V223.0 Update 7 for Solid Edge SE2023 and recommends updating to the latest version.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Avoid opening untrusted files from unknown sources in Solid Edge.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information, see the associated Siemens security advisory SSA-811403 in HTML and CSAF.

​CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​CISA also recommends users take the following measures to protect themselves from social engineering attacks:

​Do not click web links or open attachments in unsolicited email messages.
​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

​Resource Allocation in Siemens RUGGEDCOM

1. EXECUTIVE SUMMARY

​CVSS v3 7.5
​ATTENTION: Exploitable remotely/low attack complexity
​Vendor: Siemens
​Equipment: RUGGEDCOM
​Vulnerability: Allocation of Resources without Limits or Throttling

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an unauthorized attacker to cause total loss of availability in the affected devices’ web server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

​RUGGEDCOM i800: All versions prior to V4.3.8
​RUGGEDCOM i800NC: All versions prior to V4.3.8
​RUGGEDCOM i801: All versions prior to V4.3.8
​RUGGEDCOM i801NC: All versions prior to V4.3.8
​RUGGEDCOM i802: All versions prior to V4.3.8
​RUGGEDCOM i802NC: All versions prior to V4.3.8
​RUGGEDCOM i803: All versions prior to V4.3.8
​RUGGEDCOM i803NC: All versions prior to V4.3.8
​RUGGEDCOM M2100: All versions prior to V4.3.8
​RUGGEDCOM M2100F: All versions
​RUGGEDCOM M2100NC: All versions prior to V4.3.8
​RUGGEDCOM M2200: All versions prior to V4.3.8
​RUGGEDCOM M2200F: All versions
​RUGGEDCOM M2200NC: All versions prior to V4.3.8
​RUGGEDCOM M969: All versions prior to V4.3.8
​RUGGEDCOM M969F: All versions
​RUGGEDCOM M969NC: All versions prior to V4.3.8
​RUGGEDCOM RMC30: All versions prior to V4.3.8
​RUGGEDCOM RMC30NC: All versions prior to V4.3.8
​RUGGEDCOM RMC8388 V4.X: All versions prior to V4.3.8
​RUGGEDCOM RMC8388 V5.X: All versions
​RUGGEDCOM RMC8388NC V4.X: All versions prior to V4.3.8
​RUGGEDCOM RMC8388NC V5.X: All versions
​RUGGEDCOM RP110: All versions prior to V4.3.8
​RUGGEDCOM RP110NC: All versions prior to V4.3.8
​RUGGEDCOM RS1600: All versions prior to V4.3.8
​RUGGEDCOM RS1600F: All versions prior to V4.3.8
​RUGGEDCOM RS1600FNC: All versions prior to V4.3.8
​RUGGEDCOM RS1600NC: All versions prior to V4.3.8
​RUGGEDCOM RS1600T: All versions prior to V4.3.8
​RUGGEDCOM RS1600TNC: All versions prior to V4.3.8
​RUGGEDCOM RS400: All versions prior to V4.3.8
​RUGGEDCOM RS400F: All versions
​RUGGEDCOM RS400NC: All versions prior to V4.3.8
​RUGGEDCOM RS401: All versions prior to V4.3.8
​RUGGEDCOM RS401NC: All versions prior to V4.3.8
​RUGGEDCOM RS416: All versions prior to V4.3.8
​RUGGEDCOM RS416F: All versions
​RUGGEDCOM RS416NC: All versions prior to V4.3.8
​RUGGEDCOM RS416NC v2: All versions
​RUGGEDCOM RS416P: All versions prior to V4.3.8
​RUGGEDCOM RS416PF: All versions
​RUGGEDCOM RS416PNC: All versions prior to V4.3.8
​RUGGEDCOM RS416PNC v2: All versions
​RUGGEDCOM RS416Pv2: All versions
​RUGGEDCOM RS416v2: All versions
​RUGGEDCOM RS8000: All versions prior to V4.3.8
​RUGGEDCOM RS8000A: All versions prior to V4.3.8
​RUGGEDCOM RS8000ANC: All versions prior to V4.3.8
​RUGGEDCOM RS8000H: All versions prior to V4.3.8
​RUGGEDCOM RS8000HNC: All versions prior to V4.3.8
​RUGGEDCOM RS8000NC: All versions prior to V4.3.8
​RUGGEDCOM RS8000T: All versions prior to V4.3.8
​RUGGEDCOM RS8000TNC: All versions prior to V4.3.8
​RUGGEDCOM RS900: All versions prior to V4.3.8
​RUGGEDCOM RS900 (32M) V4.X: All versions prior to V4.3.8
​RUGGEDCOM RS900 (32M) V5.X: All versions
​RUGGEDCOM RS900F: All versions
​RUGGEDCOM RS900G: All versions prior to V4.3.8
​RUGGEDCOM RS900G (32M) V4.X: All versions prior to V4.3.8
​RUGGEDCOM RS900G (32M) V5.X: All versions
​RUGGEDCOM RS900GF: All versions
​RUGGEDCOM RS900GNC: All versions prior to V4.3.8
​RUGGEDCOM RS900GNC(32M) V4.X: All versions prior to V4.3.8
​RUGGEDCOM RS900GNC(32M) V5.X: All versions
​RUGGEDCOM RS900GP: All versions prior to V4.3.8
​RUGGEDCOM RS900GPF: All versions
​RUGGEDCOM RS900GPNC: All versions prior to V4.3.8
​RUGGEDCOM RS900L: All versions prior to V4.3.8
​RUGGEDCOM RS900LNC: All versions prior to V4.3.8
​RUGGEDCOM RS900M-GETS-C01: All versions prior to V4.3.8
​RUGGEDCOM RS900M-GETS-XX: All versions prior to V4.3.8
​RUGGEDCOM RS900M-STND-C01: All versions prior to V4.3.8
​RUGGEDCOM RS900M-STND-XX: All versions prior to V4.3.8
​RUGGEDCOM RS900MNC-GETS-C01: All versions prior to V4.3.8
​RUGGEDCOM RS900MNC-GETS-XX: All versions prior to V4.3.8
​RUGGEDCOM RS900MNC-STND-XX: All versions prior to V4.3.8
​RUGGEDCOM RS900MNC-STND-XX-C01: All versions prior to V4.3.8 
​RUGGEDCOM RS900NC: All versions prior to V4.3.8
​RUGGEDCOM RS900NC (32M) V4.X: All versions prior to V4.3.8
​RUGGEDCOM RS900NC (32M) V5.X: All versions
​RUGGEDCOM RS900W: All versions prior to V4.3.8
​RUGGEDCOM RS910: All versions prior to V4.3.8
​RUGGEDCOM RS910L: All versions prior to V4.3.8
​RUGGEDCOM RS910LNC: All versions prior to V4.3.8
​RUGGEDCOM RS910NC: All versions prior to V4.3.8
​RUGGEDCOM RS910W: All versions prior to V4.3.8
​RUGGEDCOM RS920L: All versions prior to V4.3.8
​RUGGEDCOM RS920LNC: All versions prior to V4.3.8
​RUGGEDCOM RS920W: All versions prior to V4.3.8
​RUGGEDCOM RS930L: All versions prior to V4.3.8
​RUGGEDCOM RS930LNC: All versions prior to V4.3.8
​RUGGEDCOM RS930W: All versions prior to V4.3.8
​RUGGEDCOM RS940G: All versions prior to V4.3.8
​RUGGEDCOM RS940GF: All versions
​RUGGEDCOM RS940GNC: All versions prior to V4.3.8
​RUGGEDCOM RS969: All versions prior to V4.3.8
​RUGGEDCOM RS969NC: All versions prior to V4.3.8
​RUGGEDCOM RSG2100: All versions prior to V4.3.8
​RUGGEDCOM RSG2100 (32M) V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2100 (32M) V5.X: All versions
​RUGGEDCOM RSG2100F: All versions
​RUGGEDCOM RSG2100NC: All versions prior to V4.3.8
​RUGGEDCOM RSG2100NC (32M) V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2100NC (32M) V5.X: All versions
​RUGGEDCOM RSG2100P: All versions prior to V4.3.8
​RUGGEDCOM RSG2100PF: All versions
​RUGGEDCOM RSG2100PNC: All versions prior to V4.3.8
​RUGGEDCOM RSG2200: All versions prior to V4.3.8
​RUGGEDCOM RSG2200F: All versions
​RUGGEDCOM RSG2200NC: All versions prior to V4.3.8
​RUGGEDCOM RSG2288 V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2288 V5.X: All versions
​RUGGEDCOM RSG2288NC V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2288NC V5.X: All versions
​RUGGEDCOM RSG2300 V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2300 V5.X: All versions
​RUGGEDCOM RSG2300F: All versions
​RUGGEDCOM RSG2300NC V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2300NC V5.X: All versions
​RUGGEDCOM RSG2300P V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2300P V5.X: All versions
​RUGGEDCOM RSG2300PF: All versions
​RUGGEDCOM RSG2300PNC V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2300PNC V5.X: All versions
​RUGGEDCOM RSG2488 V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2488 V5.X: All versions
​RUGGEDCOM RSG2488F: All versions
​RUGGEDCOM RSG2488NC V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG2488NC V5.X: All versions
​RUGGEDCOM RSG907R: All versions
​RUGGEDCOM RSG908C: All versions
​RUGGEDCOM RSG909R: All versions
​RUGGEDCOM RSG910C: All versions
​RUGGEDCOM RSG920P V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG920P V5.X: All versions
​RUGGEDCOM RSG920PNC V4.X: All versions prior to V4.3.8
​RUGGEDCOM RSG920PNC V5.X: All versions
​RUGGEDCOM RSL910: All versions
​RUGGEDCOM RSL910NC: All versions
​RUGGEDCOM RST2228: All versions
​RUGGEDCOM RST2228P: All versions
​RUGGEDCOM RST916C: All versions
​RUGGEDCOM RST916P: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 ​ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

​The affected devices’ web server contains a vulnerability that could lead to a denial-of-service condition. An attacker could cause total loss of web server availability, which could recover after the attack.

CVE-2023-39269 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Multiple
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

​Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends countermeasures for products where no update is planned or none is currently available:

​RUGGEDCOM i800: Update to V4.3.8 or later versions.
​RUGGEDCOM i800NC: Update to V4.3.8 or later versions.
​RUGGEDCOM i801: Update to V4.3.8 or later versions.
​RUGGEDCOM i801NC: Update to V4.3.8 or later versions.
​RUGGEDCOM i802: Update to V4.3.8 or later versions.
​RUGGEDCOM i802NC: Update to V4.3.8 or later versions.
​RUGGEDCOM i803: Update to V4.3.8 or later versions.
​RUGGEDCOM i803NC: Update to V4.3.8 or later versions.
​RUGGEDCOM M2100: Update to V4.3.8 or later versions.
​RUGGEDCOM M2100F: Currently no fix is planned.
​RUGGEDCOM M2100NC: Update to V4.3.8 or later versions.
​RUGGEDCOM M2200: Update to V4.3.8 or later versions.
​RUGGEDCOM M2200F: Currently no fix is planned.
​RUGGEDCOM M2200NC: Update to V4.3.8 or later versions.
​RUGGEDCOM M969: Update to V4.3.8 or later versions.
​RUGGEDCOM M969F: Currently no fix is planned.
​RUGGEDCOM M969NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RMC30: Update to V4.3.8 or later versions.
​RUGGEDCOM RMC30NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RMC8388 V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RMC8388 V5.X: Currently no fix is available.
​RUGGEDCOM RMC8388NC V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RMC8388NC V5.X: Currently no fix is available.
​RUGGEDCOM RP110: Update to V4.3.8 or later versions.
​RUGGEDCOM RP110NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS1600: Update to V4.3.8 or later versions.
​RUGGEDCOM RS1600F: Update to V4.3.8 or later versions.
​RUGGEDCOM RS1600FNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS1600NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS1600T: Update to V4.3.8 or later versions.
​RUGGEDCOM RS1600TNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS400: Update to V4.3.8 or later versions.
​RUGGEDCOM RS400F: Currently no fix is planned.
​RUGGEDCOM RS400NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS401: Update to V4.3.8 or later versions.
​RUGGEDCOM RS401NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS416: Update to V4.3.8 or later versions.
​RUGGEDCOM RS416F: Currently no fix is planned.
​RUGGEDCOM RS416NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS416NC v2: Currently no fix is available.
​RUGGEDCOM RS416P: Update to V4.3.8 or later versions.
​RUGGEDCOM RS416PF: Currently no fix is planned.
​RUGGEDCOM RS416PNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS416PNC v2: Currently no fix is available.
​RUGGEDCOM RS416Pv2: Currently no fix is available.
​RUGGEDCOM RS416v2: Currently no fix is available.
​RUGGEDCOM RS8000: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000A: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000ANC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000H: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000HNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000T: Update to V4.3.8 or later versions.
​RUGGEDCOM RS8000TNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900 (32M) V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900 (32M) V5.X: Currently no fix is available.
​RUGGEDCOM RS900F: Currently no fix is planned.
​RUGGEDCOM RS900G: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900G (32M) V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900G (32M) V5.X: Currently no fix is available.
​RUGGEDCOM RS900GF: Currently no fix is planned.
​RUGGEDCOM RS900GNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900GNC(32M) V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900GNC(32M) V5.X: Currently no fix is available.
​RUGGEDCOM RS900GP: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900GPF: Currently no fix is planned.
​RUGGEDCOM RS900GPNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900L: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900LNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900M-GETS-C01: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900M-GETS-XX: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900M-STND-C01: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900M-STND-XX: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900MNC-GETS-C01: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900MNC-GETS-XX: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900MNC-STND-XX: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900MNC-STND-XX-C01: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900NC(32M) V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RS900NC(32M) V5.X: Currently no fix is available.
​RUGGEDCOM RS900W: Update to V4.3.8 or later versions.
​RUGGEDCOM RS910: Update to V4.3.8 or later versions.
​RUGGEDCOM RS910L: Update to V4.3.8 or later versions.
​RUGGEDCOM RS910LNC: Update to V4.3.8 or later versions.
RUGGEDCOM RS910NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS910W: Update to V4.3.8 or later versions.
​RUGGEDCOM RS920L: Update to V4.3.8 or later versions.
​RUGGEDCOM RS920LNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS920W: Update to V4.3.8 or later versions.
​RUGGEDCOM RS930L: Update to V4.3.8 or later versions.
​RUGGEDCOM RS930LNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS930W: Update to V4.3.8 or later versions.
​RUGGEDCOM RS940G: Update to V4.3.8 or later versions.
​RUGGEDCOM RS940GF: Currently no fix is planned.
​RUGGEDCOM RS940GNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RS969: Update to V4.3.8 or later versions.
​RUGGEDCOM RS969NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2100: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2100 (32M) V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2100 (32M) V5.X: Currently no fix is available.
​RUGGEDCOM RSG2100F: Currently no fix is planned.
​RUGGEDCOM RSG2100NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2100NC(32M) V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2100NC(32M) V5.X: Currently no fix is available.
​RUGGEDCOM RSG2100P: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2100PF: Currently no fix is planned.
​RUGGEDCOM RSG2100PNC: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2200: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2200F: Currently no fix is planned.
​RUGGEDCOM RSG2200NC: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2288 V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2288 V5.X: Currently no fix is available.
​RUGGEDCOM RSG2288NC V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2288NC V5.X: Currently no fix is available.
​RUGGEDCOM RSG2300 V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2300 V5.X: Currently no fix is available.
​RUGGEDCOM RSG2300F: Currently no fix is planned.
​RUGGEDCOM RSG2300NC V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2300NC V5.X: Currently no fix is available.
​RUGGEDCOM RSG2300P V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2300P V5.X: Currently no fix is available.
​RUGGEDCOM RSG2300PF: Currently no fix is planned.
​RUGGEDCOM RSG2300PNC V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2300PNC V5.X: Currently no fix is available.
​RUGGEDCOM RSG2488 V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2488 V5.X: Currently no fix is available.
​RUGGEDCOM RSG2488F: Currently no fix is planned.
​RUGGEDCOM RSG2488NC V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG2488NC V5.X: Currently no fix is available.
​RUGGEDCOM RSG907R: Currently no fix is available.
​RUGGEDCOM RSG908C: Currently no fix is available.
​RUGGEDCOM RSG909R: Currently no fix is available.
​RUGGEDCOM RSG910C: Currently no fix is available.
​RUGGEDCOM RSG920P V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG920P V5.X: Currently no fix is available.
​RUGGEDCOM RSG920PNC V4.X: Update to V4.3.8 or later versions.
​RUGGEDCOM RSG920PNC V5.X: Currently no fix is available.
​RUGGEDCOM RSL910: Currently no fix is available.
​RUGGEDCOM RSL910NC: Currently no fix is available.
​RUGGEDCOM RST2228: Currently no fix is available.
​RUGGEDCOM RST2228P: Currently no fix is available.
​RUGGEDCOM RST916C: Currently no fix is available.
​RUGGEDCOM RST916P: Currently no fix is available.

For products where no update is available, Siemens recommends the following countermeasures:

Restrict access to Port 80/tcp and 443/tcp to trusted IP addresses only.
Deactivate the web server if not required and if the product supports deactivation.

​As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

​Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

​For more information see the associated Siemens security advisory SSA-770902 in HTML and CSAF.

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
​Locate control system networks and remote devices behind firewalls and isolate them from business networks.
​When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploits specifically target this vulnerability.

Siemens RUGGEDCOM CROSSBOW

1. EXECUTIVE SUMMARY

​CVSS v3 9.8
​ATTENTION: Exploitable remotely/low attack complexity
​Vendor: Siemens
​Equipment: RUGGEDCOM CROSSBOW
​Vulnerabilities: Out-of-bounds Read, Improper Privilege Management, SQL Injection, Missing Authentication for Critical Function

2. RISK EVALUATION

​Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary database queries via SQL injection attacks, create a denial-of-service condition, or write arbitrary files to the application’s file system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​Siemens reports that the following server application is affected: 

​RUGGEDCOM CROSSBOW: Versions prior to V5.4

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

An issue was found in SQLite3 v3.35.4 that could allow a remote attacker to cause a denial of service via the appendvfs.c function.

CVE-2021-31239 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 ​IMPROPER PRIVILEGE MANAGEMENT CWE-269

​Microsoft Windows Defender has an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could gain specific limited SYSTEM privileges. This vulnerability could allow an attacker to delete data, which could include data that results in the service being unavailable.

CVE-2022-37971 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

3.2.3 ​SQL INJECTION CWE-89

​The affected application is vulnerable to SQL injection. This could allow an authenticated remote attacker to execute arbitrary SQL queries on the server database and escalate privileges.

CVE-2023-27411 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 ​SQL INJECTION CWE-89

​The affected application is vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database.

CVE-2023-37372 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
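Both CROSSBOW SQL injection findings (3.2.3 and 3.2.4) come down to the same defect class: client-supplied text being spliced into a query string so the database parses it as SQL. The following is an added example, not code from Siemens or from the RUGGEDCOM CROSSBOW product; the schema, the user rows and the hostile input are all constructed for illustration. It puts the vulnerable pattern beside its parameterised fix and adds a small code-review regex that flags `execute()` calls built with string formatting, which is how a reviewer would hunt for the pattern in a code base.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema for illustration only; not the CROSSBOW database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "operator"), ("bob", "admin")])
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, name: str) -> list:
    # Attacker-controlled text is spliced into the statement, so the database
    # parses it as SQL: a quote in `name` ends the literal and the rest is code.
    rows = conn.execute("SELECT role FROM users WHERE name = '%s'" % name)
    return [r[0] for r in rows]


def lookup_role_safe(conn, name: str) -> list:
    # Bound parameter: the driver sends the value separately from the SQL text,
    # so it can only ever be compared as data, never executed.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def demo() -> dict:
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    return {
        "vulnerable": lookup_role_vulnerable(conn, hostile),  # every row leaks
        "safe": lookup_role_safe(conn, hostile),              # nobody is literally named that
        "legit": lookup_role_safe(conn, "alice"),
    }


# Code-review aid: flag execute() calls whose first argument is built with
# %-formatting, concatenation, .format() or an f-string.
RISKY_EXECUTE = re.compile(
    r'''\.execute\(\s*(?:f["']|(?:"[^"]*"|'[^']*')\s*(?:%|\+|\.format\())'''
)


def flag_string_built_queries(source: str) -> list:
    """Return 1-based line numbers of execute() calls whose SQL is string-built."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if RISKY_EXECUTE.search(line)]
```

The review regex is deliberately narrow (one statement per line, literal as first argument); it is a triage aid for the pattern the advisory describes, not a substitute for reviewing every query construction site.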

3.2.5 ​MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 

​The affected application accepts unauthenticated file write messages. An unauthenticated remote attacker could write arbitrary files to the affected application’s file system.

CVE-2023-37373 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

​National Cyber Security Centre (NCSC) reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released an update for RUGGEDCOM CROSSBOW and recommends updating to the latest version:

​RUGGEDCOM CROSSBOW: Update to V5.4 or later versions.

​As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens’ operational guidelines for industrial security and following product manual recommendations.

​Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

​For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

​For more information, see the associated Siemens security advisory SSA-472630 in HTML and CSAF.

​CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
​Locate control system networks and remote devices behind firewalls and isolate them from business networks.
​When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​CISA also recommends users take the following measures to protect themselves from social engineering attacks:

​Do not click web links or open attachments in unsolicited email messages.
​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Siemens Parasolid Installer

1. EXECUTIVE SUMMARY

​CVSS v3 7.8
​ATTENTION: Low attack complexity
​Vendor: Siemens
​Equipment: Parasolid
​Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to misuse the vulnerability and escalate privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following products from Siemens are affected if installed with Parasolid installer:

​Parasolid V35.0: All versions
​Parasolid V35.1: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

​Nullsoft Scriptable Install System (NSIS) before v3.09 creates an “uninstall directory” with insufficient access control. This could allow an attacker to misuse the vulnerability and escalate privileges.

CVE-2023-37378 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

​Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Only systems on which Parasolid was installed with a Parasolid installer are impacted. Siemens recommends uninstalling impacted Parasolid instances and reinstalling with the latest available installer:

​Parasolid v35.0: Latest installer.
​Parasolid v35.1: Latest installer.

​Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:

​Scan each computer on which Parasolid has ever been installed with an up-to-date anti-virus program and follow its recommendations.
​Ensure only trusted persons have access to the system and avoid the configuration of additional accounts.

​As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following product manual recommendations.

​Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

​For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

​For more information see the associated Siemens security advisory SSA-116172 in HTML and CSAF.

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
​Locate control system networks and remote devices behind firewalls and isolate them from business networks.
​When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

​Schneider Electric IGSS

1. EXECUTIVE SUMMARY

​CVSS v3 7.8
ATTENTION: Low attack complexity
​Vendor: Schneider Electric
​Equipment: IGSS (Interactive Graphical SCADA System)
​Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

​Successful exploitation of this vulnerability may allow arbitrary code execution or loss of control of the SCADA system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​Schneider Electric reports this vulnerability affects the following IGSS (Interactive Graphical SCADA System) products:  

​IGSS Dashboard (DashBoard.exe): v16.0.0.23130 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

​A deserialization of untrusted data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to arbitrary code execution when an attacker gets the user to open a malicious file.

CVE-2023-3001 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

​Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative reported this vulnerability to Schneider Electric and CISA.

4. MITIGATIONS

Schneider Electric has provided version 16.0.0.23131 of Dashboard to address this vulnerability. The update is available for download through IGSS Master > Update IGSS Software or from the Schneider Electric support page.

​If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

​Review and implement the security guideline for IGSS on securing an IGSS SCADA installation.
​Follow the general security recommendation below and verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access.

​For more information, see the Schneider Electric security notification SEVD-2023-164-02.

​Schneider Electric recommends the following industry cybersecurity best practices.

​Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
​Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
​Place all controllers in locked cabinets and never leave them in the “Program” mode.
​Never connect programming software to any network other than the network intended for that device.
​Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
​Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
​Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the internet.
​When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​CISA also recommends users take the following measures to protect themselves from social engineering attacks:

​Do not click web links or open attachments in unsolicited email messages.
​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has low attack complexity.

​Hitachi Energy RTU500 series

1. EXECUTIVE SUMMARY

​CVSS v3 7.5
​ATTENTION: Exploitable remotely/low attack complexity
​Vendor: Hitachi Energy
​Equipment: RTU500 series
​Vulnerabilities: Stack-based Buffer Overflow

2. RISK EVALUATION

​Successful exploitation of these vulnerabilities could cause a buffer overflow and reboot of the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​Hitachi Energy reports these vulnerabilities affect the following RTU500 series products:

​RTU500 series CMU: Firmware versions 13.3.1–13.3.2

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

​A vulnerability exists in the HCI IEC 60870-5-104 function included in certain versions of the RTU500 series product. The vulnerability can only be exploited if the HCI 60870-5-104 is configured with IEC 62351-5 support and the CMU contains the license feature ‘Advanced security’ which must be ordered separately. If these preconditions are fulfilled, an attacker could exploit the vulnerability by sending a specially crafted message to the RTU500, causing the targeted RTU500 CMU to reboot. The vulnerability is caused by a missing input data validation, which eventually, if exploited, could cause an internal buffer to overflow in the HCI IEC 60870-5-104 function.

CVE-2022-2502 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
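The first RTU500 finding is described as a missing input-data validation that lets a crafted message overflow an internal buffer in the HCI IEC 60870-5-104 function. The following is an added example, not Hitachi Energy code, showing what that validation looks like at the framing layer: every length used for slicing is checked against both the protocol maximum and the bytes actually received before anything is copied. It models only the standard IEC 60870-5-104 APCI (start byte, length byte, four control octets, ASDU); the IEC 62351-5 secure-authentication extension where the advisory locates the flaw is not modelled, and the test frames are constructed, not captures from any RTU.

```python
START_BYTE = 0x68
CONTROL_LEN = 4        # four control octets follow the length byte
MAX_APDU_LEN = 253     # largest value the length byte may carry (whole frame <= 255 bytes)


class FrameError(ValueError):
    """Raised for any frame that fails validation; the caller drops it instead of parsing on."""


def parse_apdu(buf: bytes) -> dict:
    """Validate one IEC 60870-5-104 APDU and split it into control field and ASDU.

    The checks below are the ones whose absence lets a crafted length byte drive
    a read or copy past a fixed-size buffer: the declared length is bounded by
    the protocol maximum and by the number of bytes that were actually received.
    """
    if len(buf) < 2:
        raise FrameError("header truncated")
    if buf[0] != START_BYTE:
        raise FrameError("bad start byte 0x%02x" % buf[0])
    declared = buf[1]                          # count of bytes following the length byte
    if declared < CONTROL_LEN or declared > MAX_APDU_LEN:
        raise FrameError("declared length %d out of range" % declared)
    if len(buf) < 2 + declared:
        raise FrameError("declared length %d exceeds %d bytes received"
                         % (declared, len(buf) - 2))
    control = buf[2:2 + CONTROL_LEN]
    asdu = buf[2 + CONTROL_LEN:2 + declared]
    # Frame format is encoded in the two low bits of the first control octet:
    # I-format (bit 0 clear), S-format (01), U-format (11).
    if control[0] & 0x01 == 0:
        fmt = "I"
    elif control[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    return {
        "format": fmt,
        "control": bytes(control),
        "asdu": bytes(asdu),
        "remaining": bytes(buf[2 + declared:]),   # any following frame in the same TCP segment
    }


def frame_verdict(buf: bytes) -> str:
    """Accept/reject summary suitable for a protocol conformance test harness."""
    try:
        return "accepted:" + parse_apdu(buf)["format"]
    except FrameError as exc:
        return "rejected:" + str(exc)


# Constructed test frames (not captures from any RTU).
TESTFR_ACT = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])            # U-frame, TESTFR act
I_FRAME = bytes([0x68, 0x0A, 0x02, 0x00, 0x02, 0x00,                 # I-frame, 6-byte ASDU
                 0x64, 0x01, 0x06, 0x00, 0x01, 0x00])
OVERSIZED_LENGTH = bytes([0x68, 0xFF, 0x43, 0x00, 0x00, 0x00])      # length byte above 253
TRUNCATED = bytes([0x68, 0x10, 0x00, 0x00, 0x00, 0x00])             # claims 16 bytes, carries 4
```

A fuzzing or conformance harness for a 104 endpoint would feed exactly these malformed shapes (oversized, truncated, wrong start byte) and expect a clean rejection rather than a restart, which is the observable symptom the advisory describes.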

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

​A vulnerability exists in HCI IEC 60870-5-104 function included in certain versions of the RTU500 series product. The vulnerability can only be exploited if the HCI 60870-5-104 is configured with support for IEC 62351-3. After session resumption interval is expired, an RTU500 initiated update of session parameters could cause an unexpected restart due to a stack overflow.

CVE-2022-4608 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Energy
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

​Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

​Hitachi Energy recommends users update to CMU Firmware versions 13.3.3 or 13.4.1.

The reported vulnerabilities affect only the RTU500 series with HCI IEC 60870-5-104 and IEC 62351-3 or IEC 62351-5 configured and enabled. A possible mitigation is to disable the HCI IEC 60870-5-104 function or its IEC 62351-3 and IEC 62351-5 features if they are not used. By default, the HCI IEC 60870-5-104 and its IEC 62351-3 or IEC 62351-5 support are disabled.

​Hitachi Energy recommends the following general mitigations:

​Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.
​Physically protect process control systems from direct access by unauthorized personnel.
​Ensure process control systems have no direct connections to the internet and are separated from other networks via a firewall system with minimal exposed ports.
​Do not use process control systems for internet surfing, instant messaging, or receiving emails.
Scan portable computers and removable storage media for malware prior to connection to a control system.
​Enforce proper password policies and processes.

​For more information, see Hitachi Energy’s Security Advisory: 8DBD000121.

​CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

​Sensormatic Electronics VideoEdge

1. EXECUTIVE SUMMARY

​CVSS v3 7.1
​ATTENTION: Low attack complexity
​Vendor: Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc.
​Equipment: VideoEdge
​Vulnerability: Acceptance of Extraneous Untrusted Data with Trusted Data

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow a local user to edit the VideoEdge configuration file and interfere with VideoEdge operation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following Sensormatic Electronics, a subsidiary of Johnson Controls Inc, products are affected: 

​VideoEdge: Versions prior to 6.1.1

3.2 VULNERABILITY OVERVIEW

3.2.1 ​ACCEPTANCE OF EXTRANEOUS UNTRUSTED DATA WITH TRUSTED DATA CWE-349

​In Sensormatic VideoEdge versions prior to 6.1.1, a local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.

CVE-2023-3749 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

​Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

​Sensormatic Electronics recommends users take the following action to apply proper mitigations:

​Update VideoEdge to version 6.1.1. The update can be downloaded from http://www.americandynamics.net under Support/Software Downloads/Network Video Recorders.

​For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2023-07 v1 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

​Further ICS security notices and product security guidance are located at our product security website.

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
​Locate control system networks and remote devices behind firewalls and isolate them from business networks.
​When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

TEL-STER TelWin SCADA WebInterface

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: TEL-STER Sp. z o. o.
Equipment: TelWin SCADA WebInterface
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to read files on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

TEL-STER reports this vulnerability affects the following versions of TelWin SCADA WebInterface:

TelWin SCADA WebInterface: versions 3.2 to 6.1
TelWin SCADA WebInterface: versions 7.0 to 7.1
TelWin SCADA WebInterface: versions 8.0 and 9.0

3.2 VULNERABILITY OVERVIEW

3.2.1 PATH TRAVERSAL CWE-35

External input could be used on TEL-STER TelWin SCADA WebInterface to construct paths to files and directories without properly neutralizing special elements within the pathname, which could allow an unauthenticated attacker to read files on the system.

CVE-2023-0956 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
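The TelWin finding is the classic path-traversal shape: external input is used to build a file path without neutralising special elements such as `..`. The following is an added example, not TEL-STER code and not tied to how the WebInterface actually serves files; it shows the layered check a web handler should apply before opening anything under a served directory, and a self-check that exercises it against a constructed directory tree and the usual traversal shapes (parent references, percent-encoded separators, absolute paths, backslashes).

```python
import os
import tempfile
from pathlib import PurePosixPath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the served directory."""


def resolve_under_root(root: str, requested: str) -> str:
    """Map a client-supplied relative path onto a filesystem path below ``root``.

    Defence in layers: decode percent-encoding exactly once, reject NUL bytes,
    absolute paths and any '..' segment up front, then confirm with realpath()
    that the final location is still inside root (this also catches symlinks
    that point outside the served tree).
    """
    decoded = unquote(requested)               # decode once; a second decode would reopen the hole
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")       # treat backslashes as separators as well
    parts = PurePosixPath(decoded).parts       # also drops '.' segments
    if decoded.startswith("/") or ".." in parts:
        raise PathTraversalError("absolute path or parent reference: %r" % requested)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError("resolved outside root: %r" % requested)
    return candidate


def self_check() -> dict:
    """Constructed scenario: a served tree with one file, probed with several requests."""
    probes = [
        "reports/daily.txt",
        "reports/./daily.txt",
        "reports/../reports/daily.txt",     # stays inside root but is still refused
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "/etc/passwd",
        "reports\\..\\..\\etc\\passwd",
    ]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports"))
        with open(os.path.join(root, "reports", "daily.txt"), "w") as fh:
            fh.write("ok")
        verdicts = {}
        for req in probes:
            try:
                path = resolve_under_root(root, req)
                verdicts[req] = "allowed" if os.path.isfile(path) else "allowed (no such file)"
            except PathTraversalError:
                verdicts[req] = "blocked"
        return verdicts
```

Refusing every `..` segment, even one that would resolve back inside the root, is a deliberate design choice: a legitimate client never needs it, and the strict rule is far easier to reason about than canonicalisation alone. The `realpath` comparison remains as the backstop for symlinks and for anything the up-front filter did not anticipate.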

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple sectors
COUNTRIES/AREAS DEPLOYED: Poland
COMPANY HEADQUARTERS LOCATION: Poland

3.4 RESEARCHER

Marcin Dudek of CERT.PL reported this vulnerability to TEL-STER.

4. MITIGATIONS

TEL-STER recommends that users update the WebInterface module to one of the following versions: 6.2, 7.2, 8.1, 9.1, or 10.0. Please note that the WebInterface is part of the TelWin SCADA software and is usually updated with the software. TEL-STER currently supports and updates only TelWin SCADA 7.8 (WebInterface 6.x) and upwards. TEL-STER does not have any updates planned for versions using the older vulnerable WebInterface (lower than 6.0), and users are recommended to update TelWin SCADA to one of the supported versions. For more information, please contact TEL-STER.

More information about this issue and the associated mitigation can be found at TEL-STER advisory or CERT.PL advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity.

​Mitsubishi Electric GOT2000 and GOT SIMPLE

1. EXECUTIVE SUMMARY

​CVSS v3 5.9
​ATTENTION: Exploitable remotely
​Vendor: Mitsubishi Electric
​Equipment: GOT2000 Series and GOT SIMPLE Series
​Vulnerability: Predictable Exact Value from Previous Values

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to hijack data connections or prevent legitimate users from establishing data connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​Mitsubishi Electric reports this vulnerability affects the following HMIs when using the “FTP server” function:

​GOT2000 Series, GT21 model: versions 01.49.000 and prior
​GOT SIMPLE, GS21 model: versions 01.49.000 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 ​PREDICTABLE EXACT VALUE FROM PREVIOUS VALUES CWE-342

​A denial-of-service and spoofing (session hijacking of data connections) vulnerability exists in the FTP server function on GOT2000 series and GOT SIMPLE series because the port number of a data connection can be easily guessed due to predictable exact value from previous values.

CVE-2023-3373 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L).
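The GOT2000/GOT SIMPLE finding is that the FTP data-connection port can be guessed because each value follows predictably from the previous ones. An operator can check their own device for this behaviour from the control channel alone: in passive mode the server announces each data port in its `227` reply as `(h1,h2,h3,h4,p1,p2)` with port `p1*256 + p2` (RFC 959), so a handful of consecutive replies shows whether the allocator uses a constant stride. The following is an added example, not Mitsubishi Electric code; the sample replies are constructed, not captured from any HMI.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2 (RFC 959).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple:
    """Return (host, port) announced in a 227 reply, validating each field as one byte."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field exceeds one byte: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def stride_analysis(ports: list) -> dict:
    """Flag a port sequence as predictable when every step between announcements is identical."""
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    return {
        "ports": ports,
        "distinct_strides": len(set(deltas)),
        # Three or more announcements with one constant stride: the next value is trivially known.
        "predictable": len(ports) >= 3 and len(set(deltas)) == 1,
    }


def assess_capture(replies: list) -> dict:
    """Assess a list of consecutive 227 replies taken from one device's control channel."""
    return stride_analysis([parse_pasv(r)[1] for r in replies])


# Constructed sample replies (not captured from any real device).
SEQUENTIAL_REPLIES = [           # ports 1030, 1031, 1032, 1033: constant stride of 1
    "227 Entering Passive Mode (10,0,0,5,4,6)",
    "227 Entering Passive Mode (10,0,0,5,4,7)",
    "227 Entering Passive Mode (10,0,0,5,4,8)",
    "227 Entering Passive Mode (10,0,0,5,4,9)",
]
RANDOMIZED_REPLIES = [           # ports 49157, 51533, 50160, 50946: no constant stride
    "227 Entering Passive Mode (10,0,0,5,192,5)",
    "227 Entering Passive Mode (10,0,0,5,201,77)",
    "227 Entering Passive Mode (10,0,0,5,195,240)",
    "227 Entering Passive Mode (10,0,0,5,199,2)",
]
```

A `predictable` result on a device you operate is the cue to apply the mitigations the advisory lists: disable the FTP server function where it is not needed, or restrict reachable clients with the IP filter. The check deliberately stops at reporting the stride; it does not attempt any data-connection interaction itself.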

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
​COUNTRIES/AREAS DEPLOYED: Worldwide
​COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

​Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has created the following versions to fix this issue: 

​GOT2000 Series, GT21 model version 01.50.000 or later
​GOT SIMPLE, GS21 model version 01.50.000 or later

​Mitsubishi Electric recommends the following steps to update:

Contact your local Mitsubishi Electric representative to download the fixed version of GT Designer3 Version1 (GOT2000) and install it on a personal computer.
Start GT Designer3 Version1 (GOT2000) and open the project data used in the affected products.
Select [Write to GOT] from the [Communication] menu to write the required package data to the GOT. Refer to the GT Designer3 Version1 (GOT2000) Screen Design Manual (SH-081220ENG), "4. COMMUNICATING WITH GOT".
​After writing the required package data to the GOT, refer to the and check that the software has been updated to the fixed versions. 

​The fixed versions are shipped with GT Designer3 Version1(GOT2000) Ver. 1.300 N or later.

​Mitsubishi Electric recommends that customers take the following mitigations or workarounds to minimize the risk of exploiting this vulnerability:

​Restrict physical access to the product and the LAN to which it is connected.
​When Internet access is required, use a virtual private network (VPN) or other means to prevent unauthorized access.
​Use the products within a LAN and block access from untrusted networks and hosts.
​Install antivirus software on your computer that can access the affected product.
​Use the IP filter function to restrict the accessible IP addresses.
​GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG). “5.4.3 Setting the IP filter”

​Review whether the FTP server function is required or not, and if not, disable the FTP server function.

​Users should refer to Mitsubishi Electric’s security advisory for further information.

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​CISA also recommends users take the following measures to protect themselves from social engineering attacks:

​Do not click web links or open attachments in unsolicited email messages.
​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has high attack complexity.