
Rockwell Automation Connected Components Workbench


1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: Rockwell Automation
Equipment: Connected Components Workbench
Vulnerabilities: Use After Free, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit heap corruption via a crafted HTML page.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Connected Components Workbench are affected:

Connected Components Workbench: versions prior to R21

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

Connected Components Workbench uses CefSharp version 81.3.100, which contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-16017 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 USE AFTER FREE CWE-416

Connected Components Workbench uses CefSharp version 81.3.100, which contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVE-2022-0609 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench uses CefSharp version 81.3.100, which contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.183. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-16009 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench uses CefSharp version 81.3.100, which contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-16013 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench uses CefSharp version 81.3.100, which contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-15999 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
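The version pairs above are what a practitioner needs in order to judge whether any other product that embeds Chromium (through CefSharp or otherwise) carries the same exposure. The following Python is an added example, not part of the advisory or of Rockwell's tooling: it compares a Chromium version against the fixed-in versions listed above. The `cefsharp_major` helper, and the assumption that a CefSharp package can only be judged by its first version field (CefSharp's major version tracks the Chromium major it bundles), are the editor's, not the advisory's.

```python
# Added example (not part of the advisory or of Rockwell's tooling): decide which
# of the Chromium CVEs listed above a given embedded Chromium build is exposed to,
# using the fixed-in versions the advisory states.
from typing import List, Tuple

# Fixed-in Chromium versions for the CVEs in this advisory.
CHROMIUM_FIXES = {
    "CVE-2020-15999": "86.0.4240.111",
    "CVE-2020-16009": "86.0.4240.183",
    "CVE-2020-16013": "86.0.4240.198",
    "CVE-2020-16017": "86.0.4240.198",
    "CVE-2022-0609": "98.0.4758.102",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '86.0.4240.198' into (86, 0, 4240, 198). Parsing stops at the first
    field that does not start with a digit, so '81.3.100-pre' gives (81, 3, 100)."""
    fields = []
    for part in text.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        fields.append(int(digits))
    if not fields:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(fields)


def is_older(candidate: str, fixed_in: str) -> bool:
    """True when candidate sorts strictly before fixed_in. Missing trailing
    fields count as zero, so '86' compares as '86.0.0.0'."""
    a, b = parse_version(candidate), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def exposed_cves(chromium_version: str) -> List[str]:
    """CVEs from the table whose fix landed after the given Chromium version.
    Pass the bundled Chromium version when you have it. For a CefSharp package
    only the first field is meaningful (CefSharp's major version tracks the
    Chromium major it bundles), so pass just that field, e.g. "81" for
    CefSharp 81.3.100; a build on the same major as a fix then needs the full
    Chromium version to decide."""
    return sorted(cve for cve, fix in CHROMIUM_FIXES.items()
                  if is_older(chromium_version, fix))


def cefsharp_major(cefsharp_version: str) -> str:
    """'81.3.100' -> '81': the only field that maps onto a Chromium version."""
    return str(parse_version(cefsharp_version)[0])


if __name__ == "__main__":
    print(exposed_cves(cefsharp_major("81.3.100")))   # all five CVEs
    print(exposed_cves("86.0.4240.198"))              # ['CVE-2022-0609']
```

Comparing on the major alone is conservative in one direction only: a CefSharp 81 package is below every fix listed, but a package on the same major as a fix (86.x) cannot be judged without the exact Chromium build it bundles.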

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends that users update to R21 or later.

Users with the affected software are encouraged to apply the risk mitigations, if possible.

Additionally, Rockwell Automation encourages users to implement their suggested security best practices to minimize the risk of exploitation.


CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Rockwell Automation FactoryTalk View Machine Edition


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View Machine Edition
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code remotely with specially crafted malicious packets or by using a self-made library to bypass security checks.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

FactoryTalk View Machine Edition: v13.0
FactoryTalk View Machine Edition: v12.0 and prior

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device exposes functionality, through a CIP class, to execute exported functions from libraries. A routine restricts this to specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the function.

CVE-2023-2071 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
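The failure described above is a name-based allow-list applied to something the attacker can write. The following Python is an added illustration, not device code from Rockwell Automation or from the researchers: the library names (`diag.dll`, `tags.dll`), the export names, the search-path layout and the pinned-digest check are hypothetical, and DLL loading is simulated by reading text files so the example runs anywhere.

```python
# Added example, not device code: the advisory describes an "execute an export
# from an allow-listed library" feature defeated by uploading a self-made library.
# This models that failure mode with a name-only allow-list and shows a hardened
# check. Library names, export names and the directory layout are hypothetical.
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

# Two libraries with a handful of permitted exports, as the advisory describes.
ALLOWED_EXPORTS: Dict[str, Set[str]] = {
    "diag.dll": {"GetStatus", "GetVersion"},
    "tags.dll": {"ReadTag"},
}


def simulate_load_and_call(path: Path, function: str) -> str:
    """Stand-in for LoadLibrary + calling an export: each fake library is a text
    file whose content names the code that would run."""
    return f"{path.read_text().strip()}:{function}"


def execute_export_vulnerable(search_path: Iterable[Path], library: str, function: str) -> str:
    """Vulnerable: (library, function) is checked by name only, and the file that
    gets loaded is the first one of that name on a search path that includes a
    directory the attacker can write to through a file-upload feature."""
    if function not in ALLOWED_EXPORTS.get(library, set()):
        raise PermissionError(f"{library}!{function} is not allow-listed")
    for directory in search_path:
        candidate = Path(directory) / library
        if candidate.is_file():
            return simulate_load_and_call(candidate, function)
    raise FileNotFoundError(library)


def execute_export_hardened(trusted_dir: Path, pinned_sha256: Dict[str, str],
                            library: str, function: str) -> str:
    """Hardened: same allow-list, but the library must be a bare file name, must
    resolve inside the trusted directory, and must match a pinned digest, so an
    uploaded or overwritten file never runs."""
    if Path(library).name != library:
        raise PermissionError("library name must not contain path components")
    if function not in ALLOWED_EXPORTS.get(library, set()):
        raise PermissionError(f"{library}!{function} is not allow-listed")
    root = Path(trusted_dir).resolve()
    path = (root / library).resolve()
    if path.parent != root or not path.is_file():
        raise PermissionError("library must be a regular file in the trusted directory")
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256.get(library, "")):
        raise PermissionError("library digest does not match the pinned value")
    return simulate_load_and_call(path, function)


def _rejected(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Constructed layout: a trusted system directory and an upload directory that
    both hold a 'diag.dll'. Shows the uploaded copy winning under the vulnerable
    check, and the hardened check rejecting traversal and a tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "system"
        uploads = Path(tmp) / "uploads"
        trusted.mkdir()
        uploads.mkdir()
        (trusted / "diag.dll").write_text("vendor-code")
        (uploads / "diag.dll").write_text("attacker-code")  # the self-made library
        pinned = {"diag.dll": hashlib.sha256(b"vendor-code").hexdigest()}

        result = {
            # search path lists the upload directory first, as a sloppy loader might
            "vulnerable_ran": execute_export_vulnerable([uploads, trusted], "diag.dll", "GetStatus"),
            "hardened_ran": execute_export_hardened(trusted, pinned, "diag.dll", "GetStatus"),
            "traversal_rejected": _rejected(
                lambda: execute_export_hardened(trusted, pinned, "../uploads/diag.dll", "GetStatus")),
        }
        # Attacker overwrites the trusted copy: name and location are fine, digest is not.
        (trusted / "diag.dll").write_text("attacker-code")
        result["tampered_rejected"] = _rejected(
            lambda: execute_export_hardened(trusted, pinned, "diag.dll", "GetStatus"))
        return result
```

The point the hardened variant makes is that an allow-list of names is not a code-integrity check: once an attacker can place a file, the check has to bind the name to a location the attacker cannot write and to content the device can verify (a pinned digest here; a signature check in a real loader).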

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community reported this vulnerability to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation recommends applying the v12.0 and v13.0 patches for FactoryTalk View Machine Edition.

Users of the affected versions are encouraged by Rockwell Automation to upgrade to corrected firmware revisions and to install the security patches for their respective versions. Users are also strongly encouraged to implement Rockwell Automation's suggested security best practices to minimize the risk of exploitation.

For more information and to see Rockwell’s detection rules, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Siemens Spectrum Power 7

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories.


1. EXECUTIVE SUMMARY

CVSS v3 8.2
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Spectrum Power 7
Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated local attacker to inject arbitrary code into the update script and escalate privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Spectrum Power 7: versions prior to V23Q3

3.2 Vulnerability Overview

3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732

The affected product assigns improper access rights to the update script. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

CVE-2023-38557 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
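The advisory does not publish the script's path or the permission bits involved. The following Python is an added example, not Siemens code: a generic audit of a script that runs with elevated privileges, flagging the conditions under which an unprivileged local user could get code into it. The file names and permission modes in `demo()` are constructed for the illustration.

```python
# Added example, not Siemens code: the advisory does not publish the script's
# path or the exact permission bits, so this is a generic audit for a script that
# is executed with elevated privileges. The checks flag the ways an unprivileged
# local user could get code into it (writable file, replaceable file, symlink).
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def audit_privileged_script(path, trusted_uids=(0,)) -> List[str]:
    """Return findings for a script that runs with elevated privileges; an empty
    list means nothing was flagged. trusted_uids lists owners that may legitimately
    hold the file (root by default)."""
    findings: List[str] = []
    p = Path(path)
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        findings.append("script path is a symlink; its target can be swapped")
        st = p.stat()          # inspect the target from here on
    if st.st_mode & stat.S_IWOTH:
        findings.append("script is world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("script is group-writable")
    if st.st_uid not in trusted_uids:
        findings.append(f"script owner uid {st.st_uid} is not a trusted uid")
    parent = p.parent.stat()
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit; the script can be replaced")
    if parent.st_mode & stat.S_IWGRP:
        findings.append("parent directory is group-writable; the script can be replaced")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed files under a temporary directory: a badly permissioned update
    script, a correctly permissioned one, and a symlink to the good one. The
    current user is passed as the trusted owner because the example does not run
    as root; a real audit would keep the default (0,)."""
    me = getattr(os, "getuid", lambda: 0)()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "opt"
        root.mkdir()
        os.chmod(root, 0o755)           # set explicitly; mkdir() is subject to umask
        bad = root / "update_bad.sh"
        good = root / "update_good.sh"
        link = root / "update_link.sh"
        for script in (bad, good):
            script.write_text("#!/bin/sh\necho applying update\n")
        os.chmod(bad, 0o777)            # anyone can edit what root will execute
        os.chmod(good, 0o755)
        link.symlink_to(good)
        return {
            "bad": audit_privileged_script(bad, trusted_uids=(me,)),
            "good": audit_privileged_script(good, trusted_uids=(me,)),
            "link": audit_privileged_script(link, trusted_uids=(me,)),
        }
```

Run against the real update script (and anything it sources or executes) with the default trusted owner; a group-writable result deserves the same attention as a world-writable one whenever the group contains operator accounts.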

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tyler Webb from Dragos Inc. reported this vulnerability to Siemens and CISA.

4. MITIGATIONS

Siemens has released an update for Spectrum Power 7 (V23Q3) and recommends updating to the latest version. For any version of Spectrum Power 7 prior to V23Q3, please contact Siemens customer support.

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulation to build resilience into the power grid by applying multi-level redundant secondary protection schemes. Operators should therefore check whether appropriate resilient protection measures are in place; the risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends validating any security update before it is applied, with the update process in the target environment supervised by trained staff.

As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). Configure the environment according to Siemens' operational guidelines in order to run the devices in a protected IT environment.

For more information see the associated Siemens security advisory SSA-357182 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Rockwell Automation Select Logix Communication Modules


1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Logix Communication Modules are affected:

1756-EN2T Series A: versions 5.008 and prior, and version 5.028
1756-EN2T Series B: versions 5.008 and prior, and version 5.028
1756-EN2T Series C: versions 5.008 and prior, and version 5.028
1756-EN2T Series D: versions 11.002 and prior
1756-EN2TK Series A: versions 5.008 and prior, and version 5.028
1756-EN2TK Series B: versions 5.008 and prior, and version 5.028
1756-EN2TK Series C: versions 5.008 and prior, and version 5.028
1756-EN2TK Series D: versions 11.002 and prior
1756-EN2TXT Series A: versions 5.008 and prior, and version 5.028
1756-EN2TXT Series B: versions 5.008 and prior, and version 5.028
1756-EN2TXT Series C: versions 5.008 and prior, and version 5.028
1756-EN2TXT Series D: versions 11.002 and prior
1756-EN2TP Series A: versions 11.002 and prior
1756-EN2TPK Series A: versions 11.002 and prior
1756-EN2TPXT Series A: versions 11.002 and prior
1756-EN2TR Series A: versions 5.008 and prior, and version 5.028
1756-EN2TR Series B: versions 5.008 and prior, and version 5.028
1756-EN2TR Series C: versions 11.002 and prior
1756-EN2TRK Series A: versions 5.008 and prior, and version 5.028
1756-EN2TRK Series B: versions 5.008 and prior, and version 5.028
1756-EN2TRK Series C: versions 11.002 and prior
1756-EN2TRXT Series A: versions 5.008 and prior, and version 5.028
1756-EN2TRXT Series B: versions 5.008 and prior, and version 5.028
1756-EN2TRXT Series C: versions 11.002 and prior
1756-EN2F Series A: versions 5.008 and prior, and version 5.028
1756-EN2F Series B: versions 5.008 and prior, and version 5.028
1756-EN2F Series C: versions 11.002 and prior
1756-EN2FK Series A: versions 5.008 and prior, and version 5.028
1756-EN2FK Series B: versions 5.008 and prior, and version 5.028
1756-EN2FK Series C: versions 11.002 and prior
1756-EN3TR Series A: versions 5.008 and prior, and version 5.028
1756-EN3TR Series B: versions 11.002 and prior
1756-EN3TRK Series A: versions 5.008 and prior, and version 5.028
1756-EN3TRK Series B: versions 11.002 and prior

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

A buffer overflow vulnerability exists in the 1756-EN2T communication devices. If exploited, a threat actor could potentially leverage this vulnerability to achieve remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to the device.

CVE-2023-2262 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has released the following for users to apply:

1756-EN2T Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2T Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2T Series C: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2T Series D: versions 11.002 and prior, update to 11.003 or later
1756-EN2TK Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TK Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TK Series C: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TK Series D: versions 11.002 and prior, update to 11.003 or later
1756-EN2TXT Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TXT Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TXT Series C: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TXT Series D: versions 11.002 and prior, update to 11.003 or later
1756-EN2TP Series A: versions 11.002 and prior, update to 11.003 or later
1756-EN2TPK Series A: versions 11.002 and prior, update to 11.003 or later
1756-EN2TPXT Series A: versions 11.002 and prior, update to 11.003 or later
1756-EN2TR Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TR Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TR Series C: versions 11.002 and prior, update to 11.003 or later
1756-EN2TRK Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TRK Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TRK Series C: versions 11.002 and prior, update to 11.003 or later
1756-EN2TRXT Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TRXT Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2TRXT Series C: versions 11.002 and prior, update to 11.003 or later
1756-EN2F Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2F Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2F Series C: versions 11.002 and prior, update to 11.003 or later
1756-EN2FK Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2FK Series B: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN2FK Series C: versions 11.002 and prior, update to 11.003 or later
1756-EN3TR Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN3TR Series B: versions 11.002 and prior, update to 11.003 or later
1756-EN3TRK Series A: versions 5.008 and prior, update to 5.009 or later; version 5.028, update to 5.029 or later
1756-EN3TRK Series B: versions 11.002 and prior, update to 11.003 or later

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, Rockwell Automation encourages customers to implement their suggested security best practices to minimize the risk of exploitation.

Restrict traffic to the SMTP port (25), if not needed.
Customers using the EN2/EN3 versions 10.x and higher can disable the email object, if not needed. Instructions can be found in the EtherNet/IP Network Devices User Manual (rockwellautomation.com)

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Real Time Automation 460 Series


1. EXECUTIVE SUMMARY

CVSS v3 9.4
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Real Time Automation
Equipment: 460MCBS
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to run malicious JavaScript content in the context of the gateway's web interface (cross-site scripting, XSS).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Real Time Automation products are affected:

460 Series: Versions prior to v8.9.8

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Real Time Automation 460 Series products with versions prior to v8.9.8 are vulnerable to cross-site scripting, which could allow an attacker to execute arbitrary JavaScript referenced from the URL string. When this occurs, the gateway's HTTP interface redirects to the main page, index.htm.

CVE-2023-4523 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
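The gateway's page template and the public proof of concept are not reproduced here. The following Python is an added example, not Real Time Automation code: it models the class of bug (a value taken from the URL echoed into the redirect page without encoding) beside a hardened handler, and adds a coarse check for such requests in web-server logs. The page names, the `page` query parameter and the log lines are constructed for the illustration.

```python
# Added example, not Real Time Automation code: the gateway's page template is not
# published, so this models the bug class (a value from the URL echoed into the
# redirect page unescaped) next to a hardened handler, and adds a coarse check for
# such requests in web-server logs. Page names and the log lines are constructed.
import html
import re
from typing import List
from urllib.parse import unquote

ALLOWED_PAGES = {"index.htm", "status.htm", "config.htm"}   # hypothetical gateway pages


def render_vulnerable(target: str) -> str:
    """URL-supplied value dropped straight into markup: a target such as
    '"><script>...</script>' breaks out of the attribute and runs."""
    return (f'<html><body>Redirecting to <a href="{target}">{target}</a>'
            f'</body></html>')


def render_hardened(target: str) -> str:
    """Only known relative pages are honoured; anything else is reported back
    HTML-escaped (quote=True also escapes " and ', so it is safe inside an
    attribute as well as in text) and the redirect goes to index.htm."""
    if target in ALLOWED_PAGES:
        return (f'<html><body>Redirecting to <a href="{target}">{target}</a>'
                f'</body></html>')
    shown = html.escape(target, quote=True)
    return (f'<html><body>Unknown page {shown}; redirecting to '
            f'<a href="index.htm">index.htm</a></body></html>')


# Coarse triage patterns for script injection in a decoded request target.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def request_is_suspicious(log_line: str) -> bool:
    """Pull the request target out of a combined-format log line, percent-decode
    it twice (to catch double encoding) and look for script markers."""
    m = REQUEST_TARGET.search(log_line)
    if not m:
        return False
    decoded = unquote(unquote(m.group(1)))
    return SCRIPT_MARKERS.search(decoded) is not None


def suspicious_requests(log_lines: List[str]) -> List[str]:
    return [line for line in log_lines if request_is_suspicious(line)]


# Constructed log lines for the demonstration (not real gateway traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Sep/2023:10:00:00 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '192.0.2.77 - - [21/Sep/2023:10:00:05 +0000] "GET /?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0',
    '192.0.2.77 - - [21/Sep/2023:10:00:09 +0000] "GET /?page=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 302 0',
]
```

The third sample line is double-encoded; decoding once leaves `%22%3E%3Cimg...`, which no marker matches, so the log check decodes twice. The markers are deliberately coarse triage rules for a device whose web server sees little legitimate traffic, not a general-purpose XSS detector.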

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered a public proof of concept authored by Yehia Elghaly.

4. MITIGATIONS

Real Time Automation recommends users download and apply the new version of their product. To update the software, contact Real Time Automation directly for assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Delta Electronics DIAScreen


1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: DIAScreen
Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process; it requires a user to open a specially crafted input file.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Delta Electronics reports the following versions of DIAScreen, a software configuration tool for Delta devices, are affected:

DIAScreen: versions prior to v1.3.2

3.2 Vulnerability Overview

3.2.1 Out-of-bounds Write CWE-787

Delta Electronics DIAScreen may write past the end of an allocated buffer while parsing a specially crafted input file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-5068 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics has released a new version (v1.3.2) of DIAScreen to address this issue.
Users can download it at the download center of DIAStudio. (Login required)

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 21, 2023: Initial Publication

Siemens SIMATIC PCS neo Administration Console

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories.


1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: SIMATIC PCS neo Administration Console
Vulnerability: Insertion of Sensitive Information into Externally-Accessible File or Directory

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with local access to obtain Windows admin credentials, impersonate the admin user, and thereby gain admin access to other Windows systems.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

SIMATIC PCS neo (Administration Console): V4.0
SIMATIC PCS neo (Administration Console): V4.0 Update 1

3.2 Vulnerability Overview

3.2.1 Insertion of Sensitive Information into Externally-Accessible File or Directory CWE-538

The affected application leaks Windows admin credentials (the accounts used for the remote deployment of AC Agent, per the Siemens mitigation below). An attacker with local access to the Administration Console could obtain these credentials, impersonate the admin user, and thereby gain admin access to other Windows systems.

CVE-2023-38558 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released Security Patch 01 for the affected products and recommends users install the patch.

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Change the password of the Windows accounts used for the remote deployment of AC Agent, and avoid deploying AC Agents remotely. Rotating the password matters even after patching: any copy of the credential that has already leaked stays valid until the password is changed.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For more information see the associated Siemens security advisory SSA-357182 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 19, 2023: Initial Publication

Omron CJ/CS/CP Series

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Omron
Equipment: Sysmac CJ/CS/CP Series
Vulnerability: Improper Control of Interaction Frequency

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to guess the password protecting PLC memory regions and obtain sensitive information stored in them.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Omron CJ/CS/CP series, programmable logic controllers, are affected:

CJ2H-CPU**(-EIP): version 1.4 and prior
CJ2M-CPU**: version 2.0 and prior
CS1H/G-CPU**H, CJ1G-CPU**P: version 4.0 and prior
CS1D-CPU**H / -CPU**P: version 1.3 and prior
CS1D-CPU**S: version 2.0 and prior
CP1E-E / -N: version 1.2 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER CONTROL OF INTERACTION FREQUENCY CWE-799

Omron CJ/CS/CP series programmable logic controllers use the FINS protocol, which is vulnerable to brute-force attacks. The controllers do not enforce any rate limit on password guesses to password-protected memory regions, so an attacker who can reach the FINS service can try passwords without throttling until one succeeds.

CVE-2022-45790 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
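Because the controllers themselves apply no throttle, the compensating control has to sit on the network that carries FINS (normally UDP port 9600). The following Python script is an added example written for this page, not Omron or CISA code: it decodes FINS/UDP frames using the documented 10-byte header, counts commands per client and command code in a sliding window, tallies the non-zero end codes in the PLC's replies, and raises an alert when one client exceeds the threshold. The traffic is constructed inline; command code 0x0303 and end code 0x2307 are placeholders, since the advisory does not name the password-carrying command or the rejection code, and the IP addresses, window and threshold are assumptions.

```python
import struct
from collections import defaultdict, deque

# FINS/UDP frame layout (Omron FINS command reference): a 10-byte header
#   ICF RSV GCT DNA DA1 DA2 SNA SA1 SA2 SID
# followed by the 2-byte command code (MRC, SRC). Responses carry a 2-byte
# end code after the command code; 0x0000 means normal completion.
FINS_HDR = struct.Struct(">10B")
ICF_GATEWAY = 0x80      # bit 7, set on every frame in practice
ICF_RESPONSE = 0x40     # bit 6: 0 = command, 1 = response

# Assumptions for the constructed traffic; neither value is stated in the advisory.
GUESS_COMMAND = 0x0303          # placeholder for whichever command carries the password
END_CODE_REJECTED = 0x2307      # placeholder non-zero end code for a rejected guess


def build_fins(sid: int, command: int, data: bytes = b"", response: bool = False,
               end_code: int = 0, dst=(0, 10, 0), src=(0, 50, 0)) -> bytes:
    """Build one FINS frame; used here only to construct sample traffic."""
    icf = ICF_GATEWAY | (ICF_RESPONSE if response else 0)
    header = FINS_HDR.pack(icf, 0x00, 0x02, *dst, *src, sid & 0xFF)
    body = struct.pack(">H", command)
    if response:
        body += struct.pack(">H", end_code)
    return header + body + data


def parse_fins(payload: bytes) -> dict:
    """Decode the header fields the detector needs; raise on truncated frames."""
    if len(payload) < 12:
        raise ValueError("FINS frame shorter than header + command code")
    fields = FINS_HDR.unpack_from(payload, 0)
    frame = {
        "response": bool(fields[0] & ICF_RESPONSE),
        "dst_node": fields[4],
        "src_node": fields[7],
        "sid": fields[9],
        "command": struct.unpack_from(">H", payload, 10)[0],
        "end_code": None,
    }
    if frame["response"]:
        if len(payload) < 14:
            raise ValueError("FINS response lacks end code")
        frame["end_code"] = struct.unpack_from(">H", payload, 12)[0]
    return frame


class FinsGuessRateDetector:
    """Network-side substitute for the rate limit the PLC does not enforce (CWE-799):
    count commands per (client IP, command code) in a sliding window and tally the
    non-zero end codes the PLC sends back, so a run of rejected attempts stands out."""

    def __init__(self, max_attempts: int = 10, window_s: float = 5.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.attempts = defaultdict(deque)   # (client, command) -> recent timestamps
        self.failures = defaultdict(int)     # (client, command) -> rejected responses seen
        self.alerted = set()                 # keys already reported (one alert per key)

    def observe(self, ts: float, src_ip: str, dst_ip: str, payload: bytes):
        frame = parse_fins(payload)
        if frame["response"]:
            # PLC -> client: the client is the IP-layer destination
            if frame["end_code"] != 0:
                self.failures[(dst_ip, frame["command"])] += 1
            return None
        key = (src_ip, frame["command"])
        window = self.attempts[key]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()                 # drop attempts older than the window
        if len(window) > self.max_attempts and key not in self.alerted:
            self.alerted.add(key)
            return {
                "client": src_ip,
                "command": f"0x{frame['command']:04x}",
                "attempts_in_window": len(window),
                "failed_responses": self.failures[key],
            }
        return None

    def run(self, packets):
        """packets: iterable of (timestamp, src_ip, dst_ip, udp_payload). Returns alerts."""
        alerts = []
        for ts, src_ip, dst_ip, payload in sorted(packets, key=lambda p: p[0]):
            alert = self.observe(ts, src_ip, dst_ip, payload)
            if alert:
                alerts.append(alert)
        return alerts


def constructed_capture(guesses: int, client: str = "10.0.0.50", plc: str = "10.0.0.10",
                        start: float = 0.0, step: float = 0.2):
    """Constructed (not captured) traffic: `guesses` password attempts spaced `step`
    seconds apart, each answered with a rejection about 10 ms later."""
    packets = []
    for i in range(guesses):
        ts = start + i * step
        guess = f"{i:08d}".encode()          # constructed 8-byte password guess
        packets.append((ts, client, plc, build_fins(i, GUESS_COMMAND, guess)))
        packets.append((ts + 0.01, plc, client,
                        build_fins(i, GUESS_COMMAND, response=True, end_code=END_CODE_REJECTED,
                                   dst=(0, 50, 0), src=(0, 10, 0))))
    return packets


if __name__ == "__main__":
    for alert in FinsGuessRateDetector().run(constructed_capture(15)):
        print(alert)
```

The same detector, fed from a packet capture of the control network, is also a reasonable place to enforce the limit the PLC lacks: once a key trips the threshold, a firewall rule or gateway ACL can block that client for the rest of the window. Note that a slower guesser (one attempt per second against a 5-second window of 10) never trips it, which is why the alert reports the failure tally alongside the rate.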

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA.

4. MITIGATIONS

Omron recommends users update their products as soon as possible. Updated versions can be obtained by contacting Omron’s Customer Care Team.

CJ2H-CPU**(-EIP): Update to version 1.5
CJ2M-CPU**: Update to version 2.1
CS1H/G-CPU**H, CJ1G-CPU**P: Update to version 4.1
CS1D-CPU**H / -CPU**P: Update to version 1.4
CS1D-CPU**S: Update to version 2.1
CP1E-E / -N: Update to version 1.3

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 19, 2023: Initial Publication

Omron Engineering Software

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: Omron
Equipment: Sysmac Studio
Vulnerability: Improper Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to modify installed executables and thereby execute arbitrary code with the privileges of whoever next runs them.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Omron engineering software are affected:

Sysmac Studio: version 1.54 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHORIZATION CWE-285

Omron engineering applications install executables with "write" permission granted to low-privileged users. A local attacker could alter these files so that arbitrary code executes when the application is next run.

CVE-2022-45793 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
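A practitioner will want to verify this on installed hosts, and the same check answers the Siemens CWE-538 finding earlier on this page (a credential-bearing file readable by ordinary users). The following Python script is an added example, not Omron, Siemens or CISA code: it parses the text that `icacls <dir> /T` prints on Windows and reports ACEs that grant write rights on program files, or read rights on configuration files, to low-privileged principals, ignoring deny ACEs. The icacls output embedded below is constructed; the file paths, the principal list and the heuristic that a domain prefix is upper-case are assumptions, so lower-case machine names or all-upper-case file names may need the pattern adjusted.

```python
import re
from collections import defaultdict

# Principals that amount to "any low-privileged local user" on a Windows host (assumed list).
LOW_PRIV_PRINCIPALS = {
    "EVERYONE",
    "BUILTIN\\USERS",
    "NT AUTHORITY\\AUTHENTICATED USERS",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls rights that let the holder change a file: simple F/M/W, generic GW/GA, the specific
# rights WD/AD/WEA/WA, and WDAC/WO (rewrite the ACL or take ownership, then write anyway).
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WEA", "WA", "WDAC", "WO"}
# icacls rights that let the holder read a file's contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# One ACE as icacls prints it: PRINCIPAL:(flags)(rights), e.g. BUILTIN\Users:(I)(RX).
# Heuristic: the domain part must be upper-case (BUILTIN, NT AUTHORITY, CONTOSO) so that a
# path segment such as "Sysmac Studio\" is not mistaken for it.
ACE_RE = re.compile(
    r"(?P<principal>(?:[A-Z][A-Z0-9 _-]*\\)?[^\\:()\s][^\\:()]*?):(?P<flags>(?:\([^)]*\))+)\s*$"
)

# Constructed sample of `icacls "C:\Program Files\OMRON" /T`-style output (not real host data).
SAMPLE_ICACLS = r"""
C:\Program Files\OMRON\Sysmac Studio\Sysmac Studio.exe BUILTIN\Users:(I)(M)
                                                       BUILTIN\Administrators:(I)(F)
                                                       NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\OMRON\Sysmac Studio\Helper.dll BUILTIN\Administrators:(I)(F)
                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                BUILTIN\Users:(I)(RX)
C:\ProgramData\Vendor\deploy.cfg NT AUTHORITY\Authenticated Users:(I)(R)
                                 BUILTIN\Administrators:(I)(F)
C:\ProgramData\Vendor\deploy.cfg.bak BUILTIN\Users:(DENY)(F)
                                     BUILTIN\Administrators:(I)(F)

Successfully processed 4 files; Failed processing 0 files
"""


def parse_icacls(text: str) -> dict:
    """Parse icacls output into {path: [(principal, rights, is_deny), ...]}. The first ACE
    of each file shares a line with the path; the remaining ACEs are indented below it."""
    acls = defaultdict(list)
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Successfully processed"):
            continue
        m = ACE_RE.search(line)
        if not m:
            continue                                  # e.g. "Access is denied." lines
        path = line[:m.start()].strip()
        if path:
            current = path
        if current is None:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
        is_deny = "DENY" in tokens
        rights = set()
        for tok in tokens:
            if tok in INHERIT_FLAGS or tok == "DENY":
                continue
            rights.update(r.strip().upper() for r in tok.split(","))   # "(Rc,S,RA)" style
        acls[current].append((m.group("principal").upper(), frozenset(rights), is_deny))
    return dict(acls)


def weak_aces(acl, wanted_rights):
    """Allow ACEs that grant any of `wanted_rights` to a low-privileged principal."""
    return [(principal, sorted(rights & wanted_rights))
            for principal, rights, is_deny in acl
            if not is_deny and principal in LOW_PRIV_PRINCIPALS and rights & wanted_rights]


def find_exposed(acls: dict, wanted_rights: set, name_filter=None) -> dict:
    """Paths (optionally filtered by name) that carry at least one weak ACE."""
    hits = {}
    for path, acl in acls.items():
        if name_filter and not name_filter(path):
            continue
        bad = weak_aces(acl, wanted_rights)
        if bad:
            hits[path] = bad
    return hits


def is_program_file(path: str) -> bool:
    return path.lower().endswith((".exe", ".dll", ".sys", ".ocx"))


if __name__ == "__main__":
    acls = parse_icacls(SAMPLE_ICACLS)
    print("user-writable program files:", find_exposed(acls, WRITE_RIGHTS, is_program_file))
    print("user-readable config files:",
          find_exposed(acls, READ_RIGHTS, lambda p: p.lower().endswith((".cfg", ".cfg.bak"))))
```

On a real host, replace `SAMPLE_ICACLS` with the captured output of `icacls "<install directory>" /T`. The Omron finding shows up as `Sysmac Studio.exe` granting `BUILTIN\Users` modify; the Siemens-style finding shows up as `deploy.cfg` readable by `Authenticated Users`, while `deploy.cfg.bak` is not reported because its only Users entry is a deny ACE. A clean result is `BUILTIN\Users:(I)(RX)` on executables and no low-privileged read entry on files that hold credentials.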

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA.

4. MITIGATIONS

OMRON recommends the following general mitigation measures to minimize the risk of exploitation of this vulnerability:

Anti-virus protection
Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.

Security measures to prevent unauthorized access
Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.
Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate control systems from the IT network.
Use a virtual private network (VPN) for remote access to control systems and equipment.
Use strong passwords and change them frequently.
Install physical controls so that only authorized personnel can access control systems and equipment.
Scan for viruses to ensure safety of any USB drives or similar devices before connecting them to systems and devices.
Enforce multifactor authentication of all devices with remote access to control systems and equipment whenever possible.

Data input and output protection
Perform process validation, such as backup validation or range checks, to cope with unintentional modification of input/output data to control systems and devices.

Data recovery
Periodic data backup and maintenance to prevent data loss.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 19, 2023: Initial Publication

Omron Engineering Software Zip-Slip

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: Omron
Equipment: Sysmac Studio, NX-IO Configurator
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to write to arbitrary files outside the intended extraction directory on the system of a user who opens a crafted archive.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Omron engineering software are affected:

Sysmac Studio: version 1.54 and prior
NX-IO Configurator: version 1.22 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Sysmac Studio and NX-IO Configurator use DotNetZip.Semvered before 1.11.0, which is vulnerable to directory traversal: an attacker could write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry name that is mishandled during extraction. This vulnerability is also known as "Zip-Slip."

CVE-2018-1002205 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
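To make the traversal concrete, the following Python example (added here; it is not code from Omron, DotNetZip or the advisory) builds a constructed archive containing one benign entry and one named ../../outside.txt, shows how a vulnerable extractor's path computation lands outside the destination, and contrasts it with an extractor that canonicalizes each entry and refuses anything that escapes. The entry names and destination directory are assumptions; the archive is generated in memory.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive (not a real Sysmac Studio or NX-IO Configurator file):
# one benign entry plus one whose name climbs two directories above the extraction root.
BENIGN_ENTRY = "project/readme.txt"
SLIP_ENTRY = "../../outside.txt"


def build_zip_slip_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(BENIGN_ENTRY, "benign content\n")
        zf.writestr(SLIP_ENTRY, "planted by the archive author\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """Output path as a vulnerable extractor computes it: the archive-supplied name is
    joined onto the destination with no containment check (the Zip-Slip pattern)."""
    return os.path.normpath(os.path.join(dest, name))


def escapes_destination(dest: str, name: str) -> bool:
    """True when the naive target would land outside `dest`."""
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(naive_target(dest_abs, name))
    return os.path.commonpath([dest_abs, target]) != dest_abs


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name under `dest`, refusing absolute names, drive letters and
    anything that canonicalizes to a location outside `dest`."""
    if not name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        raise ValueError(f"rejected absolute entry name: {name!r}")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    # commonpath, not startswith: "/srv/app2" must not pass as inside "/srv/app"
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"rejected traversal entry: {name!r}")
    return target


def extract_safely(zip_bytes: bytes, dest: str) -> dict:
    """Extract entry by entry, rejecting Zip-Slip names instead of writing them."""
    written, rejected = [], []
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            rel = os.path.relpath(target, os.path.realpath(dest))
            written.append(rel.replace(os.sep, "/"))
    return {"written": written, "rejected": rejected}


def demo() -> dict:
    """Run both path computations against the constructed archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        result = extract_safely(build_zip_slip_archive(), dest)
        result["slip_entry_escapes"] = escapes_destination(dest, SLIP_ENTRY)
        result["benign_entry_escapes"] = escapes_destination(dest, BENIGN_ENTRY)
        # the naive extractor would have written one level above the scratch directory
        result["naive_target_inside_tmp"] = (
            os.path.commonpath([tmp, naive_target(dest, SLIP_ENTRY)]) == tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall` already strips leading `../` components, which is why the unsafe case is shown through `naive_target` rather than through the library; DotNetZip before 1.11.0 did the equivalent of that join. The hardened path uses `realpath` plus `commonpath`, so an entry that merely shares a prefix with the destination, or that routes through a symlink created earlier, is still rejected.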

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA. Michael Heinzl reported the Zip-Slip vulnerability to JPCERT/CC.

4. MITIGATIONS

OMRON recommends the following general mitigation measures to minimize the risk of vulnerability exploitation:

Anti-virus protection:
Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protections.

Security measures to prevent unauthorized access:
Minimize connection of control systems and equipment to open networks so untrusted devices will be unable to access them.
Implement firewalls (by shutting down unused communications ports, limiting communications hosts, etc.) and isolate control systems from the IT network.
Use a virtual private network (VPN) for remote access to control systems and equipment.
Use strong passwords and change them frequently.
Install physical controls so only authorized personnel can access control systems and equipment.
Scan for viruses to ensure safety of any USB drives or similar devices before connecting them to systems and devices.
Enforce multifactor authentication whenever possible of all devices with remote access to control systems and equipment.

Data input and output protection:

Perform process validation, such as backup validation or range checks, to cope with unintentional modification of input/output data to control systems and devices.

Data recovery:

Periodic data backup and maintenance to prevent data loss.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 19, 2023: Initial Publication