
Socomec MOD3GP-SY-120K

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Socomec
Equipment: MOD3GP-SY-120K
Vulnerabilities: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Storage of Sensitive Information, Reliance on Cookies without Validation and Integrity Checking, Code Injection, Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute malicious JavaScript code, obtain sensitive information, or steal session cookies.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Socomec products are affected:

MODULYS GP (MOD3GP-SY-120K): Web firmware v01.12.10

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access the vulnerable page of the web application, the XSS payload will be executed.

CVE-2023-38582 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Because of weaknesses in the web application's user management, an attacker could obtain from the headers the information needed to craft specially designed URLs that trigger malicious actions while a legitimate user is logged into the web application.

CVE-2023-39446 has been assigned to this vulnerability. A CVSS v3 base score of 8.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H).

3.2.3 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

Sending certain requests to the web application of the vulnerable device allows information to be obtained, because of the lack of security in the authentication process.

CVE-2023-41965 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 RELIANCE ON COOKIES WITHOUT VALIDATION AND INTEGRITY CHECKING CWE-565

Session management within the web application is incorrect and allows attackers to steal session cookies and thereby perform any of the many actions the web application permits on the device.

CVE-2023-41084 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

The absence of filters when loading some sections in the web application of the vulnerable device allows potential attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section (MAIL SERVER) where the information is displayed. Injection can be done on parameter MAIL_RCV. When a legitimate user attempts to review NOTIFICATION/MAIL SERVER, the injected code will be executed.

CVE-2023-40221 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
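Both 3.2.1 and 3.2.5 turn on the same stored field, MAIL_RCV, being written into the NOTIFICATION/MAIL SERVER page without neutralization. The following is an added example, not Socomec's code: a minimal model of the vulnerable rendering beside a hardened version that validates the field as a recipient list on input and HTML-encodes it on output. The page layout, function names and the probe value are assumptions.

```python
import html
import re

# Added example, not Socomec's code: a minimal model of how the
# NOTIFICATION/MAIL SERVER page might render the stored MAIL_RCV value,
# first in the vulnerable form the advisory describes, then hardened.

# Deliberately strict recipient pattern: plain addresses only, so markup
# characters such as < > " ' never reach storage in the first place.
RECIPIENT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def render_mail_rcv_vulnerable(mail_rcv: str) -> str:
    """Stored value concatenated straight into the page (the CWE-79 / CWE-94 pattern)."""
    return f'<tr><td>MAIL_RCV</td><td><input name="MAIL_RCV" value="{mail_rcv}"></td></tr>'


def validate_mail_rcv(mail_rcv: str) -> list[str]:
    """Input validation: accept only a comma- or semicolon-separated list of addresses."""
    recipients = [r.strip() for r in re.split(r"[,;]", mail_rcv) if r.strip()]
    if not recipients:
        raise ValueError("MAIL_RCV must contain at least one recipient")
    for r in recipients:
        if not RECIPIENT_RE.fullmatch(r):
            raise ValueError(f"MAIL_RCV rejected: {r!r} is not a plain e-mail address")
    return recipients


def encode_for_attribute(value: str) -> str:
    """Output encoding for an HTML attribute value: < > & " ' become entities."""
    return html.escape(value, quote=True)


def render_mail_rcv_hardened(mail_rcv: str) -> str:
    """Validation plus output encoding: the browser only ever sees data, never markup."""
    recipients = validate_mail_rcv(mail_rcv)
    safe_value = encode_for_attribute(", ".join(recipients))
    return f'<tr><td>MAIL_RCV</td><td><input name="MAIL_RCV" value="{safe_value}"></td></tr>'


def hardened_rejects(mail_rcv: str) -> bool:
    """True when the hardened path refuses to store the value at all."""
    try:
        render_mail_rcv_hardened(mail_rcv)
    except ValueError:
        return True
    return False


# Constructed probe value (assumption): it closes the attribute and adds a script element.
CONSTRUCTED_PROBE = 'ops@example.com"><script>/* constructed */</script>'
```

The validation step is what removes the stored-XSS and code-injection vector for this field; the encoding step is the safety net for any value that still reaches the page.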

3.2.6 PLAINTEXT STORAGE OF A PASSWORD CWE-256

The device's web application stores credentials in plaintext within the user management section. This information can be obtained remotely because of the incorrect session management in the web application.

CVE-2023-39452 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.7 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A potential attacker with access to the device, whether legitimate or obtained through cookie theft, would be able to include malicious code (XSS) when uploading a new device configuration, which could affect the intended function of the device.

CVE-2023-38255 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Aarón Flecha Menéndez reported these vulnerabilities to CISA.

4. MITIGATIONS

Socomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 07, 2023: Initial Publication

Phoenix Contact TC ROUTER and TC CLOUD CLIENT

1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Phoenix Contact
Equipment: TC ROUTER and TC CLOUD CLIENT
Vulnerabilities: Cross-site Scripting, XML Entity Expansion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could execute code in the context of the user’s browser or cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Phoenix Contact reports that the following products are affected:

TC ROUTER 3002T-4G: versions prior to 2.07.2
TC ROUTER 3002T-4G ATT: versions prior to 2.07.2
TC ROUTER 3002T-4G VZW: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G ATT: versions prior to 2.07.2
TC CLOUD CLIENT 1002-4G VZW: versions prior to 2.07.2
CLOUD CLIENT 1101T-TX/TX: versions prior to 2.06.10

3.2 Vulnerability Overview

3.2.1 Cross-site Scripting CWE-79

In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2, as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10, an unauthenticated remote attacker could use a reflected XSS within the license viewer page of the devices in order to execute code in the context of the user’s browser.

CVE-2023-3526 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 XML Entity Expansion CWE-776

In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2, as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10, an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial of service.

CVE-2023-3569 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
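The denial of service in 3.2.2 is the CWE-776 pattern: an uploaded XML document declares entities that expand to far more text than the upload itself. The following is an added example, not Phoenix Contact's code, showing the parser-side hardening a configuration-upload handler can apply: reject any DOCTYPE or entity declaration before expansion happens, cap the upload size, and fail closed on external entity references. The size cap and the constructed documents are assumptions.

```python
import xml.parsers.expat

# Added example, not Phoenix Contact's code: a hardened parser for an uploaded
# XML configuration that refuses DTDs and entity declarations up front.

MAX_UPLOAD_BYTES = 512 * 1024  # assumed cap; a real limit depends on the device


class UnsafeXMLError(ValueError):
    """Raised when an upload carries constructs that enable entity expansion."""


def parse_config_upload(data: bytes) -> list[tuple[str, dict]]:
    """Return (element, attributes) pairs for a benign document, or raise UnsafeXMLError."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UnsafeXMLError(f"upload of {len(data)} bytes exceeds cap of {MAX_UPLOAD_BYTES}")

    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Fires before any entity in the internal subset is declared or expanded.
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} is not allowed in configuration uploads")

    def reject_entity(*_):
        raise UnsafeXMLError("entity declarations are not allowed in configuration uploads")

    def reject_external_entity(*_):
        return 0  # a zero return makes expat abort the parse with an error

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML rejected: {exc}") from exc
    return elements


def is_upload_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the upload parses under the hardened rules."""
    try:
        parse_config_upload(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed benign configuration (assumption: element and attribute names are illustrative).
BENIGN_CONFIG = b'<?xml version="1.0"?><config><router name="tc-3002" apn="example"/></config>'

# Constructed entity-expansion document: two declarations, 32 expansions on use.
EXPANSION_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE cfg [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    b"<cfg>&b;&b;&b;&b;</cfg>"
)
```

Rejecting the DOCTYPE outright is stricter than limiting expansion depth, but a device configuration has no legitimate need for a DTD, so the stricter rule costs nothing.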

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

A. Resanovic and S. Stockinger at St. Pölten UAS discovered these vulnerabilities. T. Weber of CyberDanube Security Research coordinated the vulnerabilities with Phoenix Contact.

4. MITIGATIONS

Phoenix Contact has made the following fixed versions available and encourages users to download the latest version:

TC ROUTER 3002T-4G
TC ROUTER 3002T-4G ATT
TC ROUTER 3002T-4G VZW
TC CLOUD CLIENT 1002-4G
TC CLOUD CLIENT 1002-4G ATT
TC CLOUD CLIENT 1002-4G VZW
CLOUD CLIENT 1101T-TX/TX

Phoenix Contact recommends operating network-capable devices in closed networks or protected by a suitable firewall. For detailed information on their recommendations for measures to protect network-capable devices, please refer to the application note “Measures to protect network-capable devices with Ethernet connection”.

Phoenix Contact published a security advisory

CERT@VDE published VDE-2023-017

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 07, 2023: Initial Publication

Fujitsu Limited Real-time Video Transmission Gear “IP series”

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Fujitsu Limited
Equipment: Real-time Video Transmission Gear “IP series”
Vulnerability: Use Of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker logging into the web interface using the obtained credentials. The attacker could initialize or reboot the products, terminating the video transmission.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Real-time Video Transmission Gear “IP series”, a hosted web application, are affected:

Real-time Video Transmission Gear “IP series” IP-HE950E: firmware versions V01L001 to V01L053
Real-time Video Transmission Gear “IP series” IP-HE950D: firmware versions V01L001 to V01L053
Real-time Video Transmission Gear “IP series” IP-HE900E: firmware versions V01L001 to V01L010
Real-time Video Transmission Gear “IP series” IP-HE900D: firmware versions V01L001 to V01L004
Real-time Video Transmission Gear “IP series” IP-900E / IP-920E: firmware versions V01L001 to V02L061
Real-time Video Transmission Gear “IP series” IP-900D / IP-900ⅡD / IP-920D: firmware versions V01L001 to V02L061
Real-time Video Transmission Gear “IP series” IP-90: firmware versions V01L001 to V01L013
Real-time Video Transmission Gear “IP series” IP-9610: firmware versions V01L001 to V02L007

3.2 Vulnerability Overview

3.2.1 Use Of Hard-Coded Credentials CWE-798

The credentials of Fujitsu Limited Real-time Video Transmission Gear “IP series” for factory testing may be obtained by reverse engineering and other methods.

CVE-2023-38433 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Fujitsu Limited reported this vulnerability to JPCERT/CC.

4. MITIGATIONS

Fujitsu Limited recommends updating the firmware to the latest version, which can be downloaded here.

Fujitsu Limited recommends placing the products on a secure network as a workaround.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

PTC Kepware KepServerEX

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Kepware KepServerEX
Vulnerabilities: Uncontrolled Search Path Element, Improper Input Validation, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Kepware KepServerEX, an industrial automation control platform, are affected:

Kepware KepServerEX: version 6.14.263.0 and prior
ThingWorx Kepware Server: version 6.14.263.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges.

CVE-2023-29444 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.2 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.

CVE-2023-29445 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

KEPServerEX is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes and crack them offline.

CVE-2023-29446 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.4 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server’s plaintext credentials.

CVE-2023-29447 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sam Hanson of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS

PTC is aware of these vulnerabilities and is developing patches to address them. PTC expects these issues to be addressed by November 2023. This advisory will be updated when these patches are ready.

PTC recommends users follow the directions in the secure configuration documentation.

Please refer to PTC’s security advisory on these vulnerabilities for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation that specifically targets these vulnerabilities has been reported to CISA at this time.

GE Digital CIMPLICITY

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: GE Digital
Equipment: CIMPLICITY
Vulnerability: Process Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a low-privileged local attacker to escalate privileges to SYSTEM.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following GE products are affected:

GE Digital CIMPLICITY: v2023

3.2 VULNERABILITY OVERVIEW

3.2.1 PROCESS CONTROL CWE-114

GE CIMPLICITY 2023 is affected by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.

CVE-2023-4487 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to CISA.

4. MITIGATIONS

GE Digital recommends users apply the following mitigations:

Update CIMPLICITY to v2023 SIM 1 (login is required)

Please refer to GE Digital’s security bulletin (login is required) for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Digi RealPort Protocol

1. EXECUTIVE SUMMARY

CVSS v3 9.0
ATTENTION: Exploitable remotely
Vendor: Digi International, Inc.
Equipment: Digi RealPort Protocol
Vulnerability: Use of Password Hash Instead of Password for Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the attacker to access connected equipment.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Digi International reports that the following products using Digi RealPort Protocol are affected:

Digi RealPort for Windows: version 4.8.488.0 and earlier
Digi RealPort for Linux: version 1.9-40 and earlier
Digi ConnectPort TS 8/16: versions prior to 2.26.2.4
Digi Passport Console Server: all versions
Digi ConnectPort LTS 8/16/32: versions prior to 1.4.9
Digi CM Console Server: all versions
Digi PortServer TS: all versions
Digi PortServer TS MEI: all versions
Digi PortServer TS MEI Hardened: all versions
Digi PortServer TS M MEI: all versions
Digi PortServer TS P MEI: all versions
Digi One IAP Family: all versions
Digi One IA: all versions
Digi One SP IA: all versions
Digi One SP: all versions
Digi WR31: all versions
Digi WR11 XT: all versions
Digi WR44 R: all versions
Digi WR21: all versions
Digi Connect ES: versions prior to 2.26.2.4
Digi Connect SP: all versions

Digi International reports that the following products do NOT use the Digi RealPort Protocol and are NOT affected:

Digi 6350-SR: all versions
Digi ConnectCore 8X products: all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF PASSWORD HASH INSTEAD OF PASSWORD FOR AUTHENTICATION CWE-836

Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.

CVE-2023-4299 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Reid Wightman of Dragos, Inc reported this vulnerability to Digi International.

4. MITIGATIONS

Digi International recommends users acquire and install patches that they have made available for the following products:

RealPort software for Windows: Fixed in 4.10.490
Digi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4
Digi ConnectPort LTS 8/16/32: Fixed in version 1.4.9
Digi Connect ES: Fixed in firmware version 2.26.2.4

For more information, see the customer notification document published by Digi International.

Dragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi’s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.

If using the system in ‘reverse’ mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.
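Until the patches above are applied, the Dragos port-restriction advice is also a detection rule: any flow to a RealPort port whose endpoints are not an approved workstation and a known Digi device is worth an alert. The following is an added example, not Digi's or Dragos's code, that audits constructed connection records for both normal mode (workstation to device) and reverse mode (device calling back to the workstation). The record format, addresses and network ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Digi's or Dragos's code: turns the RealPort port-restriction
# advice into a check over connection records (tab-separated, constructed format).

DEFAULT_REALPORT_PORTS = {771, 1027}  # 771 by default, 1027 when encryption is enabled


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dst_port: int
    reason: str


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_realport_connections(log_lines, digi_devices, workstations,
                               realport_ports=DEFAULT_REALPORT_PORTS):
    """Flag TCP flows to RealPort ports whose endpoints are not an expected pair.

    log_lines:     iterable of 'ts<TAB>src_ip<TAB>src_port<TAB>dst_ip<TAB>dst_port<TAB>proto'
    digi_devices:  CIDRs of Digi devices (the servers in normal mode)
    workstations:  CIDRs of hosts allowed to initiate RealPort sessions
    realport_ports: pass the configured ports if the defaults were changed
    """
    devices = [ipaddress.ip_network(n) for n in digi_devices]
    clients = [ipaddress.ip_network(n) for n in workstations]
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _src_port, dst, dst_port, proto = line.split("\t")
        dst_port = int(dst_port)
        if proto.lower() != "tcp" or dst_port not in realport_ports:
            continue
        if _in_any(dst, devices):
            # Normal mode: only approved workstations may reach the device's RealPort port.
            if not _in_any(src, clients):
                findings.append(Finding(ts, src, dst, dst_port, "unapproved client to Digi device"))
        elif _in_any(dst, clients):
            # Reverse mode: only known Digi devices may call back into the workstation.
            if not _in_any(src, devices):
                findings.append(Finding(ts, src, dst, dst_port, "unknown host calling workstation"))
        else:
            findings.append(Finding(ts, src, dst, dst_port, "RealPort port open on unexpected host"))
    return findings


# Constructed sample: approved session, rogue client, legitimate callback, rogue callback, unrelated port.
SAMPLE_LOG = """\
# ts\tsrc_ip\tsrc_port\tdst_ip\tdst_port\tproto
2023-09-07T10:00:00Z\t10.10.1.20\t51000\t10.10.5.7\t771\ttcp
2023-09-07T10:00:05Z\t10.10.9.99\t51001\t10.10.5.7\t771\ttcp
2023-09-07T10:00:09Z\t10.10.5.8\t40000\t10.10.1.20\t1027\ttcp
2023-09-07T10:00:12Z\t192.0.2.44\t40001\t10.10.1.20\t1027\ttcp
2023-09-07T10:00:15Z\t10.10.1.20\t51002\t10.10.5.7\t443\ttcp
""".splitlines()
```

Because the RealPort port is configurable on most Digi devices, feed the audit the ports actually set on each device rather than relying on the defaults.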

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

ARDEREG Sistemas SCADA

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ARDEREG
Equipment: Sistemas SCADA
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to manipulate SQL query logic to extract sensitive information and perform unauthorized actions within the database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ARDEREG products are affected:

Sistemas SCADA: Versions 2.203 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

Sistema SCADA Central, a supervisory control and data acquisition (SCADA) system, is designed to monitor and control various industrial processes and critical infrastructure. ARDEREG identified this SCADA system’s login page to be vulnerable to an unauthenticated blind SQL injection attack. An attacker could manipulate the application’s SQL query logic to extract sensitive information or perform unauthorized actions within the database. In this case, the vulnerability could allow an attacker to execute arbitrary SQL queries through the login page, potentially leading to unauthorized access, data leakage, or even disruption of critical industrial processes.

CVE-2023-4485 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

​CRITICAL INFRASTRUCTURE SECTORS: Health, Public Health
​COUNTRIES/AREAS DEPLOYED: South America
​COMPANY HEADQUARTERS LOCATION: Argentina

3.4 RESEARCHER

​Momen Eldawakhly of Samurai Digital Security Ltd. reported this vulnerability to CISA.

4. MITIGATIONS

ARDEREG is aware of the issue but has not responded to our requests. For more information, contact ARDEREG by email.

ARDEREG recommends the following workarounds to help reduce the risk:

Security Awareness and Training: Conduct regular security awareness and training sessions for developers, administrators, and other personnel involved in the management and operation of the SCADA system. Educate about the risks and consequences of SQL injection vulnerabilities and provide guidance on secure coding practices, proper input validation, and best practices for securely interacting with databases.
Regular Security Assessments: Perform regular security assessments, including penetration testing and code reviews, to identify and address any vulnerabilities in the SCADA system. Conduct internal security audits to evaluate the overall security posture and identify any weaknesses an attacker could exploit through SQL injection or other attack vectors.
Incident Response Plan: Develop and maintain an incident response plan specifically tailored to address security incidents related to SQL injection and other vulnerabilities in the SCADA system. Establish clear procedures and responsibilities for responding to and mitigating security incidents, including containment, investigation, and recovery steps.
Vendor and Supply Chain Security: Ensure the vendors and suppliers involved in the development and maintenance of the SCADA system follow secure coding practices and adhere to strict security standards. Regularly evaluate and monitor the security practices to minimize the risk of introducing vulnerabilities through the supply chain.
System Segmentation: Implement network segmentation to isolate the SCADA system from other less critical systems or public-facing networks. This reduces the attack surface and limits the potential impact of a successful SQL injection attack by containing it within a restricted network segment.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

PTC Codebeamer

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Codebeamer
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim’s browser upon clicking on a malicious link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PTC Codebeamer, an Application Lifecycle Management (ALM) platform for product and software development, are affected:

Codebeamer: v22.10-SP6 or lower
Codebeamer: v22.04-SP2 or lower
Codebeamer: v21.09-SP13 or lower

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

CVE-2023-4296 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.

4. MITIGATIONS

PTC recommends the following:

Version 22.10.X: upgrade to 22.10-SP7 or newer version
Version 22.04.X: upgrade to 22.04-SP3 or newer version
Version 21.09.X: upgrade to 21.09-SP14 or newer version

Docker Image download: https://hub.docker.com/r/intland/codebeamer/tags

Codebeamer installers: https://intland.com/codebeamer-download/

Hosted customers may request an upgrade through the support channel.

Note that version 2.0 is not impacted by this vulnerability.

For more information refer to PTC Security Advisory and Resolution.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Schneider Electric PowerLogic ION7400 / PM8000 / ION8650 / ION8800 / ION9000 Power Meters

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: PowerLogic ION7400 / PM8000 / ION8650 / ION8800 / ION9000
Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a disclosure of sensitive information, a denial of service, or modification of data if an attacker is able to intercept network traffic.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following components of Schneider Electric PowerLogic, a power meter, are affected:

PowerLogic ION9000: All versions prior to 4.0.0
PowerLogic ION7400: All versions prior to 4.0.0
PowerLogic PM8000: All versions prior to 4.0.0
PowerLogic ION8650: All versions
PowerLogic ION8800: All versions
Legacy ION products: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic.

CVE-2022-46680 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Jos Wetzels of Forescout Technologies reported this vulnerability to Schneider Electric.

4. MITIGATIONS

Schneider Electric has released the following remediations for users to implement:

Update affected components to current firmware versions for available vulnerability fixes:
PowerLogic ION9000: Version 4.0.0 is available for download.
PowerLogic ION7400: Version 4.0.0 is available for download.
PowerLogic PM8000: Version 4.0.0 is available for download.

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric recommends using backups and evaluating the impact of these patches in a “testing and development environment” or on an offline infrastructure.
Users should contact Schneider Electric for assistance in removing a patch.
Schneider Electric recommends that users ensure devices supporting ION protocol are not exposed to the internet or other untrusted networks. Users should apply the best practices for network hardening as documented in the product user guide and the Schneider Electric Recommended Cybersecurity Best Practices.
Additional configuration steps and supporting software are required to utilize the secure ION feature. Please refer to the relevant product documentation or contact customer care for additional details and support.

For more information, see Schneider Electric’s security advisory SEVD-2023-129-03.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically targeting this vulnerability have been reported to CISA at this time.

Hitachi Energy AFF66x

1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: AFF66x
Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random Values, Origin Validation Error, Integer Overflow or Wraparound, Uncontrolled Resource Consumption, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports these vulnerabilities affect the following AFF660/665 products:

AFF660/665: Firmware 03.0.02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, application crashes, etc.). In other words, the validation step expected in any stub resolver does not occur.

CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
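The missing validation step is easy to state in code. The following Python example is added here and is not part of uClibc, uClibc-ng or the Hitachi Energy product: it checks names returned by a resolver against RFC 1123 hostname syntax before an application may use them, with `FAKE_ANSWERS` and `fake_lookup` as a constructed stand-in for the real resolver.

```python
import re

# RFC 1123 label: 1-63 chars, letters/digits/hyphen, no leading or trailing
# hyphen. Underscores are deliberately rejected for hostnames.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    # Returns True only for syntactically valid hostnames; anything else
    # (HTML, spaces, NUL bytes, empty labels, overlong names) is rejected.
    if not isinstance(name, str) or not name:
        return False
    if name.endswith("."):      # tolerate the fully qualified trailing dot
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


# Constructed stand-in for the resolver: maps a query name to the answer a
# DNS server returned (canonical name, addresses). Assumed data, not real.
FAKE_ANSWERS = {
    "printer.example.com": ("printer.example.com", ["192.0.2.10"]),
    "ntp.example.com": ("<script>alert(1)</script>.example.com", ["192.0.2.20"]),
    "log.example.com": ("log.example.com\x00.evil.test", ["192.0.2.30"]),
}


def fake_lookup(name):
    return FAKE_ANSWERS.get(name)


def checked_lookup(name, lookup=fake_lookup):
    # The validation step the advisory says is missing: refuse to hand an
    # unvalidated server-supplied name to the application. Returns
    # (canonical_name, addresses), or None when the answer is rejected.
    answer = lookup(name)
    if answer is None:
        return None
    canonical, addresses = answer
    if not is_valid_hostname(canonical):
        return None
    return canonical, addresses


if __name__ == "__main__":
    for query in FAKE_ANSWERS:
        print(query, "->", checked_lookup(query))
```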

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must rely on unauthenticated IPv4 time sources. There must be an off-path attacker who could query time from the victim’s ntpd instance.

CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.2.3 ORIGIN VALIDATION ERROR CWE-346

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190

TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the Linux kernel when handling TCP selective acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit.

CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A vulnerability named “non-responsive delegation attack” (NRDelegation attack) has been discovered in various DNS resolving software. The NRDelegation attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack could cause a resolver to spend time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It could trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, which could lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but still requires resources to resolve the malicious delegation. Unbound will continue to try to resolve the record until it reaches hard limits. Based on the nature of the attack and the replies, Unbound could reach different limits. From version 1.16.3 on, Unbound introduces fixes for better performance when under load by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 NULL POINTER DEREFERENCE CWE-476

snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL pointer exception bug that an unauthenticated attacker could use to remotely cause the instance to crash via a crafted UDP packet, resulting in denial of service.

CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends the following actions:

Update to upcoming AFF660/665 FW 04.6.01 release when available.
Configure only trusted DNS server(s).
Configure the NTP service with redundant trustworthy sources of time.
Restrict TCP/IP-based management protocols to trusted IP addresses.
Disable the SNMP server (CLI and web interface will continue to function as they use an internal connection).

Hitachi Energy recommends the following general mitigations:

Recommended security practices and firewall configurations could help protect a process control network from attacks originating from outside the network.
Physically protect process control systems from direct access by unauthorized personnel.
Ensure process control systems have no direct connections to the internet and are separated from other networks via a firewall system with minimal exposed ports.
Do not use process control systems for internet surfing, instant messaging, or receiving emails.
Scan portable computers and removable storage media for malware prior to connection to a control system.

For more information, see Hitachi Energy’s Security Advisory: 8DBD000167.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are exploitable remotely and have low attack complexity.