
Rockwell Automation FactoryTalk Edge Gateway

1. EXECUTIVE SUMMARY

CVSS v3 7.1
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Edge Gateway
Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local user to cause the program to crash, causing a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports this vulnerability affects the following FactoryTalk Edge Gateway products:

FactoryTalk Edge Gateway: v1.3

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds array read vulnerability was fixed in the apr_time_exp*() functions in Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVE-2021-35940 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation encourages users of the affected software to apply the risk mitigation below, if possible. Additionally, they encourage users to implement their suggested security best practices to minimize the risk.

Update to v1.4
Security Best Practices

Please see the Rockwell Automation publication regarding this issue for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Datalogics Library Third-Party

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: Datalogics
Equipment: Library APDFL v18.0.4PlusP1e
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to crash the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Datalogics library versions are affected:

Library APDFL v18.0.4PlusP1e and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product has a stack-based buffer overflow due to documents containing corrupted fonts, which could allow an attack that causes an unhandled crash during the rendering process.

CVE-2023-1709 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Datalogics recommends users update to APDFL v18.0.4PlusP1g. Contact Datalogics for more information on obtaining this update.

For more information, refer to the Datalogics release notes.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Rockwell Automation FactoryTalk Transaction Manager

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Transaction Manager
Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause the application to crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The user would need to restart the application to recover from the denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports this vulnerability affects the following FactoryTalk Transaction Manager products:

FactoryTalk Transaction Manager: versions 13.10 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A denial-of-service vulnerability exists in the affected products. A threat actor could send a modified packet to port 400 to exploit this vulnerability. If exploited, the application could crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The user would need to restart the application to recover from the denial of service.

CVE-2023-2778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation encourages affected software users to install one of the following security patches to address the associated risk:

v13.00 Security Patch
v13.10 Security Patch

Users who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to implement Rockwell Automation’s suggested security best practices to minimize the risk.

Users should follow the instructions in the Knowledgebase article BF29042 to install the patch to mitigate the issue.
Security Best Practices

Please see the Rockwell Automation publication regarding this issue for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity.

Rockwell Automation FactoryTalk Services Platform

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk Services Platform
Vulnerabilities: Use of Hard-coded Cryptographic Key, Improper Authentication, Origin Validation Error

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information, load malicious configuration files, or elevate privileges from a user to an administrator.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

FactoryTalk Policy Manager: v6.11.0
FactoryTalk System Services: v6.11.0

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

Hard-coded cryptographic key vulnerabilities could lead to privilege escalation. FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability could allow a local authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manager database. The threat actor could make malicious changes to the database to be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required to successfully exploit this vulnerability.

CVE-2023-2637 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H).
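The following Python snippet is an added illustration, not Rockwell Automation code and not taken from FactoryTalk System Services, of why a compiled-in key defeats cookie signing. A cookie is an HMAC-signed claim set; verification proves only that whoever minted the cookie held the key, so when the key is a constant that every local user can read, a non-admin can mint an administrator cookie that verifies. The hardened variant generates a per-installation key on first start and stores it with mode 0600. The constant, the file name and the claim layout are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from pathlib import Path

# Constructed illustration of the weak design: a key compiled into the binary
# is identical on every installation and readable by any local user.
HARDCODED_KEY = b"example-compiled-in-key-DO-NOT-USE"


def sign_cookie(claims: dict, key: bytes) -> str:
    """Encode the claims and append an HMAC-SHA256 tag computed with `key`."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes):
    """Return the claims if the tag verifies under `key`, otherwise None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def load_or_create_install_key(path: Path) -> bytes:
    """Hardened design: a 256-bit key generated on first start and written
    with mode 0600, so only the service account can read it."""
    if path.exists():
        return path.read_bytes()
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def demo() -> dict:
    """Compare how each design treats an admin cookie minted by a non-admin
    who knows the compiled-in key (the situation the advisory describes)."""
    admin_claims = {"user": "operator", "role": "admin"}
    minted_with_hardcoded = sign_cookie(admin_claims, HARDCODED_KEY)
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "cookie.key"  # assumed location
        key = load_or_create_install_key(key_file)
        legit = sign_cookie(admin_claims, key)
        # flip the last hex digit of the tag to simulate tampering
        tampered = legit[:-1] + ("0" if legit[-1] != "0" else "1")
        return {
            "hardcoded_accepts_minted": verify_cookie(minted_with_hardcoded, HARDCODED_KEY) == admin_claims,
            "install_key_rejects_minted": verify_cookie(minted_with_hardcoded, key) is None,
            "install_key_accepts_legit": verify_cookie(legit, key) == admin_claims,
            "tampered_rejected": verify_cookie(tampered, key) is None,
            "key_reloads_identically": load_or_create_install_key(key_file) == key,
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The first result is the vulnerable outcome: under the compiled-in key the minted cookie is indistinguishable from a legitimate one, so no amount of verification logic on the server helps. Only moving the secret out of the binary and out of reach of non-admin local users closes the gap.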

3.2.2 IMPROPER AUTHENTICATION CWE-287

Improper authorization in FTSSBackupRestore.exe could lead to the loading of malicious configuration archives. FactoryTalk System Services does not verify that backup configuration archives are password protected. This vulnerability could allow a local authenticated non-admin user to craft a malicious backup archive without password protection to be loaded by FactoryTalk System Services as a valid backup when a restore procedure takes place. This vulnerability requires user interaction for successful exploitation.

CVE-2023-2638 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H).

3.2.3 ORIGIN VALIDATION ERROR CWE-346

Origin validation errors could lead to information disclosure. The underlying feedback mechanism of FactoryTalk System Services that transfers the FactoryTalk Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This could allow a threat actor to craft a malicious website that, when visited, would send a malicious script to connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this could allow a threat actor to receive information, including whether FactoryTalk Policy Manager is installed or the entire security policy. User interaction is required for successful vulnerability exploitation.

CVE-2023-2639 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
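As an added example, not part of the advisory and not the product's code, the handshake check below shows the control that is missing in the description above: a local WebSocket endpoint validating the Origin header of the upgrade request against an allow-list of local origins. Browsers attach Origin to every WebSocket handshake, so a script served from a malicious site presents that site's origin and is refused before any events are delivered. The allowed hosts and port are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not taken from the product): legitimate
# client applications are served from the local host on this port.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
ALLOWED_PORTS = {8443}


def is_trusted_origin(origin, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS) -> bool:
    """Accept only an Origin header that names an allow-listed local origin.
    A missing or opaque ("null") origin cannot be attributed to a trusted
    client application, so it is rejected rather than assumed local."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.path not in ("", "/"):
        return False
    # hostname is parsed, not string-matched, so "localhost.attacker.example"
    # and "localhost:8443@attacker.example" both resolve to the wrong host
    if parts.hostname not in allowed_hosts:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return port in allowed_ports


def handshake_response(headers: dict) -> tuple:
    """Decide the outcome of a WebSocket upgrade from the request headers
    (header names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("upgrade", "").lower() != "websocket":
        return (400, "not a websocket upgrade")
    if not is_trusted_origin(lower.get("origin")):
        return (403, "origin not allowed")
    return (101, "switching protocols")


if __name__ == "__main__":
    print(handshake_response({"Upgrade": "websocket", "Origin": "http://localhost:8443"}))
    print(handshake_response({"Upgrade": "websocket", "Origin": "https://attacker.example"}))
```

Origin checking stops the cross-site case described in the advisory; it does not authenticate the client, so an endpoint that carries the whole security policy should additionally require a per-client credential on the handshake.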

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sharon Brizinov of Claroty Research – Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation encourages users to upgrade to the latest version:

Upgrade to v6.30.00 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Sensormatic Electronics Illustra Pro Gen 4

1. EXECUTIVE SUMMARY

CVSS v3 8.3
ATTENTION: Exploitable via adjacent network
Vendor: Sensormatic Electronics, a subsidiary of Johnson Controls, Inc.
Equipment: Illustra Pro Gen 4
Vulnerability: Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to compromise device credentials over a long period of sustained attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sensormatic Electronics Illustra Pro Gen 4 are affected:

Pro Gen 4 Dome: Up to and including Illustra.SS016.05.09.04.0006
Pro Gen 4 PTZ: Up to and including Illustra.SS010.05.09.04.0022

3.2 VULNERABILITY OVERVIEW

3.2.1 ACTIVE DEBUG CODE CWE-489

Sensormatic Electronics Illustra Pro Gen 4 contains a debug feature that is incorrectly set to enabled on newly manufactured cameras. Under some circumstances, over a long period of sustained attack, this could allow compromise of device credentials.

CVE-2023-0954 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Sensormatic Electronics has provided the following mitigations:

Update Illustra Pro Gen 4 Dome to version 6.00.00.
Update Illustra Pro Gen 4 PTZ to version 6.00.00.

The camera can be upgraded via the web GUI using firmware Illustra provides, which can be found on www.illustracameras.com. The firmware can also be upgraded using the Illustra Connect tool (Windows based), Illustra Tools (mobile app), or victor/VideoEdge, which also provides bulk firmware upgrade capability. Refer to the respective application documents for further information.

For additional information, refer to Johnson Controls Product Security Advisory JCI-PSA-2023-02 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Atlas Copco Power Focus 6000

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Atlas Copco
Equipment: Power Focus 6000
Vulnerabilities: Cleartext Storage of Sensitive Information, Small Space of Random Values, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a loss of sensitive information and the takeover of a user’s active session.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Power Focus 6000, a smart connected assembly product, are affected:

Power Focus 6000: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user’s browser, which could allow an attacker with access to the user’s computer to gain credential information of the controller.

CVE-2023-1897 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.2 SMALL SPACE OF RANDOM VALUES CWE-334

Atlas Copco Power Focus 6000 web server uses a small set of session ID numbers. An attacker could enter a session ID number to retrieve data for an active user’s session.

CVE-2023-1898 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
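Two things a defender wants around a finding like CWE-334 are a way to size the identifier space and a way to notice someone walking through it. The Python below is an added example, unrelated to Atlas Copco's code: it contrasts a constructed four-digit session ID generator with one drawn from the OS CSPRNG, and runs a small detector over constructed application log lines that flags clients presenting many distinct unknown session IDs. The log format, the 64-bit minimum and the 20-ID threshold are assumptions of the example.

```python
import math
import random
import re
import secrets
from collections import defaultdict

# The example's own floor for the size of the ID space; an assumption of the
# example, not a figure taken from the advisory.
MIN_SESSION_ID_BITS = 64


def weak_session_id() -> str:
    """Constructed weak generator: four decimal digits, only 10,000 values."""
    return f"{random.randrange(10_000):04d}"


def strong_session_id() -> str:
    """32 bytes from the OS CSPRNG (256 bits), URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def id_space_bits(alphabet_size: int, length: int) -> float:
    """Size of the identifier space, in bits, for a uniformly chosen ID."""
    return length * math.log2(alphabet_size)


def generator_is_adequate(space_bits: float) -> bool:
    return space_bits >= MIN_SESSION_ID_BITS


# Constructed application log format consumed by the detector below.
LOOKUP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) session_lookup sid=(?P<sid>\S+) result=(?P<result>hit|miss)$"
)


def detect_session_enumeration(log_lines, threshold: int = 20) -> dict:
    """Return {client_ip: distinct_rejected_ids} for clients that presented at
    least `threshold` distinct session IDs the server did not recognise.
    A legitimate client rarely presents more than a stale cookie or two."""
    misses = defaultdict(set)
    for line in log_lines:
        m = LOOKUP_RE.match(line)
        if m and m["result"] == "miss":
            misses[m["ip"]].add(m["sid"])
    return {ip: len(sids) for ip, sids in misses.items() if len(sids) >= threshold}


def sample_log() -> list:
    """Constructed sample: one client walking through candidate IDs, one client
    with a single stale cookie followed by a valid one."""
    lines = [
        f"2023-06-01T10:00:{i:02d}Z 10.0.0.5 session_lookup sid={i:04d} result=miss"
        for i in range(30)
    ]
    lines.append("2023-06-01T10:01:00Z 10.0.0.9 session_lookup sid=0417 result=miss")
    lines.append("2023-06-01T10:01:01Z 10.0.0.9 session_lookup sid=0418 result=hit")
    return lines


if __name__ == "__main__":
    print("weak space bits:", round(id_space_bits(10, 4), 2))
    print("strong id:", strong_session_id())
    print("flagged:", detect_session_enumeration(sample_log()))
```

The detector keys on distinct rejected IDs rather than raw request count, so a busy but legitimate client with one expired cookie is not flagged, while a client cycling through candidates is flagged after the threshold regardless of request rate.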

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Atlas Copco Power Focus 6000 web server does not use a secure connection by default, which could allow an attacker to gain sensitive information by monitoring network traffic between the user and the controller.

CVE-2023-1899 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Chen Porian of OTORIO reported these vulnerabilities to CISA.

4. MITIGATIONS

Atlas Copco has not responded to requests to work with CISA on mitigations for the reported vulnerabilities. Users of the affected products are encouraged to contact Atlas Copco.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities have a low attack complexity.

Delta Electronics CNCSoft-B DOPSoft

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-B DOPSoft
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit a buffer overflow condition and remotely execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CNCSoft-B DOPSoft, a human machine interface (HMI), are affected:

CNCSoft-B DOPSoft: versions 1.0.0.4 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics’ CNCSoft-B DOPSoft versions 1.0.0.4 and prior are vulnerable to stack-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2023-25177 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

Delta Electronics’ CNCSoft-B DOPSoft versions 1.0.0.4 and prior are vulnerable to heap-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2023-24014 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson (@NattiSamson), working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics has released CNCSoft-B DOPSoft v4.0.0.82 and recommends users download that version or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool
Vulnerabilities: Weak Password Requirements, Use of Hard-coded Password, Missing Password Field Masking, Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to connect to the module via FTP and bypass authentication to log in.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports these vulnerabilities affect the following MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool:

RJ71EIP91: All versions
SW1DNN-EIPCT-BD: All versions
FX5-ENET/IP: All versions
SW1DNN-EIPCTFX5-BD: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK PASSWORD REQUIREMENTS CWE-521

An authentication bypass vulnerability in the FTP function on the EtherNet/IP module, due to weak password requirements, could allow a remote unauthenticated attacker to access the module via FTP by dictionary attack or password sniffing.

CVE-2023-2060 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

An authentication bypass vulnerability in the FTP function on the EtherNet/IP module could allow a remote unauthenticated attacker to obtain a hard-coded password and access the module via FTP.

CVE-2023-2061 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 MISSING PASSWORD FIELD MASKING CWE-549

The EtherNet/IP configuration tool displays passwords unmasked due to missing password field masking. This results in an authentication bypass vulnerability, which could allow a remote unauthenticated attacker to access the module via FTP.

CVE-2023-2062 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An information disclosure, tampering, deletion, and destruction vulnerability exists in the FTP function on the EtherNet/IP module via file upload/download, due to unrestricted upload of a file with a dangerous type.

CVE-2023-2063 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Iie Karada reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends customers take the following mitigation measures to minimize the risk of a threat actor exploiting these vulnerabilities:

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to prevent untrusted devices from connecting to the LAN to which the affected product connects.
Avoid uploading/downloading files directly using FTP, and use the EtherNet/IP configuration tool. Do not open the downloaded file with anything other than the EtherNet/IP configuration tool.
For FX5-ENET/IP, use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual: “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).

For specific update instructions and additional details, see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

HID Global SAFE

1. EXECUTIVE SUMMARY

CVSS v3 7.3 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: HID Global
Equipment: SAFE
Vulnerabilities: Modification of Assumed-Immutable Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in exposure of personal data or create a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of HID’s SAFE, personnel and access management software, are affected:

HID SAFE using the optional External Visitor Manager portal: Versions 5.8.0 through 5.11.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MODIFICATION OF ASSUMED-IMMUTABLE DATA CWE-471 

The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 is vulnerable to manipulation of web fields in the application programming interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

CVE-2023-2904 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).
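As an added defender-side example (not part of this advisory and not HID's code), the two server-side checks a visitor-portal API handler needs against the class of flaw described above: the visitor-id a client sends is authorized against a server-held binding between the account and the request it was issued for, and each account is rate limited. Names, records and limits are constructed for illustration.

```python
# Added example, not HID's code. Server-side checks for a visitor-record lookup:
# authorization from a server-held binding (never from the client's visitor-id)
# and a per-account request limit. All names and data below are constructed.
import time
from collections import defaultdict, deque

# Constructed sample data: each visitor record carries the request (invitation)
# it was created from; a portal account is bound to exactly one request.
VISITORS = {
    101: {"request_id": "REQ-1", "name": "Visitor One", "phone": "555-0101"},
    102: {"request_id": "REQ-2", "name": "Visitor Two", "phone": "555-0102"},
}
ACCOUNTS = {"acct-a": "REQ-1", "acct-b": "REQ-2"}


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit=30, window=60.0):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def get_visitor(account_id, visitor_id, limiter, now=None):
    """Return the visitor record only if the caller's account owns it.

    Authorization is decided from ACCOUNTS on the server, never from the
    visitor-id the client sends. Unknown and foreign ids get the same generic
    answer so a caller cannot tell which ids exist.
    """
    if not limiter.allow(account_id, now):
        return {"error": "rate limited"}
    request_id = ACCOUNTS.get(account_id)
    record = VISITORS.get(visitor_id)
    if request_id is None or record is None or record["request_id"] != request_id:
        return {"error": "not found"}
    return {"name": record["name"], "phone": record["phone"]}
```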

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Government Facilities, Transportation, Commercial Facilities, Healthcare
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA internal research reported this vulnerability to HID.

4. MITIGATIONS

The External Visitor Management feature is licensed and deployed separately from the HID SAFE core software. Users not using this feature are not affected. According to HID Global, the number of affected systems is limited and all affected systems have been patched.

Please see HID’s security advisory for more information.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Advantech WebAccess/SCADA

1. EXECUTIVE SUMMARY

CVSS v3 7.2 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Advantech
Equipment: WebAccess Node
Vulnerabilities: Improper Control of Generation of Code (‘Code Injection’), Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to arbitrarily overwrite files resulting in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Advantech products are affected:

WebAccess/SCADA versions 9.1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution.

CVE-2023-32540 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.

CVE-2023-22450 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.

CVE-2023-32628 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
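As an added defender-side example covering the three upload weaknesses above (not part of this advisory and not Advantech's code), an upload gate that derives the stored name from a per-purpose extension allow-list and the file's own bytes, so a certificate or spreadsheet upload cannot be turned into a server script by renaming it. Upload kinds, magic values and the sample inputs are constructed for illustration.

```python
# Added example, not Advantech's code. Validates an upload against the purpose it
# was submitted for (certificate or spreadsheet) and returns a server-generated
# name, so the client controls neither the extension nor the path of the stored
# file. Kinds, magic values and samples are constructed for illustration.
import base64
import os
import re
import secrets

ALLOWED = {                       # upload kind -> permitted client extensions
    "certificate": {".pem", ".crt", ".der"},
    "spreadsheet": {".xls"},
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .xls (OLE2) container header
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# Constructed sample: PEM wrapping a tiny DER SEQUENCE, not a real certificate.
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def looks_like_certificate(data: bytes) -> bool:
    """PEM: base64 body that decodes to a DER SEQUENCE; bare DER: leading 0x30."""
    m = PEM_RE.search(data)
    if m:
        body = re.sub(rb"\s+", b"", m.group(1))
        try:
            return base64.b64decode(body, validate=True)[:1] == b"\x30"
        except ValueError:
            return False
    return data[:1] == b"\x30"


def validate_upload(kind: str, client_name: str, data: bytes):
    """Return (ok, stored_name) on success or (False, reason) on rejection."""
    base = os.path.basename(client_name.replace("\\", "/"))   # drop any directory part
    suffixes = [s.lower() for s in base.split(".")[1:]]       # "a.crt.asp" -> ["crt", "asp"]
    if len(suffixes) != 1 or "." + suffixes[0] not in ALLOWED.get(kind, set()):
        return False, "extension not permitted for this upload kind"
    if kind == "certificate" and not looks_like_certificate(data):
        return False, "content is not a certificate"
    if kind == "spreadsheet" and not data.startswith(OLE_MAGIC):
        return False, "content is not an OLE spreadsheet"
    # The server picks the final name: random stem plus the allow-listed extension.
    # Store it in a directory the web server serves without script execution.
    return True, secrets.token_hex(8) + "." + suffixes[0]
```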

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

YangLiu from Elex Feigong Research Institute reported these vulnerabilities to CISA.

4. MITIGATIONS

Advantech recommends WebAccess/SCADA users upgrade to v9.1.4.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.