View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 2.9
ATTENTION: Exploitable locally
Vendor: Mitsubishi Electric Corporation
Equipment: GX Works2
Vulnerability: Denial-of-Service

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a Denial-of-service (DoS) due to improper input validation in the simulation function of GX Works2 by sending specially crafted packets.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

GX Works2: all versions

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

An attacker may be able to cause denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the packets from within the same personal computer where the function is running.

CVE-2023-5274 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

3.2.2 Improper Input Validation CWE-20

An attacker may be able to cause denial-of-service (DoS) condition on the function by sending specially crafted packets. However, the attacker would need to send the packets from within the same personal computer where the function is running.

CVE-2023-5275 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

joker63 of ZheJiangQiAnTechnology reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Install an antivirus software in your personal computer using the affected product.

Use your personal computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.

When connecting your personal computer with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., to prevent unauthorized access, and allow only trusted users to remote login.

Don’t open untrusted files or click untrusted links.

For more information, see the Mitsubishi security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

November 28, 2023: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Franklin Electric Fueling Systems
Equipment: Colibri
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain login credentials for other users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of FFS Colibri, a discontinued fuel inventory monitoring system, are affected:

FFS Colibri: all versions.

3.2 Vulnerability Overview

3.2.1 Path Traversal CWE-35

The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users.

CVE-2023-5885 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Momen Eldawakhly Samurai Digital Security Ltd. reported this vulnerability to CISA.

4. MITIGATIONS

Franklin Electric Fueling Systems determined that the vulnerability only affects the Colibri product which has not been sold since 2020 and does not affect the current EVO product lines. They created a firmware update for Colibri to address the issue. Users can download the update at from the Franklin Electric website. Franklin Electric is working with distributors to make sure all known users are aware that the update is available for installation.

For further information, please contact Franklin Electric Fueling Systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 28, 2023: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: InfraSuite Device Master
Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Exposed Dangerous Method or Function.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code and obtain plaintext credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

InfraSuite Device Master: Versions 1.0.7 and prior

3.2 Vulnerability Overview

3.2.1 PATH TRAVERSAL CWE-35

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution.

CVE-2023-46690 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges.

CVE-2023-47207 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute arbitrary code through a single UDP packet.

CVE-2023-39226 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 PATH TRAVERSAL CWE-35

In Delta Electronics InfraSuite Device Master v.1.0.7, A vulnerability exists that allows an unauthenticated attacker to disclose user information through a single UDP packet, obtain plaintext credentials, or perform NTLM relaying.

CVE-2023-47279 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

hir0ot and Piotr Bazydlo (@chudypb) working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends updating their software to v1.0.10 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 28, 2023: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Fuji Electric
Equipment: Tellus Lite V-Simulator
Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Write, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the device being accessed, allow remote code execution, or overwrite files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Fuji Electric reports that the following versions of Tellus Lite V-Simulator remote monitoring software are affected:

Tellus Lite V-Simulator: versions prior to V4.0.19.0

3.2 Vulnerability Overview

3.2.1 Stack-based Buffer Overflow CWE-121

Stack-based buffer overflow may occur when Fuji Electric Tellus Lite V-Simulator parses a specially-crafted input file.

CVE-2023-35127 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 Out-of-bounds Write CWE-787

When Fuji Electric Tellus Lite V-Simulator parses a specially-crafted input file an out of bounds write may occur.

CVE-2023-40152 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 Improper Access Control CWE-284

A user with a standard account in Fuji Electric Tellus Lite may overwrite files in the system.

CVE-2023-5299 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Fritz Sands and kimiya working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Fuji Electric recommends users update Tellus Lite V-Simulator to version 4.0.19.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

November 21, 2023: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 2.7
ATTENTION: low attack complexity
Vendor: WAGO
Equipment: PFC200 Series
Vulnerability: Externally Controlled Reference to a Resource in Another Sphere

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with administrative privileges to access sensitive files in an unintended, undocumented way.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

WAGO reports the following products are affected:

Compact Controller CC100: Versions later than FW19, up to and including FW26
Edge Controller: Versions later than FW18, up to and including FW26
PFC100: Versions later than FW16, up to and including FW26
PFC200: Versions later than FW16, up to and including FW26
Touch Panel 600 Advanced Line: Versions later than FW16, up to and including FW26
Touch Panel 600 Marine Line: Versions later than FW16, up to and including FW26
Touch Panel 600 Standard Line: Versions later than FW16, up to and including FW26

3.2 Vulnerability Overview

3.2.1 Externally Controlled Reference to a Resource in Another Sphere CWE-610

On affected Wago products a remote attacker with administrative privileges can access files which they already have access to through an undocumented local file inclusion. This access is logged in a different log file than expected.

CVE-2023-4089 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, and Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Floris Hendriks of Radboud University reported this vulnerability to CISA.

4. MITIGATIONS

As general security measures strongly WAGO recommends:

Use general security best practices to protect systems from local and network attacks.
Do not allow direct access to the device from untrusted networks.
Update to the latest firmware (FW27) according to the table in VDE-2023-046.

CERT@VDE has published advisory VDE-2023-046 for this vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 21, 2023: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: OPC UA Modeling Editor (SiOME)
Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to interfere with an application’s processing of XML data and read arbitrary files in the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens OPC UA Modeling Editor (SiOME), are affected:

OPC UA Modelling Editor (SiOME): versions prior to V2.8

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Affected products suffer from a XML external entity (XXE) injection vulnerability. This vulnerability could allow an attacker to interfere with an application’s processing of XML data and read arbitrary files in the system.

CVE-2023-46590 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Siemens OPC UA Modelling Editor (SiOME): Update to V2.8 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-197270 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 16, 2023: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Red Lion
Equipment: Sixnet RTU
Vulnerabilities: Authentication Bypass using an Alternative Path or Channel, Exposed Dangerous Method or Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to execute commands with high privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Red Lion products are affected:

ST-IPm-8460: Firmware 6.0.202 and later
ST-IPm-6350: Firmware version 4.9.114 and later
VT-mIPm-135-D: Firmware version 4.9.114 and later
VT-mIPm-245-D: Firmware version 4.9.114 and later
VT-IPm2m-213-D: Firmware version 4.9.114 and later
VT-IPm2m-113-D: Firmware version 4.9.114 and later

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATIVE PATH OR CHANNEL CWE-288

Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.

CVE-2023-42770 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.

CVE-2023-40151 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Nitsan Litov of Claroty Research – Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

Red Lion recommends users apply the latest patches to their products.

Red Lion recommends users apply additional mitigations to help reduce the risk:

Enable user authentication, see Red Lion instructions.

Blocking all or most Sixnet UDR messages over TCP/IP will eliminate authentication bypass. Sixnet UDR messages over TCP/IP will be ignored.

To block all Sixnet UDR messages over TCP/IP install Patch1_tcp_udr_all_blocked.tar.gz.

ST-IPm-8460 – Install 8313_patch1_tcp_udr_all_blocked.tar.gz
ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch1_tcp_udr_all_blocked.tar.gz

To block all Sixnet UDR messages except I/O commands over TCP/IP and UDP/IP install Patch2_io_open.tar.gz.

ST-IPm-8460 – Install 8313_patch2_io_open.tar.gz
ST-IPm-6350/VT-mIPm-245-D/VT-mIPm-135-D/VT-IPm2m-213-D/VT-IPm2m-113-D – Install 855_patch2_io_open.tar.gz

To Block all Sixnet UDR messages over TCP/IP:

Enable iptables rules to block TCP/IP traffic.
In the Sixnet I/O Tool Kit go to Configuration>Configuration Station/Module>”Ports” tab>Security.
Select the “Load the this file with each station load” radio button to load a custom rc.firewall configuration file. The rules below will allow all other traffic except Sixnet UDR over TCP/IP. Please Note: Two rules that are added in by default were removed because they will block all traffic going into the interface.

Remove these rules from the default rc.firewall file:

iptables -P INPUT DROP (Drops everything coming in)
iptables -P FORWARD DROP (Drops everything in FORWARD chain)

Add one DROP rule which will drop all TCP/IP packet coming on UDR port 1594 by typing the following commands:

insmodip_tables (Initialization)
insmodiptable_filter (Initialization)
insmodip_conntrack (Initialization)
insmodiptable_nat (Initialization)
iptables -F INPUT (Flushes INPUT chain)
iptables -F OUTPUT (Flushes OUTPUT chain)
iptables -F FORWARD (Flushes FORWARD chain)
iptables -Z (Zero counters)
iptables -P OUTPUT ACCEPT (Drops everything coming in, everything in FORWARD chain, and accepts everything going out)
iptables -A INPUT -p tcp –dport 1594 -j DROP (Allows local traffic and blocks all TCP traffic coming from 1594)

For installation instructions see Red Lion’s support page.

For more information, please refer to Red Lion’s security bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 16, 2023: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: Mendix 7, Mendix 8, Mendix 9, Mendix 10
Vulnerability: Authentication Bypass by Capture-Replay

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow authenticated attackers to access or modify objects without proper authorization or escalate privileges in the context of the vulnerable app.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Mendix Applications, are affected:

Mendix Applications using Mendix 7: all versions prior to V7.23.37
Mendix Applications using Mendix 8: all versions prior to V8.18.27
Mendix Applications using Mendix 9: all versions prior to V9.24.10
Mendix Applications using Mendix 10: all versions prior to V10.4.0

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

A capture-replay flaw in the platform could have an impact to apps built with the platform, if certain preconditions are met that depend on the app’s model and access control design. This could allow authenticated attackers to access or modify objects without proper authorization, or escalate privileges in the context of the vulnerable app.

CVE-2023-45794 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Mendix Applications using Mendix 7: Update to V7.23.37 or later version and redeploy your application
Mendix Applications using Mendix 8: Update to V8.18.27 or later version and redeploy your application
Mendix Applications using Mendix 9: Update to V9.24.10 or later version and redeploy your application
Mendix Applications using Mendix 10: Update to V10.4.0 or later version and redeploy your application

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-084182 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

November 16, 2023: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Siemens
Equipment: COMOS
Vulnerabilities: Improper Restriction of XML External Entity Reference, Path Traversal, Out-of-bounds Write, Out-of-bounds Read, Integer Overflow or Wraparound, Use After Free, Heap-based Buffer Overflow, Cleartext Transmission of Sensitive Information, Classic Buffer Overflow, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, data infiltration, or perform access control violations.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

COMOS: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.

CVE-2020-25020 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.

CVE-2020-35460 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

Open Design Alliance Drawings SDK before 2022.12.1 mishandles the loading of JPG files. Unchecked input data from a crafted JPG file leads to memory corruption. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2022-23095 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

Open Design Alliance Drawings SDK (all versions prior to 2023.2) is vulnerable to an out-of-bounds read when rendering DWG files after they are opened in the recovery mode. This could allow an attacker to execute code in the context of the current process.

CVE-2022-28807 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

Open Design Alliance Drawings SDK (all versions prior to 2023.3) is vulnerable to an out-of-bounds read when reading DWG files in a recovery mode. This could allow an attacker to execute code in the context of the current process.

CVE-2022-28808 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 OUT-OF-BOUNDS READ CWE-125

Open Design Alliance Drawings SDK (all versions prior to 2023.3) is vulnerable to an out-of-bounds read when reading a DWG file with invalid vertex number in a recovery mode. This could allow an attacker to execute code in the context of the current process.

CVE-2022-28809 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Integer overflow in PDFium library used in COMOS allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

CVE-2023-0933 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 USE AFTER FREE CWE-416

Use after free in PDFium library used in COMOS allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-1530 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 USE AFTER FREE CWE-416

Use after free in PDFium library used in COMOS allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

CVE-2023-2931 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.10 USE AFTER FREE CWE-416

Use after free in PDFium library used in COMOS allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

CVE-2023-2932 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.11 HEAP-BASED BUFFER OVERFLOW CWE-122

Open Design Alliance Drawings SDK used in affected application is vulnerable to heap-based buffer overflow while parsing specially crafted DWG files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-19104)

CVE-2023-22669 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.12 HEAP-BASED BUFFER OVERFLOW CWE-122

Open Design Alliance Drawings SDK used in affected application is vulnerable to heap-based buffer overflow while parsing specially crafted DXF files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-19382)

CVE-2023-22670 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.13 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Caching system in the affected application leaks sensitive information such as user and project information in cleartext via UDP.

CVE-2023-43503 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.14 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

Ptmcast executable used for testing cache validation service in affected application is vulnerable to Structured Exception Handler (SEH) based buffer overflow. This could allow an attacker to execute arbitrary code on the target system or cause denial of service condition.

CVE-2023-43504 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.15 IMPROPER ACCESS CONTROL CWE-284

The affected application lacks proper access controls in SMB shares. This could allow an attacker to access files that the user should not have access to.

CVE-2023-43505 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.16 IMPROPER ACCESS CONTROL CWE-284

The affected application lacks proper access controls in making the SQLServer connection. This could allow an attacker to query the database directly to access information that the user should not have access to.

CVE-2023-46601 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends updating to the latest version the COMOS product:

Update to V10.4.4 or later version.
For CVE-2023-43503, update the COMOS database to version 25. (See “Data maintenance: Modifying the version” in the user manual. Warning: After the update, the database cannot be used by older COMOS versions).
For CVE-2023-43504, delete ptmcast.exe from bin folder of COMOS installation directory. Installations from COMOS V10.4.4 or later version does not contain ptmcast.exe.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

For CVE-2023-43505 and CVE-2023-46601, use an application server like Citrix which builds an additional layer of access control around COMOS. The file share with the documents folder and the database should be only accessible by the application server. You can find further recommendations in the COMOS manual “Security relevant configuration” in COMOS documentation.
Ensure all files imported into COMOS originate from a trusted source and transmitted are over secure channels.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-137900 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 16, 2023: Initial Publication