
Advantech WebAccess/SCADA

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerabilities: Insufficient Type Distinction

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker full control over the supervisory control and data acquisition (SCADA) server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Advantech reports this vulnerability affects the following WebAccess/SCADA product:

WebAccess/SCADA: version 8.4.5

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT TYPE DISTINCTION CWE-351 

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. 

CVE-2023-2866 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 
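As an added illustration of the CWE-351 weakness described above (this is example code, not code from the advisory or from Advantech): a server-side check that decides what an uploaded archive contains from each member's name and leading bytes, rather than trusting the outer .zip extension. The allow-list, the size limit, the magic-byte table and the two sample archives are constructed for this example.

```python
import io
import posixpath
import zipfile

# Hypothetical policy for this example: the only member types a dashboard
# package is expected to carry. Anything else is rejected, whatever it is named.
ALLOWED_SUFFIXES = {".json", ".xml", ".png", ".css"}

# Server-side executable types that must never be written under a web root.
SCRIPT_SUFFIXES = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".cgi"}

# Leading bytes that a member claiming a given type must actually start with.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n"}

MAX_MEMBER_BYTES = 5 * 1024 * 1024


def validate_archive(data):
    """Return a list of policy violations for the zip bytes; an empty list means the archive is acceptable."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Normalise separators and collapse '..' so path escapes are visible.
            norm = posixpath.normpath(name.replace("\\", "/"))
            first = norm.split("/")[0]
            if name.startswith(("/", "\\")) or norm == ".." or norm.startswith("../") or ":" in first:
                problems.append("%s: path escapes the extraction directory" % name)
                continue
            if info.is_dir():
                continue
            exts = posixpath.basename(norm).lower().split(".")[1:]
            if not exts:
                problems.append("%s: no file extension" % name)
                continue
            # Check every dotted suffix, so 'page.aspx.png' is caught as well as 'page.aspx'.
            if any("." + e in SCRIPT_SUFFIXES for e in exts):
                problems.append("%s: server-executable type not allowed" % name)
                continue
            if "." + exts[-1] not in ALLOWED_SUFFIXES:
                problems.append("%s: type .%s not in allow-list" % (name, exts[-1]))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                problems.append("%s: declared size %d exceeds limit" % (name, info.file_size))
                continue
            expected = MAGIC.get("." + exts[-1])
            if expected is not None:
                with zf.open(info) as fh:
                    head = fh.read(len(expected))
                if head != expected:
                    problems.append("%s: content does not match declared .%s type" % (name, exts[-1]))
    return problems


def _build(members):
    """Build an in-memory zip from (name, bytes) pairs; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives.
GOOD_ARCHIVE = _build([
    ("dashboard/layout.json", b"{}"),
    ("dashboard/logo.png", MAGIC[".png"] + b"\x00" * 16),
])
BAD_ARCHIVE = _build([
    ("dashboard/layout.json", b"{}"),
    ("dashboard/helper.aspx", b"<!-- constructed placeholder -->"),
    ("../outside.json", b"{}"),
    ("dashboard/fake.png", b"not a png"),
])

if __name__ == "__main__":
    print("good:", validate_archive(GOOD_ARCHIVE))
    print("bad:", validate_archive(BAD_ARCHIVE))
```

The check rejects the archive as a whole when any member fails, which is the safe default for an import feature: partial extraction of a package that was crafted to contain a script leaves the operator guessing what did land on disk.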

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems 
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Marlon Luis Petry reported this vulnerability to CISA.

4. MITIGATIONS

Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.

If users wish to remedy this problem in version 8.4.5, they can uninstall “WebAccess Dashboard” from the control panel and then delete all of the following files:

\Inetpub\wwwroot\broadweb\WADashboard

\WebAccess\Node\WADashboardSetup.msi

Advantech released a new version V9.1.4 to address the problem by not including these files.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Moxa MXsecurity Series

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Moxa
Equipment: MXsecurity Series
Vulnerabilities: Command Injection and Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthorized user to bypass authentication or to execute arbitrary commands on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Moxa reports these vulnerabilities affect the following MXsecurity Series:

MXsecurity Series: Software v1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 COMMAND INJECTION CWE-77

A remote attacker, who has gained authorization privileges, could execute arbitrary commands on the device.

CVE-2023-33235 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

An attacker could bypass authentication for web-based application programmable interfaces (APIs).

CVE-2023-33236 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Simon Janz, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Moxa has developed a solution to address these vulnerabilities. Users should upgrade to software v1.0.1 or higher.

Users are encouraged to visit Moxa’s security advisory MPSA-230301 for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x Products

1. EXECUTIVE SUMMARY

CVSS v3 8.1 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: AFS65x, AFS67x, AFR67x and AFF66x series products
Vulnerabilities: Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or lead to a Denial-of-Service (DoS).  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x series products are affected: 

AFS660/665S, AFS660/665C, AFS670v2: Firmware 7.1.05 and earlier 
AFS670/675, AFR67x: Firmware 9.1.07 and earlier 
AFF660/665: Firmware 03.0.02 and earlier 
AFS65x: All versions  

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416 

The libexpat library is incorporated in the AFS, AFR and AFF product family. Versions of libexpat before 2.4.9 have a use-after-free in the doContent function in xmlparse.c. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.  

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.2 USE AFTER FREE CWE-416 

The libexpat library is incorporated in the AFS, AFR and AFF product family. In versions of libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. Successful exploitation of this vulnerability could lead to a denial-of-service condition. 

CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA. 

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:  

AFS660/665S, AFS660/665C, AFS670v2: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming 7.1.08 when available. 
AFS670/675, AFR67x: Apply mitigation strategy as described in General Mitigation Factors Section or update to 9.1.08. 
AFS65x: EoL product – only mitigation available, no remediation expected. Apply mitigation strategy as described in General Mitigation Factors Section. 
AFF660/665: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming release. 

Hitachi Energy also recommends general mitigations: 

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.  
Physically protect process control systems from direct access by unauthorized personnel. 
Ensure process control systems have no direct connections to the internet and are separated from other networks by a firewall system with a minimal number of exposed ports. 
Do not use process control systems for internet surfing, instant messaging, or receiving emails. 
Scan portable computers and removable storage media for malware prior to connection to a control system.  

For more information, see Hitachi Energy’s Security Advisory: 8DBD000149.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities.  

Horner Automation Cscape

1. EXECUTIVE SUMMARY

CVSS v3 7.8 
ATTENTION: Low attack complexity
Vendor: Horner Automation
Equipment: Cscape, Cscape EnvisionRV
Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read, Use After Free, Access of Uninitialized Pointer, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information and to execute arbitrary code. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Horner Automation’s Cscape are affected: 

Cscape: v9.90 SP8 
Cscape EnvisionRV: v4.70 

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-29503 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32281 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in IO_CFG. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32289 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in Cscape!CANPortMigration. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32545 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 OUT-OF-BOUNDS READ CWE-125 

The affected application lacks proper validation of user-supplied data when parsing font files (e.g., FNT). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process. 

CVE-2023-27916 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.6 USE AFTER FREE CWE-416 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a use-after-free vulnerability. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-28653 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.7 ACCESS OF UNINITIALIZED POINTER CWE-824 

The affected product does not properly validate user-supplied data. If a user opens a maliciously formed CSP file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer. 

CVE-2023-31244 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.8 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e374b. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. 

CVE-2023-32203 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.9 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e3c04. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process. 

CVE-2023-32539 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.10 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process. 

CVE-2023-31278 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA. 

4. MITIGATIONS

Horner Automation recommends upgrading the following software: 

Cscape: Update to v9.90 SP9 
Cscape EnvisionRV: Update to v4.80 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.  

Hitachi Energy’s RTU500 Series Product

1. EXECUTIVE SUMMARY

CVSS v3 9.8 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: RTU500 Series
Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s RTU500 Series Product are affected: 

For CVE-2023-0286, CVE-2022-4304  

RTU500 series CMU Firmware: version 12.0.1 through 12.0.15 
RTU500 series CMU Firmware: version 12.2.1 through 12.2.12  
RTU500 series CMU Firmware: version 12.4.1 through 12.4.12  
RTU500 series CMU Firmware: version 12.6.1 through 12.6.9  
RTU500 series CMU Firmware: version 12.7.1 through 12.7.6  
RTU500 series CMU Firmware: version 13.2.1 through 13.2.6  
RTU500 series CMU Firmware: version 13.3.1 through 13.3.3  
RTU500 series CMU Firmware: version 13.4.1 through 13.4.2 

For CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, CVE-2021-3712  

RTU500 series CMU Firmware: version 12.0.1 through 12.0.14 
RTU500 series CMU Firmware: version 12.2.1 through 12.2.11  
RTU500 series CMU Firmware: version 12.4.1 through 12.4.11  
RTU500 series CMU Firmware: version 12.6.1 through 12.6.8  
RTU500 series CMU Firmware: version 12.7.1 through 12.7.5 
RTU500 series CMU Firmware: version 13.2.1 through 13.2.5  
RTU500 series CMU Firmware: version 13.3.1 through 13.3.3  
RTU500 series CMU Firmware: version 13.4.1 through 13.4.1 
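Both Hitachi Energy advisories on this page state affected versions in three shapes: "X and earlier" and "All versions" in the AFS/AFR/AFF section 3.1, and "X through Y" in the RTU500 list just above. Firmware strings such as 03.0.02 also carry leading zeros, so a plain string comparison gets them wrong (it would also rank 10.0.0 below 7.1.05). The following added example, which is neither vendor nor CISA code, parses those statements as written in the advisories and reports whether an AFS-family firmware level is affected and which CVEs from the RTU500 list apply to a given CMU firmware version. The rule tables are transcribed from the two advisories; the inventory lines and the helper names are this example's own.

```python
import re


def parse_version(text):
    """'12.0.15' or '03.0.02' -> (12, 0, 15) / (3, 0, 2): numeric fields compare correctly
    regardless of leading zeros or field width, unlike a lexical string compare."""
    return tuple(int(p) for p in text.strip().rstrip(".").split("."))


def rule_matches(rule, version):
    """True if `version` falls inside an affected-version statement written the way the
    advisories above write them: 'All versions', '<X> and earlier', or '<X> through <Y>'."""
    v = parse_version(version)
    if re.search(r"\ball versions\b", rule, re.I):
        return True
    m = re.search(r"(\d+(?:\.\d+)*)\s+and earlier", rule, re.I)
    if m:
        return v <= parse_version(m.group(1))
    m = re.search(r"(\d+(?:\.\d+)*)\s+through\s+(\d+(?:\.\d+)*)", rule, re.I)
    if m:
        return parse_version(m.group(1)) <= v <= parse_version(m.group(2))
    raise ValueError("unrecognised affected-version statement: %r" % rule)


# Transcribed from section 3.1 of the AFS65x/AFS67x/AFR67x/AFF66x advisory.
AFS_RULES = {
    "AFS660/665S, AFS660/665C, AFS670v2": "Firmware 7.1.05 and earlier",
    "AFS670/675, AFR67x": "Firmware 9.1.07 and earlier",
    "AFF660/665": "Firmware 03.0.02 and earlier",
    "AFS65x": "All versions",
}

# Transcribed from section 3.1 of the RTU500 advisory: CVE group -> CMU firmware ranges.
RTU500_RULES = {
    ("CVE-2023-0286", "CVE-2022-4304"): [
        "version 12.0.1 through 12.0.15", "version 12.2.1 through 12.2.12",
        "version 12.4.1 through 12.4.12", "version 12.6.1 through 12.6.9",
        "version 12.7.1 through 12.7.6", "version 13.2.1 through 13.2.6",
        "version 13.3.1 through 13.3.3", "version 13.4.1 through 13.4.2",
    ],
    ("CVE-2022-23937", "CVE-2022-0778", "CVE-2021-3711", "CVE-2021-3712"): [
        "version 12.0.1 through 12.0.14", "version 12.2.1 through 12.2.11",
        "version 12.4.1 through 12.4.11", "version 12.6.1 through 12.6.8",
        "version 12.7.1 through 12.7.5", "version 13.2.1 through 13.2.5",
        "version 13.3.1 through 13.3.3", "version 13.4.1 through 13.4.1",
    ],
}


def afs_affected(product, firmware):
    """Is this AFS/AFR/AFF product at this firmware level inside the advisory's affected set?"""
    return rule_matches(AFS_RULES[product], firmware)


def rtu500_exposed_cves(cmu_firmware):
    """Sorted list of CVEs from the RTU500 advisory whose affected ranges contain `cmu_firmware`."""
    hits = set()
    for cves, rules in RTU500_RULES.items():
        if any(rule_matches(r, cmu_firmware) for r in rules):
            hits.update(cves)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inventory lines: (asset name, product family, firmware version).
    inventory = [
        ("rtu-substation-7", "RTU500 CMU", "12.0.15"),
        ("rtu-substation-9", "RTU500 CMU", "13.4.3"),
        ("sw-bay-3", "AFF660/665", "3.0.1"),
        ("sw-bay-4", "AFS65x", "2.0.0"),
    ]
    for asset, family, fw in inventory:
        if family == "RTU500 CMU":
            print(asset, fw, rtu500_exposed_cves(fw) or "not affected")
        else:
            print(asset, fw, "affected" if afs_affected(family, fw) else "not affected")
```

Note that a firmware one patch level above the last listed range (13.4.3 here) reports no CVEs only because the advisory's ranges stop there; it says nothing about whether that release actually contains the fix, which is the vendor's statement to make.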

3.2 VULNERABILITY OVERVIEW

3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843 

There is a type-confusion vulnerability affecting X.400 address processing within an X.509 GeneralName. This vulnerability could allow an attacker to pass arbitrary pointers to a memcmp call, enabling access to read memory contents or cause a denial-of-service condition. X.400 addresses are parsed as an ASN1_STRING, while the public structure definition for GENERAL_NAME incorrectly specifies the x400Address field type as ASN1_TYPE.  

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H). 

3.2.2 OBSERVABLE TIMING DISCREPANCY CWE-208 

A timing-based side channel exists in the OpenSSL RSA decryption implementation. An attacker with sufficient access could exploit it across a network to recover plaintext by means of a Bleichenbacher-style attack. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.  

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.3 OUT-OF-BOUNDS READ CWE-125 

A vulnerability exists in Wind River VxWorks version 6.9 affecting the RTU500 series product versions listed. An attacker could exploit the vulnerability by sending a specially crafted packet that leads to an out-of-bounds read during an IKE initial exchange.  

CVE-2022-23937 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835 

A vulnerability exists in OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that causes it to loop forever for non-prime moduli; an attacker can trigger this condition.  

CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120 

A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. An attacker with access to applications and the capability to present SM2 content for decryption could cause a buffer overflow up to a maximum of 62 bytes while altering contents of data present after the buffer. This vulnerability could allow an attacker to change application behavior or cause the application to crash. 

CVE-2021-3711 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.6 OUT-OF-BOUNDS READ CWE-125 

A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. A malicious actor could cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions. Exploiting this vulnerability could create a system crash causing a denial-of-service condition or a disclosure of private memory contents, such as private keys or sensitive plaintext.  

CVE-2021-3712 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA. 

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:  

Until the updates are made available, follow the General Mitigation Factors/Workarounds. 

Hitachi Energy recommends the following general mitigation factors/workarounds: 

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network, including the following: 
Physically protect process control systems from direct access by unauthorized personnel. 
Do not allow process control systems direct connections to the internet. 
Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.  
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.  
Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. 

For more information, see Hitachi Energy’s Security Advisories: 

8DBD000150  
8DBD000153 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. 

Mitsubishi Electric MELSEC Series CPU module

1. EXECUTIVE SUMMARY

CVSS v3 10.0 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric Corporation
Equipment: MELSEC Series CPU module
Vulnerabilities: Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets. The attacker needs to understand the internal structure of products to execute malicious code. Therefore, it is difficult to execute malicious code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU module:  

MELSEC iQ-F Series FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Serial number 17X**** or later, version 1.220 and later 
MELSEC iQ-F Series FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS: Serial number 17X**** or later, version 1.220 and later 
MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: version 1.220 and later 

3.2 VULNERABILITY OVERVIEW

3.2.1 CLASSIC BUFFER OVERFLOW CWE-120 

A vulnerability, due to copying buffers without checking size of input, exists in affected MELSEC Series CPU modules. Exploitation may allow a denial-of-service condition and malicious code execution. 

CVE-2023-1424 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Matt Wiseman of Cisco Talos reported this vulnerability to Mitsubishi Electric. 

4. MITIGATIONS

Mitsubishi Electric has created firmware version 1.290 to address this issue and encourages users to update. The following should be referred to when updating: “5 FIRMWARE UPDATE FUNCTION” in the MELSEC iQ-F FX5 User’s Manual (Application). 

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability: 

Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when internet access is required. 
Use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts. 
Use IP filter function to block access from untrusted hosts. 
For details regarding the IP filter function, users can refer to “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication). 
Restrict physical access to the LAN to which affected products are connected. 

For specific update instructions and additional details, see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity. 

Rockwell Automation FactoryTalk Diagnostics (Update B)

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Rockwell Automation
Equipment: FactoryTalk Diagnostics
Vulnerabilities: Deserialization of Untrusted Data

2. UPDATE OR REPOSTED INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-20-051-02-Rockwell Automation FactoryTalk Diagnostics (Update A) that was published February 20, 2020, on the ICS webpage at cisa.gov/ICS.

3. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of FactoryTalk Diagnostic software, a subsystem of the FactoryTalk Service Platform, are affected:

FactoryTalk Diagnostics software: Versions 2.00 to 6.11

4.2 VULNERABILITY OVERVIEW

4.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe on TCP port 8082, which can insecurely deserialize untrusted data.

CVE-2020-6967 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

4.4 RESEARCHER

Trend Micro’s Zero Day Initiative, working with rgod of 9sg, reported this vulnerability to CISA.

5. MITIGATIONS

Rockwell Automation will fully resolve this vulnerability in the next release of the FactoryTalk Service Platform.

Rockwell Automation recommends affected users implement the following compensating controls, based on their needs:

Upgrade to version 6.20 or later for versions that predate version 6.20; this version restricts connection settings to only the local port.

——— Begin Update B Part 1 of 1 ——— 

For FactoryTalk Services Platform version 6.31: Enable Microsoft Windows Communication Foundation (WCF), which avoids the vulnerability.
For FactoryTalk Services Platform version 6.31: Enable .NET Remoting (system default) with connections restricted to a local port, which mitigates the vulnerability.

——— End Update B Part 1 of 1 ——— 

Install the patch BF24822 to restrict connection settings to only the local port for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11.
Upgrade to a more recent version for versions that predate version 2.74.
Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
Use Windows Firewall Configuration to help prevent remote connection to the affected port if the Remote Diagnostics Service is in use.
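As an added example of the last two compensating controls above (this is not Rockwell Automation's or CISA's code), the following PowerShell checks which address the TCP/8082 listener is bound to and, if it is reachable from other hosts, adds a Windows Firewall rule that blocks inbound remote connections to it. The port and process name come from the advisory; the firewall rule name is an assumption made for this script.

```powershell
# Added example, not vendor code. Run as Administrator on the FactoryTalk host.
# Port and process name are from the advisory; the rule name is assumed here.
$Port     = 8082
$RuleName = 'Block remote FactoryTalk Diagnostics (TCP 8082)'

# 1. List every socket listening on the port and the process that owns it,
#    so the check confirms it is RNADiagnosticsSrv.exe and not something else.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP/$Port; the Remote Diagnostics Service may already be disabled."
    return
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ('{0}:{1} owned by {2} (PID {3})' -f $l.LocalAddress, $l.LocalPort,
                  $proc.ProcessName, $l.OwningProcess)
}

# 2. A listener bound to 0.0.0.0 or :: accepts connections from any interface;
#    that is the exposure the "local port only" mitigations above remove.
$exposed = $listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }
if (-not $exposed) {
    Write-Output 'Listener is bound to a local address only; no firewall change needed.'
    return
}

# 3. Block inbound TCP/8082 from remote hosts. Windows Firewall does not filter
#    loopback traffic, so local FactoryTalk clients on the same host keep working.
#    The rule is only created once so the script can be re-run safely.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress Any -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule '$RuleName' blocking remote access to TCP/$Port."
} else {
    Write-Output "Firewall rule '$RuleName' is already present."
}
```

If the Remote Diagnostics Service is not needed at all, disabling it (the third control above) removes the listener entirely and makes the firewall rule unnecessary.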

For more information, please see Rockwell Automation’s security advisory (login required).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required. Recognize that VPNs may have vulnerabilities and should be updated to the most current version available; VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Hitachi Energy’s MicroSCADA Pro/X SYS600 Products

1. EXECUTIVE SUMMARY

CVSS v3 6.7 
ATTENTION: Public exploits are available
Vendor: Hitachi Energy
Equipment: MicroSCADA Pro/X SYS600 Products
Vulnerabilities: Permissions, Privileges, and Access Controls

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s MicroSCADA Pro/X SYS600 products are affected:

SYS600: 9.4 FP2 Hotfix 5 and earlier
SYS600: 10.1.1 and earlier

3.2 VULNERABILITY OVERVIEW

3.2.1 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264  

The ActiveBar ActiveX control distributed in ActBar.ocx 1.0.3.8 in the SYS600 product does not properly restrict the SetLayoutData method, which could allow attackers to execute arbitrary code via a crafted data argument.

CVE-2011-1207 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:

SYS600 9.x: upgrade to at least SYS600 version 10.2 or apply general mitigation factors.
SYS600 10.x: update to at least SYS600 version 10.2 or apply general mitigation factors.

Hitachi Energy recommends general mitigation factors and workarounds:

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.
Keep process control systems physically protected from direct access by unauthorized personnel.
Ensure process control systems have no direct connections to the internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and other practices that must be evaluated case by case.
Avoid using process control systems for internet surfing, instant messaging, or receiving emails.
Carefully scan portable computers and removable storage media for malware before connection to a control system.
Ensure proper password policies and processes are followed.

Hitachi Energy recommends following its cybersecurity deployment guideline, 1MRK511518 MicroSCADA X Cyber Security Deployment Guideline.

For more information, see Hitachi Energy cybersecurity advisory 8DBD000142.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Carlo Gavazzi Powersoft

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Carlo Gavazzi
Equipment: Powersoft
Vulnerabilities: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access and retrieve any file from the server. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Carlo Gavazzi Powersoft, energy management software, are affected:

Powersoft: Versions 2.1.1.1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Carlo Gavazzi Powersoft versions 2.1.1.1 and prior have a directory traversal vulnerability that can allow an attacker to access and retrieve any file through specially crafted GET requests to the server.

CVE-2017-20184 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

CISA discovered a public proof-of-concept authored by James Fitts.

4. MITIGATIONS

Carlo Gavazzi will not issue a fix as this product is end-of-life.

Users should contact Carlo Gavazzi for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Johnson Controls OpenBlue Enterprise Manager Data Collector

1. EXECUTIVE SUMMARY

CVSS v3 10.0 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls Inc.
Equipment: OpenBlue Enterprise Manager Data Collector
Vulnerabilities: Improper Authentication, Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector, which do not require authentication and may expose sensitive information to an unauthorized user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Johnson Controls products are affected: 

OpenBlue Enterprise Manager Data Collector: Firmware versions prior to 3.2.5.75

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector do not require authentication.

CVE-2023-2024 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector may expose sensitive information to an unauthorized user.

CVE-2023-2025 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Rushank Shetty, Security Researcher at Northwestern Mutual, reported this vulnerability to Johnson Controls, Inc.; Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends updating OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75. Users must contact Johnson Controls to obtain the update.

For more information, refer to Johnson Controls Product Security Advisory JCI-PSA-2023-04 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.