Posts Page - CloudCentric

Mitsubishi Electric MELSEC WS Series

Written by on May 18, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: WS0-GETH00200
Vulnerabilities: Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module or, if certain conditions are met, either disclose or tamper with the module’s configuration, or rewrite the firmware.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC WS Series, an ethernet interface module, are affected:

WS0-GETH00200: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 ACTIVE DEBUG CODE CWE-489

In the affected products, the hidden telnet function is enabled by default when shipped from the factory. An authentication bypass vulnerability could allow a remote unauthenticated attacker to log into the affected module by connecting to it via telnet.

CVE-2023-1618 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has released the following mitigations/workarounds:

Set password for telnet sessions that are difficult for third parties to guess. The password can be up to 15 characters long. Note that “[space]” in the input string represents a single-byte space. Users can change the password for the telnet session of the affected product by using the telnet client and performing:
Password setting:
Enter “telnet[space]” followed by the IP address of the affected product and press the Enter key.
When “Password” is displayed, press the Enter key without entering anything.
When “telnet>” is displayed, enter “password[space]” followed by the desired password string and press the Enter key.
Enter “quit” and press the Enter key.

Confirm the password is set:
After the Password setting process, enter “telnet[space]” followed by the IP address of the affected product and press the Enter key.
When “Password” is displayed, enter the password string set in the Password setting process and press the Enter key.
If “telnet>” is displayed, the password is set correctly.
Enter “quit” and press the Enter key.

Alternatively, Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
Restrict physical access to prevent untrusted devices from connecting to the LAN.

For more information, see Mitsubishi Electric’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Snap One OvrC Cloud

Written by on May 16, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Snap One
Equipment: OvrC Cloud, OvrC Pro Devices
Vulnerabilities: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Snap One component is affected:

OvrC Pro version 7.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate if the found devices are already managed by another user.

CVE-2023-28649 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.2 OBSERVABLE RESPONSE DISCREPANCY CWE-204

When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information.

CVE-2023-28412 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright.

CVE-2023-31241 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation.

CVE-2023-31193 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of complete PKI system firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution.

CVE-2023-28386 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

3.2.6 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using a HTTP connection. Attackers could impersonate a device and supply malicious information about the device’s web server interface. By supplying malicious parameters, an attacker could redirect the user to arbitrary and dangerous locations on the web.

CVE-2023-31245 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

3.2.7 USE OF HARD-CODED CREDENTIALS CWE-798

Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account =accessible through hard-coded credentials.

CVE-2023-31240 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).

3.2.8 HIDDEN FUNCTIONALITY CWE-912

In Snap One OvrC Pro versions prior to 7.2, when logged into the superuser account, a new functionality appears that could allow users to execute arbitrary commands on the hub device.

CVE-2023-25183 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Uri Katz of Claroty reported these vulnerabilities to CISA.

4. MITIGATIONS

Snap One has released the following updates/fixes for the affected products:

OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.
OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.
Disable UPnP.

For more information, see Snap One’s Release Notes.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

No known public exploits specifically target these vulnerabilities.

Rockwell Automation FactoryTalk Vantagepoint

Written by on May 16, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.1
ATTENTION: Exploitable remotely
Vendor: Rockwell Automation
Equipment: FactoryTalk Vantagepoint
Vulnerabilities: Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to impersonate an existing user or execute a cross site request forgery (CSRF) attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation FactoryTalk Vantagepoint are affected:

FactoryTalk Vantagepoint: All versions prior to 8.40

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The affected product is vulnerable to a CSRF attack, which could allow an attacker to impersonate a legitimate user.

CVE-2023-2444 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to V8.40 or later.

Users of the affected software are also encouraged to implement Rockwell Automation’s suggested Security Best Practices to minimize risk associated with the vulnerability and provide training about social engineering attacks, such as phishing.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.

Rockwell ArmorStart

Written by on May 16, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell
Equipment: ArmorStart
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a malicious user to view and modify sensitive data or make the web page unavailable.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell ArmorStart are affected:

ArmorStart ST281E: Version 2.004.06 and later
ArmorStart ST284E: All versions
ArmorStart ST280E: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-29031 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29030 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29023 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29024 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29025 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29026 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29027 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29028 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29029 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-29022 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users take the following measures to mitigate the risk of these vulnerabilities:

Disable the webserver during normal use. The webserver is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled.
For information on how to mitigate security risks on industrial automation control systems (IACS) networks see the following publications:
System Security Design Guidelines Reference Manual publication, SECURE-RM001
Configure System Security Features User Manual, SECURE-UM001

Additionally, Rockwell Automation encourages customers to implement their suggested security best practices to minimize the risk of the vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation these vulnerabilities. Specifically, users should:

Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities.

Rockwell Automation ThinManager

Written by on May 11, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager
Vulnerabilities: Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to decrypt traffic sent between the client and server application programming interface (API), resulting in unauthorized access to information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ThinManager, a software management platform, are affected:

ThinManager: Versions 13.0 to 13.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

The affected product allows the use of medium-strength ciphers. If the client requests an insecure cipher, then a malicious actor could decrypt traffic sent between the client and server API.

CVE-2023-2443 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Users of the affected software are encouraged to apply risk mitigations when possible and implement Rockwell Automation’s suggested security best practices to minimize risk of vulnerability exploitation.

Upgrade to v13.0.2.
Do not use 3DES encryption algorithm.
Reference Recommended Security Guidelines from Rockwell Automation.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Rockwell Automation PanelView 800

Written by on May 11, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: PanelView 800
Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PanelView 800, a graphics terminal, are affected:

PanelView 800-2711R-T4T: Version 5.011 to 8.011
PanelView 800-2711R-T7T: Version 5.011 to 8.011
PanelView 800-2711R-T10T: Version 5.011 to 8.011

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default.

CVE-2020-36177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF BOUNDS READ CWE-125

The affected product is vulnerable to an out-of-bounds read, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default.

CVE-2019-16748 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Telecommunications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Users of the affected software are encouraged to apply the following risk mitigations, if possible:

Upgrade to V8.011, which has been patched to mitigate these issues.
Ensure the email feature is disabled (it is disabled by default).
For information on mitigating security risks on industrial automation control systems (IACS) networks, see the following:
System Security Design Guidelines Reference Manual publication, SECURE-RM001
Configure System Security Features User Manual, SECURE-UM001

Rockwell Automation encourages users to implement their suggested security best practices to minimize risk of vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Siemens SCALANCE LPE9403

Written by on May 11, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE LPE9403
Vulnerabilities: Command Injection, Creation of Temporary File with Insecure Permissions, Path Traversal, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation these vulnerabilities could allow an attacker to gain access to the device as root or create a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to 2.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as root.

CVE-2023-27407 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 CREATION OF TEMPORARY FILE WITH INSECURE PERMISSIONS CWE-378

The `i2c` mutex file is created with the permissions bits of `-rw-rw-rw-.` This file is used as a mutex for multiple applications interacting with i2c. This could allow an authenticated attacker with access to the secure shell (SSH) interface on the affected device to interfere with the integrity of the mutex and the data it protects.

CVE-2023-27408 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A path traversal vulnerability was found in the `deviceinfo` binary via the `mac` parameter. This could allow an authenticated attacker with access to the SSH interface on the affected device to read the contents of any file named `address.`

CVE-2023-27409 has been assigned to this vulnerability. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based buffer overflow vulnerability was found in the `edgebox_web_app` binary. The binary will crash if supplied with a backup password longer than 255 characters. This could allow an authenticated privileged attacker to cause a denial-of-service condition.

CVE-2023-27410 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:

SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Update to V2.1 or later version.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and following the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens Industrial Security webpage.

For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-325383 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities.

Rockwell Automation Kinetix 5500

Written by on May 11, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Kinetix 5500 EtherNet/IP Servo Drive
Vulnerabilities: Improper Access Control

2. RISK EVALUATION

Successful exploitation of this vulnerability could create a denial-of-service condition or allow attackers unauthorized access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Kinetix 5500 EtherNet/IP Servo Drive, an industrial control router, are affected:

Kinetix 5500 devices manufactured between May 2022 and January 2023: Version 7.13

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER ACCESS CONTROL CWE-284

Rockwell Automation Kinetix 5500 devices manufactured between May 2022 and January 2023 running Version 7.13 have telnet and file transfer protocol (FTP) ports open by default. This could allow an attacker access to the device.

CVE-2023-1834 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Chemical, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users upgrade the firmware of their affected devices to version 7.14 or later.

Rockwell Automation recommends users follow their security best practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

SDG PnPSCADA

Written by on May 11, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SDG Technologies
Equipment: PnPSCADA
Vulnerabilities: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to interact with the database and retrieve critical data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SDG PnPSCADA products are affected:

PnPSCADA (cross platforms): v2.*

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

The PnPSCADA system, a product of SDG Technologies CC, is afflicted by a critical unauthenticated error-based PostgreSQL Injection vulnerability. Present within the hitlogcsv.jsp endpoint, this security flaw permits unauthenticated attackers to engage with the underlying database seamlessly and passively. Consequently, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT data, alongside other sensitive records like SMS and SMS Logs. The unauthorized database access exposes compromised systems to potential manipulation or breach of essential infrastructure data, highlighting the severity of this vulnerability.

CVE-2023-1934 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Africa

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS

SDG PnpSCADA is aware of the issue and is currently developing a fix. For more information, contact PnpSCADA by email.

The following workarounds are recommended to help reduce the risk:

Use prepared statements to help prevent SQL injections.
Avoid making assets publicly accessible.
Restrict public access: As a primary mitigation, it is crucial for all PnPSCADA users to avoid exposing their SCADA systems to the internet. By implementing proper network segmentation and isolating the SCADA system from public networks, users can significantly reduce the risk of unauthorized access and exploitation.
Implement strong access controls: Ensure that proper authentication and authorization mechanisms are in place to limit access to sensitive components of the SCADA system. This includes implementing role-based access control and regular audits of user privileges.
Monitor and log activity: Continuously monitor and log all activities within the SCADA environment. This helps with detecting any potential unauthorized access or attempts to exploit the vulnerability, enabling timely response and mitigation.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Teltonika Remote Management System and RUT Model Routers

Written by on May 11, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Teltonika
Equipment: Remote Management System and RUT model routers
Vulnerabilities: Observable Response Discrepancy, Improper Authentication, Server-Side Request Forgery, Cross-site Scripting, Inclusion of Web Functionality from an Untrusted Source, External Control of System of Configuration Setting, OS Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Teltonika products are affected:

Remote Management System (RMS): Versions prior to 4.10.0 (affected by CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2587, CVE-2023-2588)
Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2586)
RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349)
RUT model routers: Version 00.07.00 through 00.07.03 (affected by CVE-2023-32350)

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE RESPONSE DISCREPANCY CWE-204

Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.

CVE-2023-32346 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.2 IMPROPER AUTHENTICATION CWE-287

Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices.

CVE-2023-32347 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.

CVE-2023-32348 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).

3.2.4 IMPROPER AUTHENTICATION CWE-287

Teltonika’s Remote Management System versions 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the “RMS management feature” enabled by default, then an attacker could register that device to themselves. This could enable the attacker to perform different operations on the user’s devices, including remote code execution with ‘root’ privileges (using the ‘Task Manager’ feature on RMS).

CVE-2023-2586 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices.

CVE-2023-2587 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 INCLUSION OF WEB FUNCTIONALITY FROM AN UNTRUSTED SOURCE CWE-830

Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System cloud subdomain. This URL could be shared with others without Remote Management System authentication . An attacker could exploit this vulnerability to create a malicious webpage that uses a trusted and certified domain. An attacker could initiate a reverse shell when a victim connects to the malicious webpage, achieving remote code execution on the victim device.

CVE-2023-2588 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

Versions 00.07.00 through 00.07.03.4 of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. However, variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution.

CVE-2023-32349 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.

CVE-2023-32350 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater, Energy, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Lithuania

3.4 RESEARCHER

Roni Gavrilov of Otorio and Claroty Team82 reported these vulnerabilities to Teltonika and CISA.

4. MITIGATIONS

Teltonika recommends users update their devices to the latest versions.

RMS services have already been updated to versions, which fix these vulnerabilities.
Users can download the latest version of their respective RUT routers by navigating to the appropriate device on Teltonika’s website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities.