
Siemens in OPC Foundation Local Discovery Server

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity  
Vendor: Siemens  
Equipment: OPC Foundation Local Discovery Server 
Vulnerability: Improper Input Validation 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to create a malicious file loaded by OPC Foundation Local Discovery Server (running as a high-privilege user). 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

OpenPCS 7 V9.1: All versions  
SIMATIC NET PC Software V14: All versions 
SIMATIC NET PC Software V15: All versions 
SIMATIC NET PC Software V16: All versions 
SIMATIC NET PC Software V17: All versions 
SIMATIC NET PC Software V18: All versions 
SIMATIC Process Historian OPC UA Server: All versions 
SIMATIC WinCC: All versions prior to V8.0 
SIMATIC WinCC Runtime Professional: All versions 
SIMATIC WinCC Unified PC Runtime: All versions prior to V18.0 UPD 1 SR 1 
TeleControl Server Basic V3: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20 

OPC Foundation Local Discovery Server (LDS) in affected products uses a hard-coded file path to a configuration file. This could allow a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user). 

CVE-2022-44725 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 
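The defensive check for this class of issue is to verify that nothing in the chain of directories leading to a configuration file loaded by a privileged service is writable by ordinary users, since a writable parent lets a user replace the file (or pre-create it when it is missing) even if the file itself is read-only. The audit below is an added example written for this summary, not code from Siemens, the OPC Foundation or CISA; it assumes POSIX permission semantics and uses a constructed temporary layout because the page does not give the actual LDS configuration path.

```python
import os
import stat
import tempfile

# Illustrative audit written for this advisory summary; it is not code from
# Siemens or the OPC Foundation. It assumes POSIX permission semantics and
# uses a constructed temporary directory in place of the real LDS
# configuration path, which this page does not give.


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set (the owner is assumed trusted)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_config_path(path: str, trusted_uids=(0,)) -> list:
    """Return (component, finding) pairs for a config file a privileged service loads.

    Every component from the root down matters: a user who can write a parent
    directory can replace the file, or pre-create it if it does not exist yet,
    even when the file itself is read-only.
    """
    findings = []
    chain = []
    current = os.path.abspath(path)
    while True:  # collect the file and all of its ancestors
        chain.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    for component in reversed(chain):  # root first
        try:
            st = os.lstat(component)
        except FileNotFoundError:
            findings.append((component, "missing: can be pre-created if the parent is writable"))
            break
        if stat.S_ISLNK(st.st_mode):
            findings.append((component, "symlink: the link target can be redirected"))
        if st.st_uid not in trusted_uids:
            findings.append((component, "owned by uid %d, which is not trusted" % st.st_uid))
        if writable_by_others(st.st_mode):
            findings.append((component, "group/world writable (mode %o)" % stat.S_IMODE(st.st_mode)))
    return findings


def build_demo_layout(dir_mode: int):
    """Create a constructed <tmp>/conf/server.conf layout with the given directory mode."""
    base = tempfile.mkdtemp(prefix="lds-audit-demo-")
    cfg_dir = os.path.join(base, "conf")
    os.mkdir(cfg_dir)
    os.chmod(cfg_dir, dir_mode)
    cfg_file = os.path.join(cfg_dir, "server.conf")
    with open(cfg_file, "w") as fh:
        fh.write("# constructed sample configuration\n")
    os.chmod(cfg_file, 0o644)
    return cfg_dir, cfg_file


def demo_findings(dir_mode: int):
    """Audit the constructed layout, trusting root and the current user as owners."""
    cfg_dir, cfg_file = build_demo_layout(dir_mode)
    return cfg_dir, audit_config_path(cfg_file, trusted_uids=(0, os.getuid()))


if __name__ == "__main__":
    for mode in (0o777, 0o755):
        cfg_dir, findings = demo_findings(mode)
        print("conf dir mode %o:" % mode)
        for component, finding in findings:
            print("  %s: %s" % (component, finding))
```

On a real system, point audit_config_path at the path the service actually opens and treat a finding on a parent directory as seriously as one on the file itself; on Windows the equivalent check is an ACL review of the same chain of directories.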

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Siemens OpenPCS 7 V9.1: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V14: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V15: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V16: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V17: Currently, no fix is available. 
Siemens SIMATIC NET PC Software V18: Currently, no fix is available. 
Siemens SIMATIC Process Historian OPC UA Server: All versions. 
Siemens SIMATIC WinCC Runtime Professional: Currently, no fix is available. 
Siemens TeleControl Server Basic V3: Currently, no fix is available. 
Siemens SIMATIC WinCC: Update to V8.0 or later version. 
Siemens SIMATIC WinCC Unified PC Runtime: Update to V18.0 UPD 1 SR 1 or later version. 

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk: 

Update the underlying OPC Foundation Unified Architecture Local Discovery Server (UA-LDS) to V1.04.405 or later if possible. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals. 

Additional information on Industrial Security by Siemens can be found here.

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-691715 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.  

Siemens Path Traversal TIA Portal

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity 
Vendor: Siemens 
Equipment: TIA Portal 
Vulnerability: Improper Input Validation 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

TIA Portal V15: All versions 
TIA Portal V16: All versions 
TIA Portal V17: All versions 
TIA Portal V18: All versions prior to V18 Update 1 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20 

Affected products contain a path traversal vulnerability that could allow the creation or overwriting of arbitrary files in the engineering system. If the user is tricked into opening a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution. 

CVE-2023-26293 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Siemens has released an update for TIA Portal V18 and recommends updating to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available: 

TIA Portal V18: Update to V18 Update 1 or later version.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Avoid opening untrusted project files or PC system configuration files. 

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at the Siemens Industrial Security web page.

For further inquiries on security vulnerabilities in Siemens’ products and solutions, users should contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-116924 in HTML and CSAF.  

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target this vulnerability. 

Siemens JT Open and JT Utilities

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity 
Vendor: Siemens  
Equipment: JT Open and JT Utilities 
Vulnerability: Out-of-bounds Read 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens software is affected: 

JT Open: All versions prior to V11.3.2.0 
JT Utilities: All versions prior to V13.3.0.0 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125 

The affected applications contain an out-of-bounds read vulnerability past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. 

CVE-2023-29053 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Do not open untrusted files using JT Open Toolkit or JT Utilities. 
JT Utilities: Update to V13.3.0.0 or a later version. 
JT Open: Update to V11.3.2.0 or a later version. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals. 

Additional information regarding Siemens Industrial Security can be found here.

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-642810 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

Siemens Adaptec maxView Application

1. EXECUTIVE SUMMARY

CVSS v3 6.2
ATTENTION: Low attack complexity  
Vendor: Siemens
Equipment: Adaptec maxView Application
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to decrypt intercepted local traffic between the browser and the application. A local attacker could perform a machine-in-the-middle attack to modify data in transit. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SIMATIC IPC1047: All versions  
SIMATIC IPC1047E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 
SIMATIC IPC647D: All versions 
SIMATIC IPC647E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 
SIMATIC IPC847D: All versions 
SIMATIC IPC847E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 

The Adaptec maxView application uses a non-unique TLS certificate across installations to protect communication from the local browser to the local application on affected Siemens devices. A local attacker could use this key to decrypt intercepted local traffic between the browser and the application and could perform a machine-in-the-middle attack to modify data in transit. 

CVE-2023-23588 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 
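Because the weakness is a certificate, and therefore a private key, shared across installations, the practical check is to collect the fingerprint each installation presents and look for fingerprints seen on more than one host: anyone holding one copy of the key can decrypt or impersonate the others. The script below is an added example, not code from Siemens, Adaptec or CISA; the host names and fingerprints in SAMPLE_INVENTORY are constructed placeholders, and fetch_fingerprint, which the constructed data does not exercise, assumes the maxView listener speaks TLS on the port you give it.

```python
import hashlib
import ssl
from collections import defaultdict

# Added example for this advisory summary; not code from Siemens, Adaptec or
# CISA. The inventory below is constructed and its fingerprints are placeholders.


def fingerprint_of_pem(pem: str) -> str:
    """SHA-256 fingerprint (hex) of a PEM-encoded certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_fingerprint(host: str, port: int) -> str:
    """Fetch the certificate a listener presents and fingerprint it.

    Chain verification is beside the point here: the goal is to identify the
    certificate, not to trust it, so the plain handshake performed by
    ssl.get_server_certificate is sufficient. (Assumes a TLS listener on host:port.)
    """
    return fingerprint_of_pem(ssl.get_server_certificate((host, port)))


def shared_fingerprints(inventory) -> dict:
    """Group hosts by certificate fingerprint; keep only groups with more than one host.

    `inventory` is an iterable of (host, fingerprint). Fingerprints are
    normalised so that colon-separated and bare hex forms compare equal.
    """
    hosts_by_fp = defaultdict(set)
    for host, fp in inventory:
        hosts_by_fp[fp.lower().replace(":", "")].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed inventory: fingerprints are placeholders, not real certificate hashes.
SAMPLE_INVENTORY = [
    ("ipc-line1", "aa" * 32),
    ("ipc-line2", "aa" * 32),          # same certificate as ipc-line1
    ("ipc-line3", "bb" * 32),          # unique, e.g. replaced with a site-issued certificate
    ("ipc-line4", "AA:" * 31 + "AA"),  # colon-separated form of the shared one
]


def demo_shared() -> dict:
    """Run the uniqueness check over the constructed inventory."""
    return shared_fingerprints(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for fp, hosts in demo_shared().items():
        print("certificate %s... shared by %s" % (fp[:16], ", ".join(hosts)))
```

In practice the inventory comes from running fetch_fingerprint against each installation; every group the check reports is a set of hosts that still carry the common default certificate and should receive their own site-issued one, as the mitigation below describes.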

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Adaptec has released updates for the affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where updates are not, or not yet, available: 

Update maxView Storage Manager to 4.09.00.25611 or later version. 

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Update the default self-signed device X.509 certificate with a trusted certificate. 

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. 

Additional information on industrial security by Siemens can be found here.

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-511182 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

FANUC ROBOGUIDE-HandlingPRO

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely 
Vendor: FANUC 
Equipment: ROBOGUIDE-HandlingPRO 
Vulnerability: Path Traversal 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ROBOGUIDE-HandlingPRO, a robot simulation software, are affected: 

ROBOGUIDE-HandlingPRO: Versions 9 Rev.ZD and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

FANUC ROBOGUIDE-HandlingPRO Versions 9 Rev.ZD and prior is vulnerable to a path traversal, which could allow an attacker to remotely read files on the system running the affected software. 

CVE-2023-1864 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). 
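The TIA Portal advisory earlier on this page and this FANUC one share a root cause: a file name taken from an untrusted file or request is joined to a base directory without checking that the result still lies inside it. The check below is an added example written for this summary, not code from Siemens, FANUC or CISA; the entries in SAMPLE_ENTRIES are constructed, and it assumes the import directory is known in advance and that a rejected entry aborts the import rather than being skipped silently.

```python
import os
import tempfile

# Added example for this advisory summary; not code from Siemens, FANUC or
# CISA. SAMPLE_ENTRIES are constructed file-name entries of the kind a
# configuration file or request might carry.


class UnsafePath(ValueError):
    """Raised when an untrusted path would leave the base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Resolve `requested` (a path from untrusted input) inside `base_dir`.

    Canonicalise both sides with realpath so that '..', repeated separators and
    symlinks are folded away, then require the result to still sit under base.
    """
    if "\x00" in requested:
        raise UnsafePath("NUL byte in path")
    if os.sep != "\\" and "\\" in requested:
        # On POSIX a backslash is an ordinary filename character, but the same
        # path may later be consumed on Windows, where it separates components.
        raise UnsafePath("backslash in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    if not inside:
        raise UnsafePath("path escapes base directory: %r" % requested)
    return candidate


def classify_entries(base_dir: str, entries) -> dict:
    """Map each entry to 'ok' or 'rejected', e.g. to review a file before importing it."""
    result = {}
    for entry in entries:
        try:
            resolve_within(base_dir, entry)
            result[entry] = "ok"
        except UnsafePath:
            result[entry] = "rejected"
    return result


SAMPLE_ENTRIES = [
    "project/settings.xml",           # ordinary relative path, stays inside
    "project/sub/../config.ini",      # normalises to project/config.ini, stays inside
    "../../outside.txt",              # climbs out of the import directory
    "/tmp/outside.txt",               # absolute path ignores the base entirely
    "project\\..\\..\\outside.txt",   # backslash traversal aimed at Windows consumers
]


def demo_classification() -> dict:
    """Run the check against SAMPLE_ENTRIES in a fresh temporary base directory."""
    base = tempfile.mkdtemp(prefix="import-base-")
    return classify_entries(base, SAMPLE_ENTRIES)


if __name__ == "__main__":
    for entry, verdict in demo_classification().items():
        print("%-32s %s" % (entry, verdict))
```

The realpath step is what makes the check robust: a plain string-prefix comparison passes "base/../outside" and is fooled by symlinks inside the base directory, whereas comparing canonical paths with commonpath rejects both.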

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Japan 

3.4 RESEARCHER

Yenting Lee of TXOne Networks reported this vulnerability to CISA. 

4. MITIGATIONS

FANUC recommends users update to the latest version.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability has high attack complexity. 

mySCADA myPRO

1. EXECUTIVE SUMMARY

CVSS v3 9.9 
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: mySCADA Technologies 
Equipment: mySCADA myPRO 
Vulnerabilities: OS Command Injection 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of myPRO HMI/SCADA systems are affected: 

myPRO: versions 8.26.0 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28400 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.2 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28716 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.3 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28384 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.4 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-29169 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.5 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-29150 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 
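All five entries describe the same root cause: a request parameter reaches an operating-system command without being constrained to the values the feature actually needs. The weak pattern is formatting the parameter into a command string executed through a shell; the hardened pattern below validates the value against an allow-list grammar and passes it as a separate argv element with no shell involved. This is an added example, not code from mySCADA or CISA; it assumes a hypothetical feature that pings a host the user names, and the hostname grammar it enforces is the RFC 1123 one.

```python
import ipaddress
import re
import subprocess

# Added example for this advisory summary; not code from mySCADA or CISA.
# The "ping a named host" feature is hypothetical.

# RFC 1123 hostname: labels of letters, digits and hyphens that neither start
# nor end with a hyphen, at most 253 characters in total.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_host(value: str) -> str:
    """Accept an IP literal or an RFC 1123 hostname; reject everything else."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(value):
        return value
    raise ValueError("not a valid host: %r" % value)


def build_ping_command(target: str, count=1) -> list:
    """Return an argv list; with no shell involved, metacharacters carry no meaning.

    The allow-list also blocks argument injection: a valid hostname cannot begin
    with '-', so a value cannot be smuggled in as an extra option to ping.
    """
    host = validate_host(target)
    count = int(count)
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), host]


def run_ping(target: str, count=1) -> subprocess.CompletedProcess:
    """Execute the validated command with shell=False (the default for a list argv)."""
    return subprocess.run(build_ping_command(target, count),
                          capture_output=True, text=True, timeout=30)


def is_rejected(target: str) -> bool:
    """True if the validator refuses the value (used to demonstrate the allow-list)."""
    try:
        build_ping_command(target)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for value in ("192.0.2.10", "plc-01.example.net", "192.0.2.10; echo injected", "-c 100 192.0.2.10"):
        print("%-28s %s" % (value, "rejected" if is_rejected(value) else build_ping_command(value)))
```

The two measures are complementary: the argv list removes the shell, so separators like ";" are never interpreted, and the allow-list removes argument injection, which an argv list alone does not prevent.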

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Czech Republic 

3.4 RESEARCHER

Michael Heinzl publicly disclosed these vulnerabilities on the internet. 

4. MITIGATIONS

mySCADA recommends users upgrade to version 8.29.0 or higher. For more information, contact mySCADA technical support. mySCADA will also send security advice by email to all registered users. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Ensure the least-privilege user principle is followed. 
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

Known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

JTEKT ELECTRONICS Kostac PLC Programming Software

1. EXECUTIVE SUMMARY

CVSS v3 7.8 
ATTENTION: Low attack complexity  
Vendor: JTEKT ELECTRONICS CORPORATION 
Equipment: Kostac PLC Programming Software 
Vulnerabilities: Out-of-bounds Read, Use After Free 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of JTEKT ELECTRONICS Kostac PLC Programming Software are affected: 

JTEKT ELECTRONICS Kostac PLC Programming Software: Versions 1.6.9.0 and earlier 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125 

When a specially crafted project file is opened, an out-of-bounds read occurs when processing a comment block in stage information because the end of data cannot be verified. 

CVE-2023-22419 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

When a specially crafted project file is opened, an out-of-bounds read occurs because the buffer size used by the PLC program instructions is insufficient. 

CVE-2023-22421 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 USE AFTER FREE CWE-416 

When the maximum number of columns to place the PLC program is out of specification by opening a specially crafted project file, a process accesses memory that has already been freed. 

CVE-2023-22424 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide  
COMPANY HEADQUARTERS LOCATION: Japan  

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to JPCERT/CC. 

4. MITIGATIONS

JTEKT ELECTRONICS recommends users download the following update: 

Version 1.6.10.0 and above 

This version not only addresses the vulnerability, but also takes measures to prevent crafted project files from being opened. Project files saved with Version 1.6.9.0 or earlier can be re-saved with Version 1.6.10.0 or above to enable this tamper-proof feature. Project files saved with Version 1.6.10.0 or above cannot be opened with Version 1.6.9.0 or earlier. 

For more information, see JTEKT ELECTRONICS’ Update Notice.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.  

JTEKT ELECTRONICS Screen Creator Advance 2

1. EXECUTIVE SUMMARY

CVSS v3 7.8 
ATTENTION: Low attack complexity  
Vendor: JTEKT ELECTRONICS CORPORATION 
Equipment: Screen Creator Advance 2 
Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Use After Free 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of JTEKT ELECTRONICS Screen Creator Advance 2, a software program, are affected: 

JTEKT ELECTRONICS Screen Creator Advance 2: Ver0.1.1.4 Build01 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787 

When an out-of-specification error is detected, an out-of-bounds write may occur because there is no error handling process.

CVE-2023-22345 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing template information because the end of data cannot be verified. 

CVE-2023-22346 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing file structure information because the end of data cannot be verified. 

CVE-2023-22347 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing screen management information because the end of data cannot be verified. 

CVE-2023-22349 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing parts management information because the end of data cannot be verified. 

CVE-2023-22350 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.6 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing control management information because the end of data cannot be verified. 

CVE-2023-22353 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.7 USE AFTER FREE CWE-416 

When an error is detected, an out-of-bounds write may occur because there is no error handling process. 

CVE-2023-22360 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Japan 

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to JPCERT/CC. 

4. MITIGATIONS

JTEKT ELECTRONICS recommends users to download the following updates: 

Ver.0.1.1.4 Build01A and above 

For more information, see JTEKT ELECTRONICS’ Update Notice.

CISA recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. 

Korenix Jetwave

1. EXECUTIVE SUMMARY

CVSS v3 8.8 
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Korenix 
Equipment: Jetwave 
Vulnerabilities: Command Injection, Uncontrolled Resource Consumption 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the underlying operating system of the device or cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Korenix Jetwave are affected: 

Korenix JetWave4221 HP-E versions V1.3.0 and prior 
Korenix JetWave 3220/3420 V3 versions prior to V1.7 
Korenix JetWave 2212G version V1.3.T 
Korenix JetWave 2212X/2112S version V1.3.0 
Korenix JetWave 2211C versions prior to V1.6 
Korenix JetWave 2411/2111 versions prior to V1.5 
Korenix JetWave 2411L/2111L versions prior to V1.6 
Korenix JetWave 2414/2114 versions prior to V1.4 
Korenix JetWave 2424 versions prior to V1.3 
Korenix JetWave 2460 versions prior to V1.6 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection. An attacker could modify the file_name parameter to execute commands as root.

CVE-2023-23294 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection via /goform/formSysCmd. An attacker could modify the sysCmd parameter to execute commands as root. 

CVE-2023-23295 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to a possible denial-of-service condition via /goform/formDefault. When logged in, a user could issue a POST request so that the underlying binary exits. The web-service then becomes unavailable and cannot be accessed until a user reboots the device. 

CVE-2023-23296 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 
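As an added illustration for defenders (not part of the CISA advisory and not Korenix code), the following Python scans web-server access log lines for requests to the two endpoints named above, /goform/formSysCmd and /goform/formDefault, and flags shell metacharacters in the sysCmd parameter. The log format and the sample lines are constructed; a real JetWave device may log differently.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory, the parameter each one abuses (None when
# the request itself is the problem), and the CVE to tag the finding with.
WATCHED = {
    "/goform/formSysCmd": ("sysCmd", "CVE-2023-23295"),
    "/goform/formDefault": (None, "CVE-2023-23296"),
}

# Shell metacharacters that have no business in a command or file-name field.
META = re.compile(r"[;&|`$<>\n]")

# Constructed sample lines in common log format (not real device output).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - admin [01/Mar/2023:10:00:02 +0000] "POST /goform/formSysCmd?sysCmd=ping%3Buname HTTP/1.1" 200 88
10.0.0.7 - admin [01/Mar/2023:10:00:03 +0000] "POST /goform/formDefault HTTP/1.1" 500 0
10.0.0.9 - admin [01/Mar/2023:10:00:04 +0000] "GET /goform/formSysCmd?sysCmd=ping HTTP/1.1" 200 64
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)


def scan_log(text):
    """Return (source, timestamp, cve, reason) for every request that
    touches a watched endpoint; any such request is worth reviewing."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m["url"])
        if parts.path not in WATCHED:
            continue
        param, cve = WATCHED[parts.path]
        reason = "request to sensitive endpoint"
        if param:
            # parse_qs percent-decodes, so %3B is seen as ';'
            values = parse_qs(parts.query).get(param, [])
            if any(META.search(v) for v in values):
                reason = f"shell metacharacter in {param}"
        hits.append((m["src"], m["ts"], cve, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the URL query string is inspected here; a device that sends the parameters in a POST body would need the body logged or captured at a proxy.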

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Taiwan 

3.4 RESEARCHER

Thomas Weber of CyberDanube reported these vulnerabilities to Korenix. 

4. MITIGATIONS

Korenix recommends all users update their JetWave products to the latest firmware: 

Korenix JetWave 4221 HP-E V1.4.0 
Korenix JetWave 2212G V1.10 
Korenix JetWave 2212X V1.11/2112S V1.11 
Korenix JetWave 2211C V1.6 
Korenix JetWave 2411/2111 V1.5 
Korenix JetWave 2411L/2111L V1.6 
Korenix JetWave 2414/2114 V1.4 
Korenix JetWave 2424 V1.3 
Korenix JetWave 2460 V1.6 
Korenix JetWave 3220 V3 V1.7/3420 V3 V1.7 

According to Korenix, users should visit Korenix and navigate to the appropriate Korenix JetWave product page, found in the “Wireless” section on the site, and download the latest firmware. 

For more information, see Korenix’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.  

Industrial Control Links ScadaFlex II SCADA Controllers

1. EXECUTIVE SUMMARY

CVSS v3 9.1 
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: Industrial Control Links 
Equipment: ScadaFlex II SCADA Controllers 
Vulnerability: External Control of File Name or Path 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to overwrite, delete, or create files. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Industrial Control Links ScadaFlex II SCADA Controllers are affected: 

SW: 1.03.07 (build 317), WebLib: 1.24 
SW: 1.02.20 (build 286), WebLib: 1.24 
SW: 1.02.15 (build 286), WebLib: 1.22 
SW: 1.02.01 (build 229), WebLib: 1.16 
SW: 1.01.14 (build 172), WebLib: 1.14 
SW: 1.01.01 (build 2149), WebLib: 1.13 

3.2 VULNERABILITY OVERVIEW

3.2.1 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73 

On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 devices, unauthenticated remote attackers can overwrite, delete, or create files. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability. 

CVE-2022-25359 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: North America, South America 
COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

CISA discovered a public proof-of-concept (PoC) as authored by Gjoko Krstic of Zero Science Lab.  

4. MITIGATIONS

Industrial Control Links has relayed that they are closing their business. This product may be considered end-of-life; continued support for this product may be unavailable. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.