Posts Page - CloudCentric

Delta Electronics CNCSoft-B DOPSoft

Written by on June 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft-B DOPSoft
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit a buffer overflow condition and remotely execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CNCSoft-B DOPSoft, a human machine interface (HMI), are affected:

CNCSoft-B DOPSoft: versions 1.0.0.4 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics’ CNCSoft-B DOPSoft versions 1.0.0.4 and prior are vulnerable to stack-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2023-25177 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

Delta Electronics’ CNCSoft-B DOPSoft versions 1.0.0.4 and prior are vulnerable to heap-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2023-24014 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson (@NattiSamson), working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics has released and recommends users to download CNCSoft-B DOPSoft v4.0.0.82 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series

Written by on June 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool
Vulnerabilities: Weak Password Requirements, Use of Hard-coded Password, Missing Password Field Masking, Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to connect to the module via FTP and bypass authentication to log in.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports these vulnerabilities affect the following MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool:

RJ71EIP91: All versions
SW1DNN-EIPCT-BD: All versions
FX5-ENET/IP: All versions
SW1DNN-EIPCTFX5-BD: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK PASSWORD REQUIREMENTS CWE-521

Authentication bypass vulnerability in FTP function on EtherNet/IP module due to weak password requirements could allow a remote unauthenticated attacker to access to the module via FTP by dictionary attack or password sniffing.

CVE-2023-2060 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

Authentication bypass vulnerability in FTP function on EtherNet/IP module could allow a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP.

CVE-2023-2061 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 MISSING PASSWORD FIELD MASKING CWE-549

The EtherNet/IP configuration tool that displays unmasked passwords due to missing password field masking results in authentication bypass vulnerability, which could allow a remote unauthenticated attacker to access the module via FTP.

CVE-2023-2062 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

Information disclosure, tampering, deletion, destruction vulnerability exists in the FTP function on EtherNet/IP module via file upload/download due to unrestricted upload of file with dangerous type.

CVE-2023-2063 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Iie Karada reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends customers take the following mitigation measures to minimize the risk of a threat actor exploiting these vulnerabilities:

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to prevent untrusted devices LAN to which the affected product connects.
Avoid uploading/downloading files directly using FTP, and use the EtherNet/IP configuration tool. Do not open the downloaded file with anything other than the EtherNet/IP configuration tool.
For FX5-ENET/IP, use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual: “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).

For specific update instructions and additional details, see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

HID Global SAFE

Written by on June 1, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: HID Global
Equipment: SAFE
Vulnerabilities: Modification of Assumed-Immutable Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in exposure of personal data or create a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of HID’s SAFE, a personnel and access management software, are affected:

HID SAFE using the optional External Visitor Manager portal: Versions 5.8.0 through 5.11.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MODIFICATION OF ASSUMED-IMMUTABLE DATA CWE-471

The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

CVE-2023-2904 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Government Facilities, Transportation, Commercial Facilities, Healthcare
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA internal research reported this vulnerability to HID.

4. MITIGATIONS

The External Visitor Management feature is licensed and deployed separately from the HID SAFE core software. Users not using this feature are not affected. According to HID Global, the number of affected systems is limited and all affected systems have been patched.

Please see HID’s security advisory for more information.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Advantech WebAccess/SCADA

Written by on June 1, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Advantech
Equipment: WebAccess Node
Vulnerabilities: Improper Control of Generation of Code (‘Code Injection’), Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to arbitrarily overwrite files resulting in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Advantech products are affected:

WebAccess/SCADA versions 9.1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution.

CVE-2023-32540 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.

CVE-2023-22450 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.

CVE-2023-32628 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Tawain

3.4 RESEARCHER

YangLiu from Elex Feigong Research Institute reported these vulnerabilities to CISA.

4. MITIGATIONS

Advantech recommends WebAccess/SCADA users upgrade to v9.1.4.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Advantech WebAccess/SCADA

Written by on May 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerabilities: Insufficient Type Distinction

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker full control over the supervisory control and data acquisition (SCADA) server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Advantech reports this vulnerability affect the following WebAccess/SCADA product:

WebAccess/SCADA: version 8.4.5

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT TYPE DISTINCTION CWE-351

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.

CVE-2023-2866 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

3.4 RESEARCHER

Marlon Luis Petry reported this vulnerability to CISA.

4. MITIGATIONS

Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.

If users wish to remedy this problem in version 8.4.5, they can uninstall “WebAccess Dashboard” from the control panel. Delete all the files:

InetpubwwwrootbroadwebWADashboard

WebAccessNodeWADashboardSetup.msi

Advantech released a new version V9.1.4 to address the problem by not including these files.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

Moxa MXsecurity Series

Written by on May 25, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Moxa
Equipment: MXsecurity Series
Vulnerabilities: Command Injection and Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthorized user to bypass authentication or to execute arbitrary commands on the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Moxa reports these vulnerabilities affect the following MXsecurity Series:

MXsecurity Series: Software v1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 COMMAND INJECTION CWE-77

A remote attacker, who has gained authorization privileges, could execute arbitrary commands on the device.

CVE-2023-33235 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

An attacker could bypass authentication for web-based application programmable interfaces (APIs).

CVE-2023-33236 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Simon Janz, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Moxa has developed a solution to address these vulnerabilities. Users should upgrade to software v1.0.1 or higher.

Users are encouraged to visit Moxa’s security advisory MPSA-230301 for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x Products

Written by on May 23, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: AFS65x, AFS67x, AFR67x and AFF66x series products
Vulnerabilities: Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or lead to a Denial-of-Service (DoS).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x series products, are affected:

AFS660/665S, AFS660/665C, AFS670v2: Firmware 7.1.05 and earlier
AFS670/675, AFR67x: Firmware 9.1.07 and earlier
AFF660/665: Firmware 03.0.02 and earlier
AFS65x: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416

The libexpat library is incorporated in the AFS, AFR and AFF products family. Versions of libexpat before 2.4.9 have a use-after-free in the do-Content function in xmlparse.c. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.

CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE AFTER FREE CWE-416

The libexpat library is incorporated in the AFS, AFR and AFF products family. In versions of libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. Successful exploitation of this vulnerability could lead to a denial-of-service condition.

CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:

AFS660/665S, AFS660/665C, AFS670v2: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming 7.1.08 when available.
AFS670/675, AFR67x: Apply mitigation strategy as described in General Mitigation Factors Section or update to 9.1.08.
AFS65x: EoL product – only mitigation available, no remediation expected. Apply mitigation strategy as described in General Mitigation Factors Section.
AFF660/665: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming release.

Hitachi Energy also recommends general mitigations:

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.
Physically protect process control systems from direct access by unauthorized personnel.
Ensure process control systems have no direct connections to the internet and are separated from other networks by a firewall system with a minimal number of exposed ports.
Do not use process control systems for internet surfing, instant messaging, or receiving emails.
Scan portable computers and removable storage media for malware prior connection to a control system.

For more information, see Hitachi Energy’s Security Advisory: 8DBD000149.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Horner Automation Cscape

Written by on May 23, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Horner Automation
Equipment: Cscape, Cscape EnvisionRV
Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read, Use After Free, Access of Uninitialized Pointer, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information and to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Horner Automation’s Cscape are affected:

Cscape: v9.90 SP8
Cscape EnvisionRV: v4.70

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-29503 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-32281 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS READ CWE-125

The affected application lacks proper validation of user-supplied data when parsing project files (e.g.., CSP). This could lead to an out-of-bounds read in IO_CFG. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-32289 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in Cscape!CANPortMigration. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-32545 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

The affected application lacks proper validation of user-supplied data when parsing font files (e.g., FNT). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process.

CVE-2023-27916 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 USE AFTER FREE CWE-416

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a use-after-free vulnerability. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-28653 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 ACCESS OF UNINITIALIZED POINTER CWE-824

The affected product does not properly validate user-supplied data. If a user opens a maliciously formed CSP file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer.

CVE-2023-31244 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e374b. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2023-32203 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e3c04. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process.

CVE-2023-32539 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.10 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process.

CVE-2023-31278 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Horner Automation recommends upgrading the following software:

Cscape: Update to v9.90 SP9
Cscape Envision RV: Update to v4.80

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Hitachi Energy’s RTU500 Series Product

Written by on May 23, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: RTU500 Series
Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s RTU500 Series Product, are affected:

For CVE-2023-0286, CVE-2022-4304

RTU500 series CMU Firmware: version 12.0.1 through 12.0.15
RTU500 series CMU Firmware: version 12.2.1 through 12.2.12
RTU500 series CMU Firmware: version 12.4.1 through 12.4.12
RTU500 series CMU Firmware: version 12.6.1 through 12.6.9
RTU500 series CMU Firmware: version 12.7.1 through 12.7.6
RTU500 series CMU Firmware: version 13.2.1 through 13.2.6
RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
RTU500 series CMU Firmware: version 13.4.1 through 13.4.2

For CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, CVE-2021-3712

RTU500 series CMU Firmware: version 12.0.1 through 12.0.14
RTU500 series CMU Firmware: version 12.2.1 through 12.2.11
RTU500 series CMU Firmware: version 12.4.1 through 12.4.11
RTU500 series CMU Firmware: version 12.6.1 through 12.6.8
RTU500 series CMU Firmware: version 12.7.1 through 12.7.5
RTU500 series CMU Firmware: version 13.2.1 through 13.2.5
RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
RTU500 series CMU Firmware: version 13.4.1 through 13.4.1

3.2 VULNERABILITY OVERVIEW

3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843

There is a type-confusion vulnerability affecting X.400 address processing within an X.509 GeneralName. This vulnerability could allow an attacker to pass arbitrary pointers to a memcmp call, enabling access to read memory contents or cause a denial-of-service condition. X.400 addresses parsed as an ASN1_STRING while the public structure definition for GENERAL_NAME incorrectly specifies the x400Address field type as ASN1_TYPE.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.2 OBSERVABLE TIMING DISCREPANCY CWE-208

A timing-based side channel exists in the OpenSSL RSA Decryption implementation. This could allow an attacker sufficient access to recover plaintext across a network to perform a Bleichenbacher style attack. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 OUT-OF-BOUNDS READ CWE-125

A vulnerability exists in the Wind River VxWorks version 6.9 affecting the RTU500 series product versions listed. An attacker could exploit the vulnerability by using a specific crafted packet that could lead to an out-of-bounds read during an IKE initial exchange scenario.

CVE-2022-23937 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835

A vulnerability exists in the OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed. An attacker can exploit the BN_mod_sqrt() function to compute a modular square root that contains a bug causing a continual loop for non-prime moduli.

CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. An attacker with access to applications and the capability to present SM2 content for decryption could cause a buffer overflow up to a maximum of 62 bytes while altering contents of data present after the buffer. This vulnerability could allow an attacker to change application behavior or cause the application to crash.

CVE-2021-3711 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 OUT-OF-BOUNDS READ CWE-125

A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. A malicious actor could cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions. Exploiting this vulnerability could create a system crash causing a denial-of-service condition or a disclosure of private memory contents, such as private keys or sensitive plaintext.

CVE-2021-3712 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:

Until the updates are made available, follow the General Mitigation Factors/Workarounds

Hitachi Energy recommends general mitigation factors/Workarounds:

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network including.
Physically protect process control systems from direct access by unauthorized personnel.
Do not allow process control systems direct connections to the internet.
Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy’s Security Advisories:

8DBD000150
8DBD000153

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Mitsubishi Electric MELSEC Series CPU module

Written by on May 23, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric Corporation
Equipment: MELSEC Series CPU module
Vulnerabilities: Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets. The attacker needs to understand the internal structure of products to execute malicious code. Therefore, it is difficult to execute malicious code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU module:

MELSEC iQ-F Series FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Serial number 17X**** or later, version 1.220 and later
MELSEC iQ-F Series FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS: Serial number 17X**** or later, version 1.220 and later
MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: version 1.220 and later

3.2 VULNERABILITY OVERVIEW

3.2.1 CLASSIC BUFFER OVERFLOW CWE-120

A vulnerability, due to copying buffers without checking size of input, exists in affected MELSEC Series CPU modules. Exploitation may allow a denial-of-service condition and malicious code execution.

CVE-2023-1424 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Matt Wiseman of Cisco Talos reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric has created firmware version 1.290 to address this issue and encourages users to update. The following should be referred to when updating: “5 FIRMWARE UPDATE FUNCTION” in the MELSEC iQ-F FX5 User’s Manual (Application).

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall or virtual private network (VPN) etc., to prevent unauthorized access when internet access is required.
Use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
Use IP filter function to block access from untrusted hosts.
For details regarding the IP filter function, users can refer to “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).
Restrict physical access to the LAN that is connected by affected products.

For specific update instructions and additional details see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity.