Posts Page - CloudCentric

Hitachi Energy MicroSCADA System Data Manager SDM600

Written by on April 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: MicroSCADA System Data Manager SDM600
Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Improper Authorization, Improper Resource Shutdown or Release, Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s MicroSCADA SDM600, a data management tool, are affected:

SDM600: Versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291)
SDM600: Versions prior to v1.3.0 (Build Nr. 1.3.0.1339)

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A vulnerability exists in the affected SDM600 versions file permission validation. An attacker could exploit the vulnerability by gaining access to the system and uploading a specially crafted message to the system node, which could result in arbitrary code execution.

CVE-2022-3682 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER AUTHORIZATION CWE-285

A vulnerability exists in the affected SDM600 versions application programmable interface (API) web services authorization validation implementation. An attacker successfully exploiting the vulnerability could read sensitive data directly from an insufficiently protected or restricted data store.

CVE-2022-3683 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

3.2.3 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A vulnerability exists in an SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, causing the SDM600 web services to become busy, rendering the application unresponsive.

CVE-2022-3684 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 IMPROPER PRIVILEGE MANAGEMENT CWE-269

A vulnerability exists in the affected SDM600 versions software. The software operates at a privilege level higher than the minimum level required. An attacker successfully exploiting this vulnerability could escalate privileges.

CVE-2022-3685 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER AUTHORIZATION CWE-285

A vulnerability exists in the affected SDM600 versions API permission check mechanism. Successful exploitation could cause an unauthenticated user to gain access to device data, causing confidentiality and integrity issues.

CVE-2022-3686 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends applying the following mitigations:

All SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291): Update to v1.3.0.1339
SDM600 versions prior to v1.3.0 (Build Nr. 1.3.0.1339): Apply workaround detailed below.

Hitachi Energy recommends the following security practices and firewall configurations to help protect a process control network from attacks originating from outside the network:

Practice principles of least privileges to minimize permissions and accesses to SDM600 related resources.
Follow security practices defined in SDM600 security deployment guidelines.
Physically protect process control systems from unauthorized direct access.
Do not directly connect control systems networks to the internet.
Separate process control systems from other networks using a firewall system with a minimal number of open ports.
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
Portable computers and removable storage media should be carefully scanned for viruses prior connection to a control system.

For more information, see Hitachi security advisory 8DBD000138.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Nexx Smart Home Device

Written by on April 4, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Nexx
Equipment: Garage Door Controller, Smart Plug, Smart Alarm
Vulnerabilities: Use of Hard-coded Credentials, Authorization Bypass through User-controlled Key, Improper Input Validation, Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Nexx Smart Home devices are affected:

Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798
The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage doors or smart plugs for any customer.

CVE-2023-1748 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).

3.2.2 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639
The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute.

CVE-2023-1749 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.3 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639
The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could retrieve device history, set device settings, and retrieve device information.

CVE-2023-1750 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

3.2.4 IMPROPER INPUT VALIDATION CWE-20
The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which leak a deviceId.

CVE-2023-1751 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER AUTHENTICATION CWE-287
The listed versions of Nexx Smart Home devices could allow any user to register an already registered alarm or associated device with only the device’s MAC address.

CVE-2023-1752 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sam Sabetan reported these vulnerabilities to CISA.

4. MITIGATIONS

Nexx has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Nexx support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Hitachi Energy IEC 61850 MMS-Server

Written by on March 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Hitachi Energy
Equipment: IEC 61850 MMS-Server
Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause products using the IEC 61850 MMS-server communication stack to stop accepting new MMS-client connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions Hitachi Energy equipment using the IEC 61850 communication stack are affected:

TXpert Hub CoreTec 4 version 2.0.x
TXpert Hub CoreTec 4 version 2.1.x
TXpert Hub CoreTec 4 version 2.2.x
TXpert Hub CoreTec 4 version 2.3.x
TXpert Hub CoreTec 4 version 2.4.x
TXpert Hub CoreTec 4 version 3.0.x
TXpert Hub CoreTec 5 version 3.0.x
Tego1_r15b08 (FOX615 System Release R15B)
Tego1_r2a16_03 (FOX615 System Release R14A)
Tego1_r2a16
Tego1_r1e01
Tego1_r1d02
Tego1_r1c07
Tego1_r1b02
GMS600 version 1.3
Relion 670 1.2 (Limited)
Relion 670 2.0 (Limited)
Relion 650 version 1.1 (Limited)
Relion 650 version 1.3 (Limited)
Relion 650 version 2.1 (Classic)
Relion 670 version 2.1 (Classic)
Relion SAM600-IO 2.2.1
Relion SAM600-IO 2.2.5
Relion 670/650 version 2.2.0
Relion 670/650 version 2.2.1
Relion 670/650 version 2.2.2
Relion 670/650 version 2.2.3
Relion 670/650 version 2.2.4
Relion 670/650 version 2.2.5
ITT600 SA Explorer version 1.1.0
ITT600 SA Explorer version 1.1.1
ITT600 SA Explorer version 1.1.2
ITT600 SA Explorer version 1.5.0
ITT600 SA Explorer version 1.5.1
ITT600 SA Explorer version 1.6.0
ITT600 SA Explorer version 1.6.0.1
ITT600 SA Explorer version 1.7.0
ITT600 SA Explorer version 1.7.2
ITT600 SA Explorer version 1.8.0
ITT600 SA Explorer version 2.0.1
ITT600 SA Explorer version 2.0.2
ITT600 SA Explorer version 2.0.3
ITT600 SA Explorer version 2.0.4.1
ITT600 SA Explorer version 2.0.5.0
ITT600 SA Explorer version 2.0.5.4
ITT600 SA Explorer version 2.1.0.4
ITT600 SA Explorer version 2.1.0.5
MSM version 2.2.3 and prior
PWC600 version 1.0
PWC600 version 1.1
PWC600 version 1.2
REB500 all V8.x versions
REB500 all V7.x versions
RTU500 series CMU Firmware version 12.0.1 to 12.0.14
RTU500 series CMU Firmware version 12.2.1 to 12.2.11
RTU500 series CMU Firmware version 12.4.1 to 12.4.11
RTU500 series CMU Firmware version 12.6.1 to 12.6.8
RTU500 series CMU Firmware version 12.7.1 to 12.7.4
RTU500 series CMU Firmware version 13.2.1 to 13.2.5
RTU500 series CMU Firmware version 13.3.1 to 13.3.3
RTU500 series CMU Firmware version 13.4.1
SYS600 version 10.1 to 10.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404
An attacker could exploit the IEC 61850 MMS-Server communication stack by forcing the communication stack to stop accepting new MMS-client connections.

CVE-2022-3353 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy provided updates for the following products. Contact Hitachi Energy for update information.

MSM Server update to version 2.2.5
tego1_r15b08 (FOX615 System Release R15B) update to tego1_r16a11 (FOX615 System Release R16A)
REB500 all V8.x versions update to REB500 firmware to version 8.3.3.0 when released.
RTU500 series CMU Firmware version 12.0.1 to 12.0.14 Update to CMU Firmware version 12.0.15
RTU500 series CMU Firmware version 12.2.1 to 12.2.11 Update to CMU Firmware version 12.2.12
RTU500 series CMU Firmware version 12.4.1 to 12.4.11 Update to CMU Firmware version 12.4.12
RTU500 series CMU Firmware version 12.6.1 to 12.6.8 Update to CMU Firmware version 12.6.9
RTU500 series CMU Firmware version 12.7.1 to 12.7.4 Update to CMU Firmware version 12.7.5
RTU500 series CMU Firmware version 13.2.1 to 13.2.5 Update to CMU Firmware version 13.2.6
RTU500 series CMU Firmware version 13.3.1 to 13.3.3 Update to CMU Firmware version 13.3.4
RTU500 series CMU Firmware version 13.4.1 Update to CMU Firmware version 13.4.2
SYS600 version 10.1 to 10.3.1 update to SYS600 version 10.4.1

For all versions, Hitachi Energy recommends that users apply these general mitigation factors:

Upgrade the system once a remediated version is available.
Apply Hitachi Energy recommended security practices and firewall configurations to help protect a process control network from attacks that originate from outside the network. Such practices include:
Physically protecting process control systems from direct access by unauthorized personnel.
Not allowing direct connections to the internet.
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.

Use a firewall system that has a minimal number of exposed ports to separate the process control network from other networks.
Connection to other networks must be evaluated as necessary.

Scan portable computers and removable storage media carefully for viruses before connection to a control system.

MSM is not designed nor intended to be connected to the internet. Disconnect the device from any internet facing network.
Adopt user access management and updated antivirus protection engines equipped with the latest signature rules for computers that have installed and are operating the MMS Client application.
Use the default operating system (OS) user access management function to limit unauthorized access and/or rogue commands via the MMS Client application.

For more information, see the Hitachi Energy advisories for the corresponding affected products:

8DBD000124 TXpert Hub CoreTec 4 and 5 Products
8DBD000132 RTU500 series
8DBD000127 Relion 670, 650 series, and SAM600-IO
8DBD000131 REB500 series
8DBD000130 PWC600
8DBD000129 MSM
8DBD000133 MicroSCADA X SYS600
8DBD000128 ITT600 SA Explorer
8DBD000126 GMS600
8DBD000125 FOX61x TEGO1

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.

Rockwell Automation ThinManager

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager ThinServer
Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software, are affected:

ThinManager ThinServer: Versions 6.x – 10.x
ThinManager ThinServer: Versions 11.0.0 – 11.0.5
ThinManager ThinServer: Versions 11.1.0 – 11.1.5
ThinManager ThinServer: Versions 11.2.0 – 11.2.6
ThinManager ThinServer: Versions 12.0.0 – 12.0.4
ThinManager ThinServer: Versions 12.1.0 – 12.1.5
ThinManager ThinServer: Versions 13.0.0 – 13.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.

CVE-2023-27855 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In affected versions, a path traversal exists when processing a type 8 message. An unauthenticated remote attacker could exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE-2023-27856 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present. An unauthenticated remote attacker could exploit this vulnerability to crash ThinServer.exe due to a read access violation.

CVE-2023-27857 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tenable Network Security reported these vulnerabilities to Rockwell Automation

4. MITIGATIONS

Rockwell Automation encourages users to implement the risk mitigations provided below. Users should also combine these mitigations with the general security guidelines, if possible.

Rockwell Automation has released the following updates for the affected versions:

Versions 6.x – 10.x: These versions are retired. Users should update to a supported version.
Versions 11.0.0 – 11.0.5: Update to v11.0.6
Versions 11.1.0 – 11.1.5: Update to v11.1.6
Versions 11.2.0 – 11.2.6: Update to v11.2.7
Versions 12.0.0 – 12.0.4: Update to v12.0.5
Versions 12.1.0 – 12.1.5: Update to v12.1.6
Versions 13.0.0 – 13.0.1: Update to v13.0.2

If users are unable to update to the patched version, the following mitigations should be put in place to reduce exploitation of this vulnerability:

Limit remote access of port 2031/TCP to known thin clients and ThinManager servers.

For additional security best practices, see Rockwell Automation’s Knowledgebase article, QA43240 Security Best Practices.

For more information, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Delta Electronics InfraSuite Device Master

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: InfraSuite Device Master
Vulnerabilities: Deserialization of Untrusted Data, Improper Access Control, Exposed Dangerous Method or Function, Path Traversal, Improper Authentication, Command Injection, Incorrect Permission Assignment for Critical Resource, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of InfraSuite Device Master, a real-time device monitoring software, are affected:

Versions prior to 1.0.5

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/ UDP by default. The service accepts the unverified UDP packets and deserializes the content, which could allow an unauthenticated attacker to remotely execute arbitrary code.

CVE-2023-1133 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1139 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1145 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain an improper access control vulnerability, which could allow an attacker to retrieve Gateway configuration files to obtain plaintext credentials.

CVE-2023-1138 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.

CVE-2023-1144 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6 IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which a low-level user could extract files and plaintext credentials of administrator users, resulting in privilege escalation.

CVE-2023-1137 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.7 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.

CVE-2023-1143 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges.

CVE-2023-1134 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

3.2.9 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.

CVE-2023-1142 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.10 IMPROPER AUTHENTICATION CWE-287

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an unauthenticated attacker could generate a valid token, which would lead to authentication bypass.

CVE-2023-1136 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.11 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a command injection vulnerability that could allow an attacker to inject arbitrary commands, which could result in remote code execution.

CVE-2023-1141 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.12 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation.

CVE-2023-1135 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.13 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.

CVE-2023-1140 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Piotr Bazydlo (@chudypd) of Trend Micro and Anonymous working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users uninstall old versions of InfraSuite Device Master and reinstall the updated version 1.0.5 using the installer.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

ProPump and Controls Osprey Pump Controller

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: ProPump and Controls, Inc.
Equipment: Osprey Pump Controller
Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modify data, cause a denial-of-service, and/or gain administrative control.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Osprey Pump Controller, pumping systems, and automated controls is affected:

Osprey Pump Controller version 1.01

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT ENTROPY CWE-331

Osprey Pump Controller version 1.01 is vulnerable to a predictable weak session token generation algorithm and could aid in authentication and authorization bypass. This could allow a cyber threat actor to hijack a session by predicting the session id and gain unauthorized access to the product.

CVE-2023-28395 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

3.2.2 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Cyber threat actors could use a GET parameter to force the affected device to disclose arbitrary files and sensitive system information.

CVE-2023-28375 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 USE OF HARD-CODED PASSWORD CWE-259

Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The account is not visible in the Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device.

CVE-2023-28654 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. Threat actors could exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP POST parameter called by index.php script.

CVE-2023-27886 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. Threat actors could exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.

CVE-2023-27394 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to the user. Threat actors could exploit this vulnerability to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site.

CVE-2023-28648 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.7 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller.

CVE-2023-28398 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.8 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any checks to verify the requests. This could allow an unauthorized user to perform certain actions with administrative privileges if a logged-in user visits a malicious website.

CVE-2023-28718 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.9 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions.

CVE-2023-28712 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Gjoko Krstic of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

ProPump and Controls has not responded to requests to work with CISA to mitigate the reported vulnerabilities. Users of the affected product are encouraged to contact ProPump and Controls representative.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Keysight N6845A Geolocation Server

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Keysight Technologies
Equipment: N6854A Geolocation Sever
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges in the affected device’s default configuration, resulting in remote code execution or deleting system files and folders.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Keysight monitoring products are affected:

N6854A Geolocation Server versions 2.4.2 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected device’s default configuration and achieve remote code execution.

CVE-2023-1399 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous individual working with Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Keysight recommends upgrading the N6854A Geolocation server to version 2.4.3.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

VISAM VBASE Automation Base

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity
Vendor: VISAM
Equipment: VBASE
Vulnerabilities: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information from the target device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

VISAM reports these vulnerabilities affect the following VBASE products:

VBASE Automation Base: versions prior to 11.7.5

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-41696 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.2 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-43512 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.3 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-45121 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.4 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-45468 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-45876 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.6 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-46286 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.7 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

CVE-2022-46300 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

VISAM recommends users update to VBASE 11.7.5 or later. The update can be performed via the VBASE Editor update dialog on machines with secure access to the internet. Users of machines without internet access must manually update by submitting a request form to receive a download link.

For more information, users should contact VISAM using the information provided on their contact page (German language).

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. These vulnerabilities have low attack complexity.

ABB Pulsar Plus Controller

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 6.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ABB
Equipment: Pulsar Plus Controller
Vulnerabilities: Use of Insufficiently Random Values, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to take control of the product or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ABB Pulsar Plus Controller, are affected:

ABB Infinity DC Power Plant – H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415
ABB Pulsar Plus System Controller – NE843_S – comcode 150042936

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

There are several fields in the web pages where a user can enter arbitrary text, such as a description of an alarm or a rectifier. These represent a cross site scripting vulnerability where JavaScript code can be entered as the description with the potential of causing system interactions unknown to the user. These issues were remediated by adding a check of every field update to reject suspicious entries.

CVE-2022-1607 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Every interaction with the web server requires a Session ID that is assigned to the session after a successful login. The reported vulnerability is that the Session IDs were too short (16 bits), too predictable (IDs simply incremented), and were plainly visible in the URLs of the web pages. These issues were remediated by rewriting the web server to follow recommended best practices.

CVE-2022-26080 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Vlad Ionescu of Facebook Red Team X reported these vulnerabilities to ABB.

4. MITIGATIONS

ABB has an available update resolving a privately reported vulnerability in the product versions listed above. The update is version number 5.0.0 for the application and 5.0.0 for web pages. These updates have been distributed through the appropriate product support channels with affected users.

ABB recommends users ensure the firewall protection is properly configured.

A workaround suggested by ABB is to use the controller’s Read/Write Enable/Disable feature for a network port (NET1,WRE=0).

The controller can disable all writes over the network port. The factory default is to have the write capability enabled. However, some users may not want settings to be remotely changed once systems are set. This feature, when set to “Disable”, will allow no changes to be accepted. Once set, it can only be changed locally through the front panel.

Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors.

For more information, see ABB Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities.

SAUTER EY-modulo 5 Building Automation Stations

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SAUTER
Equipment: EY-modulo 5 Building Automation Stations
Vulnerabilities: Cross-site Scripting, Cleartext Transmission of Sensitive Information, and Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to privilege escalation, unauthorized execution of actions, a denial-of-service condition, or retrieval of sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

SAUTER reports these vulnerabilities affect the following EY-modulo 5 Building Automation Stations:

EY-AS525F001 with moduWeb

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

An unauthenticated remote attacker could provide a malicious link and trick an unsuspecting user into clicking on it. If clicked, the attacker could execute the malicious JavaScript (JS) payload in the target’s security context.

CVE-2023-28650 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 CROSS-SITE SCRIPTING CWE-79

A malicious user could leverage this vulnerability to escalate privileges or perform unauthorized actions in the context of the targeted privileged users.

CVE-2023-28655 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.3 CROSS-SITE SCRIPTING CWE-79

An unauthenticated remote attacker could force all authenticated users, such as administrative users, to perform unauthorized actions by viewing the logs. This action would also grant the attacker privilege escalation.

CVE-2023-22300 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP credentials.

CVE-2023-27927 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An authenticated malicious user could successfully upload a malicious image could lead to a denial-of-service condition.

CVE-2023-28652 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Ithaca Labs of Odyssey Cyber Security reported this vulnerability to CISA.

4. MITIGATIONS

According to SAUTER, the EY-modulo 5 Building Automation Stations product line does not support encryption on its communication protocols. As such, it is not appropriate for open networks.

SAUTER recommends deactivating moduWeb when not in use as doing so closes the vulnerabilities related to the web server and the mail client service; users can upgrade to the latest generation modulo 6 with moduWeb Unity as the web server, which supports encrypted communication with TLS.

SAUTER recommends users take all necessary measures to protect the integrity of building automation networks, restrict access to the devices, and leverage all appropriate means and policies to minimize risks. Users should evaluate and upgrade legacy systems to current solutions where necessary.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.