
Rockwell Automation FactoryTalk Diagnostics (Update B)

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Rockwell Automation
Equipment: FactoryTalk Diagnostics
Vulnerabilities: Deserialization of Untrusted Data

2. UPDATE OR REPOSTED INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-20-051-02-Rockwell Automation FactoryTalk Diagnostics (Update A) that was published February 20, 2020, on the ICS webpage at cisa.gov/ICS.

3. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of FactoryTalk Diagnostic software, a subsystem of the FactoryTalk Service Platform, are affected:

FactoryTalk Diagnostics software: Versions 2.00 to 6.11

4.2 VULNERABILITY OVERVIEW

4.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe on TCP/8082, which can insecurely deserialize untrusted data.

CVE-2020-6967 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

4.4 RESEARCHER

Trend Micro’s Zero Day Initiative, working with rgod of 9sg, reported this vulnerability to CISA.

5. MITIGATIONS

Rockwell Automation will fully resolve this vulnerability in the next release of the FactoryTalk Service Platform.

Rockwell Automation recommends affected users implement the following compensating controls, based on their needs:

Upgrade to version 6.20 or later for versions that predate version 6.20; this version restricts connection settings to only the local port.

——— Begin Update B Part 1 of 1 ——— 

For FactoryTalk Services Platform version 6.31: Enable Microsoft Windows Communication Foundation (WCF), which avoids the vulnerability.
For FactoryTalk Services Platform version 6.31: Enable .NET Remoting (system default) with connections restricted to a local port, which mitigates the vulnerability.

——— End Update B Part 1 of 1 ——— 

Install the patch BF24822 to restrict connection settings to only the local port for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11.
Upgrade to a more recent version for versions that predate version 2.74.
Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
Use Windows Firewall Configuration to help prevent remote connection to the affected port if the Remote Diagnostics Service is in use.
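The compensating controls above all come down to one observable condition on the host: RNADiagnosticsSrv.exe must not be listening for .NET Remoting connections on a non-loopback address. The following Python script is an added example (not part of the CISA or Rockwell Automation advisory) that classifies listeners from `netstat -ano` output and flags the diagnostics service when port 8082 is bound to a wildcard or external address. The netstat text and the PID-to-image mapping are constructed samples; on a real host they would come from `netstat -ano` and `tasklist`.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `netstat -ano` output on an unpatched Windows host (not from the advisory).
SAMPLE_NETSTAT_EXPOSED = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8082           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:8083         0.0.0.0:0              LISTENING       4120
  TCP    [::]:8082              [::]:0                 LISTENING       4120
"""

# Constructed sample after the "local port only" setting is applied: 8082 bound to loopback.
SAMPLE_NETSTAT_RESTRICTED = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:8082         0.0.0.0:0              LISTENING       4120
  TCP    [::1]:8082             [::]:0                 LISTENING       4120
"""

# Constructed PID -> image-name mapping (what `tasklist` would report on the sample host).
SAMPLE_PIDS: Dict[int, str] = {904: "svchost.exe", 4120: "RNADiagnosticsSrv.exe"}

DIAG_PORT = 8082                      # port named in the advisory
DIAG_IMAGE = "rnadiagnosticssrv.exe"  # process named in the advisory (compared case-insensitively)
LOOPBACK = {"127.0.0.1", "[::1]"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


class Listener(NamedTuple):
    addr: str
    port: int
    pid: int


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Extract TCP LISTENING sockets from `netstat -ano` style output."""
    listeners = []
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            addr, port, pid = match.groups()
            listeners.append(Listener(addr, int(port), int(pid)))
    return listeners


def exposed_diag_endpoints(listeners: List[Listener], pid_names: Dict[int, str]) -> List[Listener]:
    """Return diagnostics-service sockets on port 8082 that are reachable from other hosts.

    A socket is considered exposed when it belongs to RNADiagnosticsSrv.exe, is on the
    advisory's port, and is bound to anything other than a loopback address.
    """
    return [
        lst for lst in listeners
        if lst.port == DIAG_PORT
        and pid_names.get(lst.pid, "").lower() == DIAG_IMAGE
        and lst.addr not in LOOPBACK
    ]


def report(netstat_text: str, pid_names: Dict[int, str]) -> str:
    flagged = exposed_diag_endpoints(parse_listeners(netstat_text), pid_names)
    if not flagged:
        return "OK: diagnostics endpoint is not listening on a non-loopback address"
    detail = ", ".join(f"{l.addr}:{l.port} (pid {l.pid})" for l in flagged)
    return f"EXPOSED: {detail}; apply the local-port restriction or firewall the port"


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT_EXPOSED, SAMPLE_PIDS))
    print(report(SAMPLE_NETSTAT_RESTRICTED, SAMPLE_PIDS))
```

To run this against a live host, replace the constructed text with the output of `netstat -ano` and build the PID mapping from `tasklist`; the check itself does not change.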

For more information, please see Rockwell Automation’s security advisory (login required).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required. Recognize that VPNs may have vulnerabilities and should be updated to the most current version available; VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Hitachi Energy’s MicroSCADA Pro/X SYS600 Products

1. EXECUTIVE SUMMARY

CVSS v3 6.7 
ATTENTION: Public exploits are available
Vendor: Hitachi Energy
Equipment: MicroSCADA Pro/X SYS600 Products
Vulnerabilities: Permissions, Privileges, and Access Controls

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s MicroSCADA Pro/X SYS600 products are affected:

SYS600: 9.4 FP2 Hotfix 5 and earlier
SYS600: 10.1.1 and earlier

3.2 VULNERABILITY OVERVIEW

3.2.1 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264  

The ActiveBar ActiveX control distributed in ActBar.ocx 1.0.3.8 in SYS600 product does not properly restrict the SetLayoutData method, which could allow attackers to execute arbitrary code via a crafted data argument.

CVE-2011-1207 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:

SYS600 9.x: upgrade to at least SYS600 version 10.2 or apply general mitigation factors.
SYS600 10.x: update to at least SYS600 version 10.2 or apply general mitigation factors.

Hitachi Energy recommends general mitigation factors and workarounds:

Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.
Keep process control systems physically protected from direct access by unauthorized personnel.
Ensure process control systems have no direct connections to the internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and other practices that must be evaluated case by case.
Avoid using process control systems for internet surfing, instant messaging, or receiving emails.
Carefully scan portable computers and removable storage media for malware before connection to a control system.
Ensure proper password policies and processes are followed.

Hitachi Energy recommends following the cybersecurity deployment guideline as follows: 1MRK511518 MicroSCADA X Cyber Security Deployment Guideline. 

For more information, see Hitachi Energy cybersecurity advisory 8DBD000142.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Carlo Gavazzi Powersoft

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Carlo Gavazzi
Equipment: Powersoft
Vulnerabilities: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access and retrieve any file from the server. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Carlo Gavazzi Powersoft, an energy management software, are affected:

Powersoft: Versions 2.1.1.1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Carlo Gavazzi Powersoft versions 2.1.1.1 and prior have a directory traversal vulnerability that can allow an attacker to access and retrieve any file through specially crafted GET requests to the server.
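Since the vendor will not issue a fix, the relevant engineering lesson is what a correct file-serving check looks like. The Python below is an added example, not Powersoft code and not derived from the public proof-of-concept: it contrasts the vulnerable pattern (joining a client-supplied name onto the document root) with a resolver that canonicalises the path and refuses anything outside the root. The document root and request paths are constructed; `%2e%2e%2f` is simply the percent-encoding of `../`, and the backslash handling covers servers on Windows.

```python
import os
from urllib.parse import unquote


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable pattern (CWE-22): the request path is concatenated onto the root.

    os.path.join happily follows '..' segments, and an absolute request path
    replaces base_dir entirely.
    """
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Resolve a GET request path to a file strictly inside base_dir, or raise."""
    base = os.path.realpath(base_dir)
    # Decode percent-encoding exactly once so the check sees the same bytes the
    # filesystem would; treat backslashes as separators and drop a leading slash
    # so an absolute path cannot replace the root.
    rel = unquote(requested).replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(base, rel))
    # realpath collapses '..' and symlinks; the result must still share the root.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return target


def is_confined(base_dir: str, requested: str) -> bool:
    try:
        safe_resolve(base_dir, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed document root and request paths for the demonstration.
    root = "/srv/powersoft/www"
    for req in ["index.html", "../../../etc/passwd", "%2e%2e%2fetc%2fpasswd", "..\\..\\config.ini"]:
        print(f"{req!r:32} unsafe -> {unsafe_resolve(root, req)!r:45} confined={is_confined(root, req)}")
```

Note that `commonpath` compares whole path components, so a root of `/srv/www` does not accidentally accept `/srv/wwwx/...`.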

CVE-2017-20184 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

CISA discovered a public proof-of-concept as authored by James Fitts.

4. MITIGATIONS

Carlo Gavazzi will not issue a fix as this product is end-of-life.

Users should contact Carlo Gavazzi for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Johnson Controls OpenBlue Enterprise Manager Data Collector

1. EXECUTIVE SUMMARY

CVSS v3 10.0 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls Inc.
Equipment: OpenBlue Enterprise Manager Data Collector
Vulnerabilities: Improper Authentication, Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector, which do not require authentication and may expose sensitive information to an unauthorized user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Johnson Controls products are affected: 

OpenBlue Enterprise Manager Data Collector: Firmware versions prior to 3.2.5.75

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector do not require authentication.

CVE-2023-2024 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector may expose sensitive information to an unauthorized user.

CVE-2023-2025 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Rushank Shetty, Security Researcher at Northwestern Mutual, reported this vulnerability to Johnson Controls, Inc.; Johnson Controls, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends updating OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75. Users must contact Johnson Controls to obtain the update.

For more information, refer to Johnson Controls Product Security Advisory JCI-PSA-2023-04 v1.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Mitsubishi Electric MELSEC WS Series

1. EXECUTIVE SUMMARY

CVSS v3 7.5 
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: WS0-GETH00200
Vulnerabilities: Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module or, if certain conditions are met, either disclose or tamper with the module’s configuration, or rewrite the firmware.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC WS Series, an Ethernet interface module, are affected:

WS0-GETH00200: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 ACTIVE DEBUG CODE CWE-489 

In the affected products, the hidden telnet function is enabled by default when shipped from the factory. An authentication bypass vulnerability could allow a remote unauthenticated attacker to log into the affected module by connecting to it via telnet. 

CVE-2023-1618 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has released the following mitigations/workarounds:

Set a password for telnet sessions that is difficult for third parties to guess. The password can be up to 15 characters long. Note that “[space]” in the input string represents a single-byte space. Users can change the password for the telnet session of the affected product by using the telnet client and performing:
Password setting:
Enter “telnet[space]” followed by the IP address of the affected product and press the Enter key.
When “Password” is displayed, press the Enter key without entering anything. 
When “telnet>” is displayed, enter “password[space]” followed by the desired password string and press the Enter key.
Enter “quit” and press the Enter key.

Confirm the password is set:
After the Password setting process, enter “telnet[space]” followed by the IP address of the affected product and press the Enter key.
When “Password” is displayed, enter the password string set in the Password setting process and press the Enter key.
If “telnet>” is displayed, the password is set correctly.
Enter “quit” and press the Enter key.

Alternatively, Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
Restrict physical access to prevent untrusted devices from connecting to the LAN.

For more information, see Mitsubishi Electric’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Snap One OvrC Cloud

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Snap One
Equipment: OvrC Cloud, OvrC Pro Devices
Vulnerabilities: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Snap One component is affected:

OvrC Pro version 7.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate if the found devices are already managed by another user.

CVE-2023-28649 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.2 OBSERVABLE RESPONSE DISCREPANCY CWE-204

When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information.

CVE-2023-28412 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright.

CVE-2023-31241 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation.

CVE-2023-31193 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of complete PKI system firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution.

CVE-2023-28386 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

3.2.6 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using a HTTP connection. Attackers could impersonate a device and supply malicious information about the device’s web server interface. By supplying malicious parameters, an attacker could redirect the user to arbitrary and dangerous locations on the web.

CVE-2023-31245 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

3.2.7 USE OF HARD-CODED CREDENTIALS CWE-798

Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.

CVE-2023-31240 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). 

3.2.8 HIDDEN FUNCTIONALITY CWE-912

In Snap One OvrC Pro versions prior to 7.2, when logged into the superuser account, a new functionality appears that could allow users to execute arbitrary commands on the hub device.

CVE-2023-25183 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Uri Katz of Claroty reported these vulnerabilities to CISA.

4. MITIGATIONS

Snap One has released the following updates/fixes for the affected products:

OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.
OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.
Disable UPnP.

For more information, see Snap One’s Release Notes.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

No known public exploits specifically target these vulnerabilities.

Rockwell Automation FactoryTalk Vantagepoint

1. EXECUTIVE SUMMARY

CVSS v3 7.1
ATTENTION: Exploitable remotely
Vendor: Rockwell Automation
Equipment: FactoryTalk Vantagepoint
Vulnerabilities: Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to impersonate an existing user or execute a cross site request forgery (CSRF) attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation FactoryTalk Vantagepoint are affected:

FactoryTalk Vantagepoint: All versions prior to 8.40

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The affected product is vulnerable to a CSRF attack, which could allow an attacker to impersonate a legitimate user.
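A CSRF attack works because the browser attaches the victim's session cookie to a request the attacker's page initiated; the server cannot tell the two apart unless the request also carries a value the attacker's page cannot obtain. The Python below is an added example (not FactoryTalk Vantagepoint code) of the standard defence: a per-form token bound to the session with an HMAC, checked in constant time, plus the `Sec-Fetch-Site` header as a second gate. The request objects, session IDs and server key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: a per-deployment secret held only by the server; generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token = nonce '.' HMAC(key, session_id ':' nonce).

    The token is embedded in the form the server renders; a page on another
    origin cannot read it, and a token stolen from one session is useless in another.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str], key: bytes = SERVER_KEY) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, mac)


def handle_state_change(request: dict, key: bytes = SERVER_KEY) -> Tuple[int, str]:
    """Minimal handler for a state-changing POST.

    `request` is a plain dict standing in for a framework request object:
    {"cookies": {...}, "headers": {...}, "form": {...}} (constructed shape).
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "no session"
    # Browsers label cross-site navigations/submissions; only same-origin (or
    # non-browser, header-less) requests may proceed to the token check.
    fetch_site = request.get("headers", {}).get("Sec-Fetch-Site", "none")
    if fetch_site not in ("same-origin", "none"):
        return 403, "cross-site request blocked"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token"), key):
        return 403, "missing or invalid CSRF token"
    return 200, "user profile updated"


if __name__ == "__main__":
    token = issue_csrf_token("sess-victim")
    legit = {"cookies": {"session": "sess-victim"},
             "headers": {"Sec-Fetch-Site": "same-origin"},
             "form": {"csrf_token": token}}
    forged = {"cookies": {"session": "sess-victim"},   # browser attaches the cookie anyway
              "headers": {"Sec-Fetch-Site": "cross-site"},
              "form": {}}                               # attacker's page cannot read the token
    print(handle_state_change(legit))
    print(handle_state_change(forged))
```

The token check alone is sufficient; the `Sec-Fetch-Site` gate is cheap defence in depth for browsers that send it, and is skipped (treated as `none`) for clients that do not.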

CVE-2023-2444 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to V8.40 or later.

Users of the affected software are also encouraged to implement Rockwell Automation’s suggested Security Best Practices to minimize risk associated with the vulnerability and provide training about social engineering attacks, such as phishing.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.

Rockwell ArmorStart

1. EXECUTIVE SUMMARY

CVSS v3 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell
Equipment: ArmorStart
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a malicious user to view and modify sensitive data or make the web page unavailable.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell ArmorStart are affected:

ArmorStart ST281E: Version 2.004.06 and later
ArmorStart ST284E: All versions
ArmorStart ST280E: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20 

A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-29031 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 IMPROPER INPUT VALIDATION CWE-20

A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-29030 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-29023 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-29024 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L). 

3.2.5 IMPROPER INPUT VALIDATION CWE-20

A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29025 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29026 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29027 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29028 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29029 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVE-2023-29022 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users take the following measures to mitigate the risk of these vulnerabilities:

Disable the web server during normal use. The web server is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled again.
For information on how to mitigate security risks on industrial automation control systems (IACS) networks, see the following publications:
System Security Design Guidelines Reference Manual publication, SECURE-RM001
Configure System Security Features User Manual, SECURE-UM001

Additionally, Rockwell Automation encourages customers to implement their suggested security best practices to minimize the risk of the vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

Rockwell Automation ThinManager

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager
Vulnerabilities: Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to decrypt traffic sent between the client and server application programming interface (API), resulting in unauthorized access to information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ThinManager, a software management platform, are affected:

ThinManager: Versions 13.0 to 13.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

The affected product allows the use of medium-strength ciphers. If the client requests an insecure cipher, then a malicious actor could decrypt traffic sent between the client and server API.

CVE-2023-2443 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Users of the affected software are encouraged to apply risk mitigations when possible and implement Rockwell Automation’s suggested security best practices to minimize risk of vulnerability exploitation.

Upgrade to v13.0.2.
Do not use the 3DES encryption algorithm.
Reference Recommended Security Guidelines from Rockwell Automation.
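The weakness in 3.2.1 and the mitigation above come down to one server-side setting: which cipher suites the TLS endpoint is willing to negotiate. The following is an added example, not ThinManager's or Rockwell Automation's code, showing a permissive OpenSSL cipher policy beside a hardened one that excludes 3DES, and a check that enumerates what each policy actually leaves enabled on the local OpenSSL build. The policy strings, marker list and function names are constructed for this illustration; the exact suites reported depend on the OpenSSL version Python is linked against.

```python
import ssl

# Cipher policies in OpenSSL cipher-list syntax (constructed for this example;
# they are not ThinManager's configuration strings).
# The permissive policy reflects the advisory's condition: medium-strength
# suites such as 3DES stay selectable if a client asks for them.
PERMISSIVE_POLICY = "ALL:!aNULL:!eNULL"
# The hardened policy follows the advisory's mitigation: 3DES (and the other
# weak families) are excluded explicitly, leaving only AEAD suites with
# forward secrecy.
HARDENED_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!3DES:!RC4:!MD5:!aNULL:!eNULL"

# Substrings that identify weak or medium-strength suites in OpenSSL names
# (assumed marker list; "DES-CBC3" is how OpenSSL names the 3DES suites).
WEAK_MARKERS = ("DES-CBC3", "3DES", "RC4", "MD5", "NULL", "EXP")


def build_server_context(policy: str) -> ssl.SSLContext:
    """Build a server-side TLS context restricted to the given cipher policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Refuse TLS 1.0/1.1 outright; the cipher list only governs 1.2 suites.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(policy)  # raises ssl.SSLError if no suite matches
    return ctx


def cipher_names(policy: str) -> list[str]:
    """Return the OpenSSL names of every suite the policy leaves enabled."""
    return [c["name"] for c in build_server_context(policy).get_ciphers()]


def weak_ciphers(policy: str) -> list[str]:
    """Return the enabled suites that rely on 3DES or other weak primitives."""
    return [n for n in cipher_names(policy) if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY),
                          ("hardened", HARDENED_POLICY)):
        enabled = cipher_names(policy)
        weak = weak_ciphers(policy)
        print(f"{label}: {len(enabled)} suites enabled, {len(weak)} weak")
        for name in weak:
            print(f"  weak suite still negotiable: {name}")
```

Running the script on a host whose OpenSSL still ships the 3DES suites will list DES-CBC3 entries under the permissive policy and none under the hardened one; the same `weak_ciphers` check can be pointed at whatever cipher string an appliance's management interface exposes, to confirm that "do not use 3DES" has actually taken effect rather than assuming it from a version number.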

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Rockwell Automation PanelView 800

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: PanelView 800
Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PanelView 800, a graphics terminal, are affected: 

PanelView 800-2711R-T4T: Versions 5.011 to 8.011
PanelView 800-2711R-T7T: Versions 5.011 to 8.011
PanelView 800-2711R-T10T: Versions 5.011 to 8.011

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to trigger a heap buffer overflow if the user has the email feature enabled in the project file that wolfSSL uses. This feature is disabled by default.

CVE-2020-36177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected product is vulnerable to an out-of-bounds read, which could allow an attacker to trigger a heap buffer overflow if the user has the email feature enabled in the project file that wolfSSL uses. This feature is disabled by default.

CVE-2019-16748 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Telecommunications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Users of the affected software are encouraged to apply the following risk mitigations, if possible:

Upgrade to V8.011, which has been patched to mitigate these issues.
Ensure the email feature is disabled (it is disabled by default).
For information on mitigating security risks on industrial automation control systems (IACS) networks, see the following:
System Security Design Guidelines Reference Manual publication, SECURE-RM001
Configure System Security Features User Manual, SECURE-UM001

Rockwell Automation encourages users to implement their suggested security best practices to minimize the risk of these vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.