Posts Page - CloudCentric

JTEKT ELECTRONICS Kostac PLC Programming Software

Written by on April 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: JTEKT ELECTRONICS CORPORATION
Equipment: Kostac PLC Programming Software
Vulnerabilities: Out-of-bounds Read, Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of JTEKT ELECTRONICS Kostac PLC Programming Software are affected:

JTEKT ELECTRONICS Kostac PLC Programing Software: Versions 1.6.9.0 and earlier

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

When a specially crafted project file is opened, out-of-bounds read occurs when processing a comment block in stage information because the end of data cannot be verified.

CVE-2023-22419 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

When a specially crafted project file is opened, out-of-bounds read occurs because buffer size used by the PLC program instructions is insufficient.

CVE-2023-22421 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 USE AFTER FREE CWE-416

When the maximum number of columns to place the PLC program is out of specification by opening a specially crafted project file, a process accesses memory that has already been freed.

CVE-2023-22424 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to JPCERT/CC.

4. MITIGATIONS

JTEKT ELECTRONICS recommends users to download the following updates:

Version 1.6.10.0 and above

This version not only addresses the vulnerability, but also takes measures to prevent crafted project files from being opened. Project files saved with Version 1.6.9.0 or earlier can be re-saved with Version 1.6.10.0 or above to enable this tamper-proof feature. Project files saved with Version 1.6.10.0 or above cannot be opened with Version 1.6.9.0 or earlier.

For more information, see JTEKT ELECTRONICS’ Update Notice.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JTEKT ELECTRONICS Screen Creator Advance 2

Written by on April 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: JTEKT ELECTRONICS CORPORATION
Equipment: Screen Creator Advance 2
Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of JTEKT ELECTRONICS Screen Creator Advance 2, a software program, are affected:

JTEKT ELECTRONICS Screen Creator Advance 2: Ver0.1.1.4 Build01

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

When an out-of-specification error is detected, an out-of-bounds write may occur because there is no error handling process.

CVE-2023-22345 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read may occur when processing template information because the end of data cannot be verified.

CVE-2023-22346 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS READ CWE-125

An Out-of-bounds read may occur when processing file structure information because the end of data cannot be verified.

CVE-2023-22347 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read may occur when processing screen management information because the end of data cannot be verified.

CVE-2023-22349 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read may occur when processing parts management information because the end of data cannot be verified.

CVE-2023-22350 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read may occur when processing control management information because the end of data cannot be verified.

CVE-2023-22353 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 USE AFTER FREE CWE-416

When an error is detected, an out-of-bounds write may occur because there is no error handling process.

CVE-2023-22360 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to JPCERT/CC.

4. MITIGATIONS

JTEKT ELECTRONICS recommends users to download the following updates:

Ver.0.1.1.4 Build01A and above

For more information, see JTEKT ELECTRONICS’ Update Notice.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Korenix Jetwave

Written by on April 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Korenix
Equipment: Jetwave
Vulnerabilities: Command Injection, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the underlying operating system of the device or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Korenix Jetwave, are affected:

Korenix JetWave4221 HP-E versions V1.3.0 and prior
Korenix JetWave 3220/3420 V3 versions prior to V1.7
Korenix JetWave 2212G version V1.3.T
Korenix JetWave 2212X/2112S version V1.3.0
Korenix JetWave 2211C versions prior to V1.6
Korenix JetWave 2411/2111 versions prior to V1.5
Korenix JetWave 2411L/2111L versions prior to V1.6
Korenix JetWave 2414/2114 versions prior to V1.4
Korenix JetWave 2424 versions prior to V1.3
Korenix JetWave 2460 versions prior to V1.6

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection. An attacker could modify the file_name parameter to execute commands as root.

CVE-2023-23294 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection via /goform/formSysCmd. An attacker could modify the sysCmd parameter to execute commands as root.

CVE-2023-23295 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to a possible denial-of-service condition via /goform/formDefault. When logged in, a user could issue a POST request so that the underlying binary exits. The web-service then becomes unavailable and cannot be accessed until a user reboots the device.

CVE-2023-23296 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Thomas Weber of CyberDanube reported these vulnerabilities to Korenix.

4. MITIGATIONS

Korenix recommends all users update their JetWave products to the latest firmware:

Korenix JetWave 4221 HP-E V1.4.0
Korenix JetWave 2212G V1.10
Korenix JetWave 2212X V1.11/2112S V1.11
Korenix JetWave 2211C V1.6
Korenix JetWave 2411/2111 V1.5
Korenix JetWave 2411L/2111L V1.6
Korenix JetWave 2414/2114 V1.4
Korenix JetWave 2424 V1.3
Korenix JetWave 2460 V1.6
Korenix JetWave 3220 V3 V1.7/3420 V3 V1.7

According to Korenix, users should visit Korenix and navigate to the appropriate Korenix JetWave product page, found in the “Wireless” section on the site, and download the latest firmware.

For more information, see Korenix’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Industrial Control Links ScadaFlex II SCADA Controllers

Written by on April 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Industrial Control Links
Equipment: ScadaFlex II SCADA Controllers
Vulnerability: External Control of File Name or Path

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to overwrite, delete, or create files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Industrial Control Links ScadaFlex II SCADA Controllers are affected:

SW: 1.03.07 (build 317), WebLib: 1.24
SW: 1.02.20 (build 286), WebLib: 1.24
SW: 1.02.15 (build 286), WebLib: 1.22
SW: 1.02.01 (build 229), WebLib: 1.16
SW: 1.01.14 (build 172), WebLib: 1.14
SW: 1.01.01 (build 2149), WebLib: 1.13

3.2 VULNERABILITY OVERVIEW

3.2.1 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 devices, unauthenticated remote attackers can overwrite, delete, or create files. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability.

CVE-2022-25359 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: North America, South America
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

CISA discovered a public proof-of-concept (PoC) as authored by Gjoko Krstic of Zero Science Lab.

4. MITIGATIONS

Industrial Control Links has relayed that they are closing their business. This product may be considered end-of-life; continued supported for this product may be unavailable.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Hitachi Energy MicroSCADA System Data Manager SDM600

Written by on April 6, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: MicroSCADA System Data Manager SDM600
Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Improper Authorization, Improper Resource Shutdown or Release, Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s MicroSCADA SDM600, a data management tool, are affected:

SDM600: Versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291)
SDM600: Versions prior to v1.3.0 (Build Nr. 1.3.0.1339)

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A vulnerability exists in the affected SDM600 versions file permission validation. An attacker could exploit the vulnerability by gaining access to the system and uploading a specially crafted message to the system node, which could result in arbitrary code execution.

CVE-2022-3682 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER AUTHORIZATION CWE-285

A vulnerability exists in the affected SDM600 versions application programmable interface (API) web services authorization validation implementation. An attacker successfully exploiting the vulnerability could read sensitive data directly from an insufficiently protected or restricted data store.

CVE-2022-3683 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

3.2.3 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A vulnerability exists in an SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, causing the SDM600 web services to become busy, rendering the application unresponsive.

CVE-2022-3684 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 IMPROPER PRIVILEGE MANAGEMENT CWE-269

A vulnerability exists in the affected SDM600 versions software. The software operates at a privilege level higher than the minimum level required. An attacker successfully exploiting this vulnerability could escalate privileges.

CVE-2022-3685 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER AUTHORIZATION CWE-285

A vulnerability exists in the affected SDM600 versions API permission check mechanism. Successful exploitation could cause an unauthenticated user to gain access to device data, causing confidentiality and integrity issues.

CVE-2022-3686 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends applying the following mitigations:

All SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291): Update to v1.3.0.1339
SDM600 versions prior to v1.3.0 (Build Nr. 1.3.0.1339): Apply workaround detailed below.

Hitachi Energy recommends the following security practices and firewall configurations to help protect a process control network from attacks originating from outside the network:

Practice principles of least privileges to minimize permissions and accesses to SDM600 related resources.
Follow security practices defined in SDM600 security deployment guidelines.
Physically protect process control systems from unauthorized direct access.
Do not directly connect control systems networks to the internet.
Separate process control systems from other networks using a firewall system with a minimal number of open ports.
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
Portable computers and removable storage media should be carefully scanned for viruses prior connection to a control system.

For more information, see Hitachi security advisory 8DBD000138.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Nexx Smart Home Device

Written by on April 4, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Nexx
Equipment: Garage Door Controller, Smart Plug, Smart Alarm
Vulnerabilities: Use of Hard-coded Credentials, Authorization Bypass through User-controlled Key, Improper Input Validation, Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Nexx Smart Home devices are affected:

Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798
The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage doors or smart plugs for any customer.

CVE-2023-1748 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).

3.2.2 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639
The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute.

CVE-2023-1749 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.3 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639
The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could retrieve device history, set device settings, and retrieve device information.

CVE-2023-1750 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

3.2.4 IMPROPER INPUT VALIDATION CWE-20
The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which leak a deviceId.

CVE-2023-1751 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER AUTHENTICATION CWE-287
The listed versions of Nexx Smart Home devices could allow any user to register an already registered alarm or associated device with only the device’s MAC address.

CVE-2023-1752 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sam Sabetan reported these vulnerabilities to CISA.

4. MITIGATIONS

Nexx has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Nexx support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Hitachi Energy IEC 61850 MMS-Server

Written by on March 30, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Hitachi Energy
Equipment: IEC 61850 MMS-Server
Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause products using the IEC 61850 MMS-server communication stack to stop accepting new MMS-client connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions Hitachi Energy equipment using the IEC 61850 communication stack are affected:

TXpert Hub CoreTec 4 version 2.0.x
TXpert Hub CoreTec 4 version 2.1.x
TXpert Hub CoreTec 4 version 2.2.x
TXpert Hub CoreTec 4 version 2.3.x
TXpert Hub CoreTec 4 version 2.4.x
TXpert Hub CoreTec 4 version 3.0.x
TXpert Hub CoreTec 5 version 3.0.x
Tego1_r15b08 (FOX615 System Release R15B)
Tego1_r2a16_03 (FOX615 System Release R14A)
Tego1_r2a16
Tego1_r1e01
Tego1_r1d02
Tego1_r1c07
Tego1_r1b02
GMS600 version 1.3
Relion 670 1.2 (Limited)
Relion 670 2.0 (Limited)
Relion 650 version 1.1 (Limited)
Relion 650 version 1.3 (Limited)
Relion 650 version 2.1 (Classic)
Relion 670 version 2.1 (Classic)
Relion SAM600-IO 2.2.1
Relion SAM600-IO 2.2.5
Relion 670/650 version 2.2.0
Relion 670/650 version 2.2.1
Relion 670/650 version 2.2.2
Relion 670/650 version 2.2.3
Relion 670/650 version 2.2.4
Relion 670/650 version 2.2.5
ITT600 SA Explorer version 1.1.0
ITT600 SA Explorer version 1.1.1
ITT600 SA Explorer version 1.1.2
ITT600 SA Explorer version 1.5.0
ITT600 SA Explorer version 1.5.1
ITT600 SA Explorer version 1.6.0
ITT600 SA Explorer version 1.6.0.1
ITT600 SA Explorer version 1.7.0
ITT600 SA Explorer version 1.7.2
ITT600 SA Explorer version 1.8.0
ITT600 SA Explorer version 2.0.1
ITT600 SA Explorer version 2.0.2
ITT600 SA Explorer version 2.0.3
ITT600 SA Explorer version 2.0.4.1
ITT600 SA Explorer version 2.0.5.0
ITT600 SA Explorer version 2.0.5.4
ITT600 SA Explorer version 2.1.0.4
ITT600 SA Explorer version 2.1.0.5
MSM version 2.2.3 and prior
PWC600 version 1.0
PWC600 version 1.1
PWC600 version 1.2
REB500 all V8.x versions
REB500 all V7.x versions
RTU500 series CMU Firmware version 12.0.1 to 12.0.14
RTU500 series CMU Firmware version 12.2.1 to 12.2.11
RTU500 series CMU Firmware version 12.4.1 to 12.4.11
RTU500 series CMU Firmware version 12.6.1 to 12.6.8
RTU500 series CMU Firmware version 12.7.1 to 12.7.4
RTU500 series CMU Firmware version 13.2.1 to 13.2.5
RTU500 series CMU Firmware version 13.3.1 to 13.3.3
RTU500 series CMU Firmware version 13.4.1
SYS600 version 10.1 to 10.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404
An attacker could exploit the IEC 61850 MMS-Server communication stack by forcing the communication stack to stop accepting new MMS-client connections.

CVE-2022-3353 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy provided updates for the following products. Contact Hitachi Energy for update information.

MSM Server update to version 2.2.5
tego1_r15b08 (FOX615 System Release R15B) update to tego1_r16a11 (FOX615 System Release R16A)
REB500 all V8.x versions update to REB500 firmware to version 8.3.3.0 when released.
RTU500 series CMU Firmware version 12.0.1 to 12.0.14 Update to CMU Firmware version 12.0.15
RTU500 series CMU Firmware version 12.2.1 to 12.2.11 Update to CMU Firmware version 12.2.12
RTU500 series CMU Firmware version 12.4.1 to 12.4.11 Update to CMU Firmware version 12.4.12
RTU500 series CMU Firmware version 12.6.1 to 12.6.8 Update to CMU Firmware version 12.6.9
RTU500 series CMU Firmware version 12.7.1 to 12.7.4 Update to CMU Firmware version 12.7.5
RTU500 series CMU Firmware version 13.2.1 to 13.2.5 Update to CMU Firmware version 13.2.6
RTU500 series CMU Firmware version 13.3.1 to 13.3.3 Update to CMU Firmware version 13.3.4
RTU500 series CMU Firmware version 13.4.1 Update to CMU Firmware version 13.4.2
SYS600 version 10.1 to 10.3.1 update to SYS600 version 10.4.1

For all versions, Hitachi Energy recommends that users apply these general mitigation factors:

Upgrade the system once a remediated version is available.
Apply Hitachi Energy recommended security practices and firewall configurations to help protect a process control network from attacks that originate from outside the network. Such practices include:
Physically protecting process control systems from direct access by unauthorized personnel.
Not allowing direct connections to the internet.
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.

Use a firewall system that has a minimal number of exposed ports to separate the process control network from other networks.
Connection to other networks must be evaluated as necessary.

Scan portable computers and removable storage media carefully for viruses before connection to a control system.

MSM is not designed nor intended to be connected to the internet. Disconnect the device from any internet facing network.
Adopt user access management and updated antivirus protection engines equipped with the latest signature rules for computers that have installed and are operating the MMS Client application.
Use the default operating system (OS) user access management function to limit unauthorized access and/or rogue commands via the MMS Client application.

For more information, see the Hitachi Energy advisories for the corresponding affected products:

8DBD000124 TXpert Hub CoreTec 4 and 5 Products
8DBD000132 RTU500 series
8DBD000127 Relion 670, 650 series, and SAM600-IO
8DBD000131 REB500 series
8DBD000130 PWC600
8DBD000129 MSM
8DBD000133 MicroSCADA X SYS600
8DBD000128 ITT600 SA Explorer
8DBD000126 GMS600
8DBD000125 FOX61x TEGO1

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.

Rockwell Automation ThinManager

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: ThinManager ThinServer
Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software, are affected:

ThinManager ThinServer: Versions 6.x – 10.x
ThinManager ThinServer: Versions 11.0.0 – 11.0.5
ThinManager ThinServer: Versions 11.1.0 – 11.1.5
ThinManager ThinServer: Versions 11.2.0 – 11.2.6
ThinManager ThinServer: Versions 12.0.0 – 12.0.4
ThinManager ThinServer: Versions 12.1.0 – 12.1.5
ThinManager ThinServer: Versions 13.0.0 – 13.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.

CVE-2023-27855 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In affected versions, a path traversal exists when processing a type 8 message. An unauthenticated remote attacker could exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE-2023-27856 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present. An unauthenticated remote attacker could exploit this vulnerability to crash ThinServer.exe due to a read access violation.

CVE-2023-27857 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tenable Network Security reported these vulnerabilities to Rockwell Automation

4. MITIGATIONS

Rockwell Automation encourages users to implement the risk mitigations provided below. Users should also combine these mitigations with the general security guidelines, if possible.

Rockwell Automation has released the following updates for the affected versions:

Versions 6.x – 10.x: These versions are retired. Users should update to a supported version.
Versions 11.0.0 – 11.0.5: Update to v11.0.6
Versions 11.1.0 – 11.1.5: Update to v11.1.6
Versions 11.2.0 – 11.2.6: Update to v11.2.7
Versions 12.0.0 – 12.0.4: Update to v12.0.5
Versions 12.1.0 – 12.1.5: Update to v12.1.6
Versions 13.0.0 – 13.0.1: Update to v13.0.2

If users are unable to update to the patched version, the following mitigations should be put in place to reduce exploitation of this vulnerability:

Limit remote access of port 2031/TCP to known thin clients and ThinManager servers.

For additional security best practices, see Rockwell Automation’s Knowledgebase article, QA43240 Security Best Practices.

For more information, see Rockwell Automation’s Security Advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Delta Electronics InfraSuite Device Master

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: InfraSuite Device Master
Vulnerabilities: Deserialization of Untrusted Data, Improper Access Control, Exposed Dangerous Method or Function, Path Traversal, Improper Authentication, Command Injection, Incorrect Permission Assignment for Critical Resource, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of InfraSuite Device Master, a real-time device monitoring software, are affected:

Versions prior to 1.0.5

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/ UDP by default. The service accepts the unverified UDP packets and deserializes the content, which could allow an unauthenticated attacker to remotely execute arbitrary code.

CVE-2023-1133 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-gateway service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1139 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.

CVE-2023-1145 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain an improper access control vulnerability, which could allow an attacker to retrieve Gateway configuration files to obtain plaintext credentials.

CVE-2023-1138 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.

CVE-2023-1144 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6 IMPROPER ACCESS CONTROL CWE-284

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which a low-level user could extract files and plaintext credentials of administrator users, resulting in privilege escalation.

CVE-2023-1137 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.7 EXPOSED DANGEROUS METHOD OR FUNCTION CWE-749

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.

CVE-2023-1143 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges.

CVE-2023-1134 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

3.2.9 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.

CVE-2023-1142 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.10 IMPROPER AUTHENTICATION CWE-287

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an unauthenticated attacker could generate a valid token, which would lead to authentication bypass.

CVE-2023-1136 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.11 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a command injection vulnerability that could allow an attacker to inject arbitrary commands, which could result in remote code execution.

CVE-2023-1141 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.12 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could set incorrect directory permissions, which could result in local privilege escalation.

CVE-2023-1135 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.13 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability that could allow an attacker to achieve unauthenticated remote code execution in the context of an administrator.

CVE-2023-1140 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Piotr Bazydlo (@chudypd) of Trend Micro and Anonymous working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users uninstall old versions of InfraSuite Device Master and reinstall the updated version 1.0.5 using the installer.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploits specifically target these vulnerabilities.

ProPump and Controls Osprey Pump Controller

Written by Admin @CloudCentric on March 27, 2023. Posted in CISA-Published Industrial Control System Vulnerabilities.

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: ProPump and Controls, Inc.
Equipment: Osprey Pump Controller
Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of Hard-coded Password, OS Command Injection, Cross-site Scripting, Authentication Bypass using an Alternate Path or Channel, Cross-Site Request Forgery, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, retrieve sensitive information, modify data, cause a denial-of-service, and/or gain administrative control.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Osprey Pump Controller, pumping systems, and automated controls is affected:

Osprey Pump Controller version 1.01

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT ENTROPY CWE-331

Osprey Pump Controller version 1.01 is vulnerable to a predictable weak session token generation algorithm and could aid in authentication and authorization bypass. This could allow a cyber threat actor to hijack a session by predicting the session id and gain unauthorized access to the product.

CVE-2023-28395 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

3.2.2 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated file disclosure. Cyber threat actors could use a GET parameter to force the affected device to disclose arbitrary files and sensitive system information.

CVE-2023-28375 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 USE OF HARD-CODED PASSWORD CWE-259

Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The account is not visible in the Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device.

CVE-2023-28654 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. Threat actors could exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP POST parameter called by index.php script.

CVE-2023-27886 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. Threat actors could exploit this vulnerability to inject and execute arbitrary shell commands through a HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.

CVE-2023-27394 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Osprey Pump Controller version 1.01 inputs passed to a GET parameter are not properly sanitized before being returned to the user. Threat actors could exploit this vulnerability to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site.

CVE-2023-28648 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.7 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

Osprey Pump Controller version 1.01 could allow an unauthenticated user to create an account and bypass authentication, thereby gaining unauthorized access to the system. A threat actor could exploit this vulnerability to create a user account without providing valid credentials. A threat actor who successfully exploits this vulnerability could gain access to the pump controller and cause disruption in operation, modify data, or shut down the controller.

CVE-2023-28398 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.8 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Osprey Pump Controller version 1.01 allows users to perform certain actions via HTTP requests without performing any checks to verify the requests. This could allow an unauthorized user to perform certain actions with administrative privileges if a logged-in user visits a malicious website.

CVE-2023-28718 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.9 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions.

CVE-2023-28712 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Gjoko Krstic of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

ProPump and Controls has not responded to requests to work with CISA to mitigate the reported vulnerabilities. Users of the affected product are encouraged to contact ProPump and Controls representative.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.