1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Keysight Technologies
Equipment: N6854A Geolocation Sever
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges in the affected device’s default configuration, resulting in remote code execution or deleting system files and folders.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Keysight monitoring products are affected:

N6854A Geolocation Server versions 2.4.2 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1    DESERIALIZATION OF UNTRUSTED DATA CWE-502

N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected device’s default configuration and achieve remote code execution.

CVE-2023-1399 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Government
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous individual working with Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Keysight recommends upgrading the N6854A Geolocation server to version 2.4.3.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

1. EXECUTIVE SUMMARY

CVSS v3 5.5
ATTENTION: Low attack complexity 
Vendor: VISAM 
Equipment: VBASE 
Vulnerabilities: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information from the target device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

VISAM reports these vulnerabilities affect the following VBASE products:  

VBASE Automation Base: versions prior to 11.7.5 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-41696 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.2 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-43512 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.3 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-45121 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.4 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-45468 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.5 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-45876 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.6 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-46286 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.7 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file. 

CVE-2022-46300 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA. 

4. MITIGATIONS

VISAM recommends users update to VBASE 11.7.5 or later. The update can be performed via the VBASE Editor update dialog on machines with secure access to the internet.  Users of machines without internet access must manually update by submitting a request form to receive a download link. 

For more information, users should contact VISAM using the information provided on their contact page (German language). 

CISA recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. These vulnerabilities have low attack complexity. 

1. EXECUTIVE SUMMARY

CVSS v3 6.3
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: ABB 
Equipment: Pulsar Plus Controller  
Vulnerabilities: Use of Insufficiently Random Values, Cross-Site Request Forgery (CSRF) 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to take control of the product or execute arbitrary code.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ABB Pulsar Plus Controller, are affected: 

ABB Infinity DC Power Plant – H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415 
ABB Pulsar Plus System Controller – NE843_S – comcode 150042936 

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352 

There are several fields in the web pages where a user can enter arbitrary text, such as a description of an alarm or a rectifier. These represent a cross site scripting vulnerability where JavaScript code can be entered as the description with the potential of causing system interactions unknown to the user. These issues were remediated by adding a check of every field update to reject suspicious entries. 

CVE-2022-1607 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N). 

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330 

Every interaction with the web server requires a Session ID that is assigned to the session after a successful login. The reported vulnerability is that the Session IDs were too short (16 bits), too predictable (IDs simply incremented), and were plainly visible in the URLs of the web pages. These issues were remediated by rewriting the web server to follow recommended best practices.  

CVE-2022-26080 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater 
COUNTRIES/AREAS DEPLOYED:  Worldwide 
COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Vlad Ionescu of Facebook Red Team X reported these vulnerabilities to ABB. 

4. MITIGATIONS

ABB has an available update resolving a privately reported vulnerability in the product versions listed above. The update is version number 5.0.0 for the application and 5.0.0 for web pages. These updates have been distributed through the appropriate product support channels with affected users.  

ABB recommends users ensure the firewall protection is properly configured. 

A workaround suggested by ABB is to use the controller’s Read/Write Enable/Disable feature for a network port (NET1,WRE=0).  

The controller can disable all writes over the network port. The factory default is to have the write capability enabled. However, some users may not want settings to be remotely changed once systems are set. This feature, when set to “Disable”, will allow no changes to be accepted. Once set, it can only be changed locally through the front panel.  

Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors.  

For more information, see ABB Security Advisory.  

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities.  

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: SAUTER 
Equipment: EY-modulo 5 Building Automation Stations 
Vulnerabilities: Cross-site Scripting, Cleartext Transmission of Sensitive Information, and Unrestricted Upload of File with Dangerous Type 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to privilege escalation, unauthorized execution of actions, a denial-of-service condition, or retrieval of sensitive information. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

SAUTER reports these vulnerabilities affect the following EY-modulo 5 Building Automation Stations:  

EY-AS525F001 with moduWeb 

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79 

An unauthenticated remote attacker could provide a malicious link and trick an unsuspecting user into clicking on it. If clicked, the attacker could execute the malicious JavaScript (JS) payload in the target’s security context. 

CVE-2023-28650 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 CROSS-SITE SCRIPTING CWE-79 

A malicious user could leverage this vulnerability to escalate privileges or perform unauthorized actions in the context of the targeted privileged users. 

CVE-2023-28655 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 CROSS-SITE SCRIPTING CWE-79 

An unauthenticated remote attacker could force all authenticated users, such as administrative users, to perform unauthorized actions by viewing the logs. This action would also grant the attacker privilege escalation. 

CVE-2023-22300 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 

An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP credentials. 

CVE-2023-27927 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.5 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 

An authenticated malicious user could successfully upload a malicious image could lead to a denial-of-service condition. 

CVE-2023-28652 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Ithaca Labs of Odyssey Cyber Security reported this vulnerability to CISA. 

4. MITIGATIONS

According to SAUTER, the EY-modulo 5 Building Automation Stations product line does not support encryption on its communication protocols. As such, it is not appropriate for open networks.  

SAUTER recommends deactivating moduWeb when not in use as doing so closes the vulnerabilities related to the web server and the mail client service; users can upgrade to the latest generation modulo 6 with moduWeb Unity as the web server, which supports encrypted communication with TLS. 

SAUTER recommends users take all necessary measures to protect the integrity of building automation networks, restrict access to the devices, and leverage all appropriate means and policies to minimize risks. Users should evaluate and upgrade legacy systems to current solutions where necessary. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Schneider Electric 
Equipment: IGSS (Interactive Graphical SCADA System)  
Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity, Deserialization of Untrusted Data, Improper Limitation of a Pathname to a Restricted Directory, and Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in a denial-of-service condition, as well as the loss, addition, or modification of dashboards or report files in the IGSS Report folder. Successful exploitation of these vulnerabilities could also allow remote code execution, potentially resulting in loss of control of the supervisory control and data acquisition (SCADA) System with IGSS running in production mode.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports these vulnerabilities affect the following Data Server, Dashboard and Custom Reports modules for the IGSS (Interactive Graphical SCADA System) product:

IGSS Data Server (IGSSdataServer.exe): V16.0.0.23040 and prior 
IGSS Dashboard (DashBoard.exe): V16.0.0.23040 and prior 
Custom Reports (RMS16.dll): V16.0.0.23040 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 

A vulnerability in Schneider Electric Data Server TCP interface could allow the creation of a malicious report file in the IGSS project report directory, and this could lead to remote code execution when an unsuspecting user opens the malicious report.  

CVE-2023-27980 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A vulnerability in Schneider Electric Data Server could cause manipulation of dashboard files in the IGSS project report directory when an attacker sends specific crafted messages to the Data Server TCP port. This could lead to remote code execution if an unsuspecting user opens the malicious dashboard file. 

CVE-2023-27982 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 DESERIALIZATION OF UNTRUSTED DATA CWE-502 

A vulnerability in Schneider Electric Dashboard module could cause an interpretation of malicious payload data if a malicious file is opened by an unsuspecting user. This could lead to remote code execution. 

CVE-2023-27978 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY CWE-22 

A vulnerability in Schneider Electric Custom Reports could cause remote code execution if an unsuspecting user opens a malicious report. 

CVE-2023-27981 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 IMPROPER INPUT VALIDATION CWE-20 

A vulnerability in Schneider Electric Custom Reports could result in macro execution if a malicious report file is opened by an unsuspecting user, potentially leading to remote code execution. 

CVE-2023-27984 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.6 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A vulnerability in Schneider Electric Data Server could grant an unauthorized user access to delete files in the IGSS project report directory if specific crafted messages are sent to the Data Server TCP port. 

CVE-2023-27977 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.2.7 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A vulnerability in Schneider Electric Data Server could allow an unauthorized user to rename files in the IGSS project report directory. This could lead to a denial-of-service condition if an attacker sends specific crafted messages to the Data Server TCP port. 

CVE-2023-27979 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.2.8 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 

A vulnerability in Schneider Electric Data Server TCP interface could allow deletion of reports from the IGSS project report directory. 

CVE-2023-27983 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: France 

3.4 RESEARCHER

Kimiya, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to Schneider Electric. 

4. MITIGATIONS

Version 16.0.0.23041 of IGSS Data Server, Dashboard and Custom Reports (RMS) includes corrections and mitigations for these vulnerabilities and is available for download through IGSS Master > Update IGSS Software; the update is also available directly from Schneider Electric.  

Schneider Electric recommends that users use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends the use of back-ups and impact evaluating these patches in a test, development, or offline infrastructure environment. Users can contact Schneider Electric’s Customer Care Center for additional assistance. 

Additionally, if patching is not feasible, Schneider Electric recommends the following mitigations to reduce the risk of vulnerability exploitation: 

Read the Security Guideline for IGSS on securing an IGSS SCADA-installation. 
Ensure that the System Configuration module under Files, automatic backup is enabled for file backup. 
Strip report output from Excel output. In the System Configuration module under Reports, stripping of macros for the output engine can be enabled, reducing the risk of distributing an unsafe report. 
Verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access. 

Schneider Electric strongly recommends the following industry cybersecurity best practices. 

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. 
Install physical controls to help prevent unauthorized users from accessing industrial control and safety systems, components, peripheral equipment, and networks. 
Place all controllers in locked cabinets, and do not leave them in the “Program” mode. 
Only connect programming software to the network intended for that device. 
Scan all methods of mobile data exchange with the isolated network before use in the terminals or nodes connected to these networks. 
Properly sanitize mobile devices that have connected to another network before connecting to the intended network. 
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the internet. 
When remote access is required, use secure methods, such as virtual private networks (VPNs). 
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. 

For more information, see Schneider Electric security notification SEVD-2023-073-04. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity 
Vendor: CP Plus 
Equipment: KVMS Pro 
Vulnerability: Insufficiently Protected Credentials 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to retrieve sensitive credentials and control the entire CCTV system.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CP Plus KVMS Pro, a software management platform, are affected: 

 KVMS Pro V2.01.0.T.190521 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522  

CP Plus KVMS Pro versions 2.01.0.T.190521 and prior are vulnerable to sensitive credentials being leaked because they are insufficiently protected.   

CVE-2023-1518 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: India 

3.4 RESEARCHER

Harshit Shukla reported this vulnerability to CISA. 

4. MITIGATIONS

CP Plus has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact CP Plus customer support for additional information. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

This vulnerability is not exploitable remotely. No known public exploits specifically target this vulnerability. 

1. EXECUTIVE SUMMARY

CVSS v3 7.9
ATTENTION: Low attack complexity  
Vendor: RoboDK 
Equipment: RoboDK 
Vulnerability: Incorrect Permission Assignment for Critical Resource 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges, which could allow attackers to write files to the RoboDK directory and achieve code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of RoboDK, a programming and simulation software, are affected: 

RoboDK v5.5.3 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT OR CRITICAL RESOURCE CWE-732 

RoboDK versions 5.5.3 and prior contain an insecure permission assignment to critical directories vulnerability, which could allow a local user to escalate privileges and write files to the RoboDK process and achieve code execution.  

CVE-2023-1516 has been assigned to this vulnerability. A CVSS v3 base score of 7.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide  
COMPANY HEADQUARTERS LOCATION: Canada 

3.4 RESEARCHER

Noam Moshe of Claroty reported this vulnerability to CISA. 

4. MITIGATIONS

RoboDK has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact RoboDK support for additional information. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.