
Siemens JT Open and JT Utilities

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity 
Vendor: Siemens  
Equipment: JT Open and JT Utilities 
Vulnerability: Out-of-bounds Read 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens software is affected: 

JT Open: All versions prior to V11.3.2.0 
JT Utilities: All versions prior to V13.3.0.0 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125 

The affected applications contain an out-of-bounds read vulnerability past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. 

CVE-2023-29053 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Do not open untrusted files using JT Open Toolkit or JT Utilities. 
JT Utilities: Update to V13.3.0.0 or a later version. 
JT Open: Update to V11.3.2.0 or a later version. 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals. 

Additional information regarding Siemens Industrial Security can be found here

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-642810 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

Siemens Adaptec maxView Application

1. EXECUTIVE SUMMARY

CVSS v3 6.2
ATTENTION: Low attack complexity  
Vendor: Siemens
Equipment: Adaptec maxView Application
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to decrypt intercepted local traffic between the browser and the application. A local attacker could perform a machine-in-the-middle attack to modify data in transit. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SIMATIC IPC1047: All versions  
SIMATIC IPC1047E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 
SIMATIC IPC647D: All versions 
SIMATIC IPC647E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 
SIMATIC IPC847D: All versions 
SIMATIC IPC847E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows 

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 

The Adaptec maxView application uses a non-unique TLS certificate across installations to protect communication from the local browser to the local application on affected Siemens devices. Because the same certificate and private key are present in every installation, a local attacker could use that private key to decrypt intercepted local traffic between the browser and the application and could perform a machine-in-the-middle attack to modify data in transit. 

CVE-2023-23588 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported this vulnerability to CISA. 

4. MITIGATIONS

Adaptec has released updates for the affected products and recommends updating to the latest versions: 

Update maxView Storage Manager to 4.09.00.25611 or a later version. 

For products where updates are not, or not yet, available, Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Update the default self-signed device X.509 certificate with a trusted certificate. 

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals.  

Additional information on industrial security by Siemens can be found here

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT

For more information, see the associated Siemens security advisory SSA-511182 in HTML and CSAF

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. 

FANUC ROBOGUIDE-HandlingPRO

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely 
Vendor: FANUC 
Equipment: ROBOGUIDE-HandlingPRO 
Vulnerability: Path Traversal 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ROBOGUIDE-HandlingPRO, robot simulation software, are affected: 

ROBOGUIDE-HandlingPRO: Versions 9 Rev.ZD and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22 

FANUC ROBOGUIDE-HandlingPRO Versions 9 Rev.ZD and prior are vulnerable to path traversal, which could allow an attacker to remotely read files on the system running the affected software. 

CVE-2023-1864 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Japan 

3.4 RESEARCHER

Yenting Lee of TXOne Networks reported this vulnerability to CISA. 

4. MITIGATIONS

FANUC recommends users update to the latest version. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability has high attack complexity. 

mySCADA myPRO

1. EXECUTIVE SUMMARY

CVSS v3 9.9 
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: mySCADA Technologies 
Equipment: mySCADA myPRO 
Vulnerabilities: OS Command Injection 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of myPRO HMI/SCADA systems are affected: 

myPRO: versions 8.26.0 and prior 

3.2 VULNERABILITY OVERVIEW

3.2.1 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters that an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28400 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.2 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters that an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28716 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.3 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters that an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-28384 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.4 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters that an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-29169 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.5 OS COMMAND INJECTION CWE-78 

mySCADA myPRO versions 8.26.0 and prior have parameters that an authenticated user could exploit to inject arbitrary operating system commands. 

CVE-2023-29150 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Czech Republic 

3.4 RESEARCHER

Michael Heinzl publicly disclosed these vulnerabilities on the internet. 

4. MITIGATIONS

mySCADA recommends users upgrade to version 8.29.0 or higher. For more information, contact mySCADA technical support. mySCADA will also send security advice by email to all registered users. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Ensure the least-privilege user principle is followed. 
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

Known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely and have low attack complexity. 

JTEKT ELECTRONICS Kostac PLC Programming Software

1. EXECUTIVE SUMMARY

CVSS v3 7.8 
ATTENTION: Low attack complexity  
Vendor: JTEKT ELECTRONICS CORPORATION 
Equipment: Kostac PLC Programming Software 
Vulnerabilities: Out-of-bounds Read, Use After Free 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of JTEKT ELECTRONICS Kostac PLC Programming Software are affected: 

JTEKT ELECTRONICS Kostac PLC Programming Software: Versions 1.6.9.0 and earlier 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125 

When a specially crafted project file is opened, an out-of-bounds read occurs while processing a comment block in the stage information, because the end of the data is not verified. 

CVE-2023-22419 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

When a specially crafted project file is opened, an out-of-bounds read occurs because the buffer allocated for the PLC program instructions is too small for the data read into it. 

CVE-2023-22421 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 USE AFTER FREE CWE-416 

When a specially crafted project file is opened in which the number of columns used to place the PLC program exceeds the specification, the process accesses memory that has already been freed. 

CVE-2023-22424 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide  
COMPANY HEADQUARTERS LOCATION: Japan  

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to JPCERT/CC. 

4. MITIGATIONS

JTEKT ELECTRONICS recommends users download the following update: 

Version 1.6.10.0 and above 

This version not only addresses the vulnerabilities but also takes measures to prevent crafted project files from being opened. Project files saved with Version 1.6.9.0 or earlier can be re-saved with Version 1.6.10.0 or above to enable this tamper-proof feature. Project files saved with Version 1.6.10.0 or above cannot be opened with Version 1.6.9.0 or earlier. 

For more information, see JTEKT ELECTRONICS’ Update Notice

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.  

JTEKT ELECTRONICS Screen Creator Advance 2

1. EXECUTIVE SUMMARY

CVSS v3 7.8 
ATTENTION: Low attack complexity  
Vendor: JTEKT ELECTRONICS CORPORATION 
Equipment: Screen Creator Advance 2 
Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Use After Free 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of JTEKT ELECTRONICS Screen Creator Advance 2, a software program, are affected: 

JTEKT ELECTRONICS Screen Creator Advance 2: Ver0.1.1.4 Build01 

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787 

When an out-of-specification error is detected, an out-of-bounds write may occur because there is no error handling process.

CVE-2023-22345 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.2 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing template information because the end of data cannot be verified. 

CVE-2023-22346 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.3 OUT-OF-BOUNDS READ CWE-125 

An Out-of-bounds read may occur when processing file structure information because the end of data cannot be verified. 

CVE-2023-22347 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.4 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing screen management information because the end of data cannot be verified. 

CVE-2023-22349 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.5 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing parts management information because the end of data cannot be verified. 

CVE-2023-22350 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.6 OUT-OF-BOUNDS READ CWE-125 

An out-of-bounds read may occur when processing control management information because the end of data cannot be verified. 

CVE-2023-22353 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

3.2.7 USE AFTER FREE CWE-416 

When an error is detected, a use-after-free may occur because there is no error handling process. 

CVE-2023-22360 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 
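The out-of-bounds reads listed above for Screen Creator Advance 2, the two Kostac reads (CVE-2023-22419 and CVE-2023-22421) and the JT file read (CVE-2023-29053) share one root cause: a length field inside the file is trusted without checking it against the bytes actually remaining. The following C program is an added example, not code from JTEKT ELECTRONICS or Siemens; its record layout is a constructed toy format, not any real project-file format. It shows the vulnerable pattern next to a parser in which every read is bounded by the remaining data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy project-file layout used only for this example (an assumption,
 * not the real JT, Kostac or Screen Creator Advance 2 formats):
 *   u16 little-endian record_count
 *   record_count times: u16 little-endian comment_len, then comment_len bytes
 */

typedef struct { const uint8_t *p; size_t left; } cursor_t;

/* The "end of data" check the advisories describe as missing: hand out n bytes
 * only if n bytes actually remain in the buffer. */
static int take(cursor_t *c, size_t n, const uint8_t **out) {
    if (n > c->left) return 0;
    *out = c->p;
    c->p += n;
    c->left -= n;
    return 1;
}

static int take_u16(cursor_t *c, uint16_t *v) {
    const uint8_t *b;
    if (!take(c, 2, &b)) return 0;
    *v = (uint16_t)(b[0] | (b[1] << 8));
    return 1;
}

/* Vulnerable pattern (CWE-125): every length field is trusted, so a file whose
 * comment_len exceeds the bytes that follow makes memcpy read past the end of
 * buf. Kept for contrast only; main() runs it on the well-formed sample. */
size_t parse_unchecked(const uint8_t *buf, char *out, size_t out_sz) {
    const uint8_t *p = buf;
    uint16_t count = (uint16_t)(p[0] | (p[1] << 8));
    size_t used = 0;
    p += 2;
    for (uint16_t i = 0; i < count; i++) {
        uint16_t n = (uint16_t)(p[0] | (p[1] << 8));   /* never compared with the bytes left */
        p += 2;
        if (used + n < out_sz) { memcpy(out + used, p, n); used += n; }
        p += n;
    }
    out[used] = '\0';
    return count;
}

/* Hardened parser: returns the record count, or -1 if any length field would run
 * past the end of data or the copied comments would not fit in out. */
int parse_checked(const uint8_t *buf, size_t len, char *out, size_t out_sz) {
    cursor_t c = { buf, len };
    const uint8_t *data;
    uint16_t count, n;
    size_t used = 0;
    if (!take_u16(&c, &count)) return -1;
    for (uint16_t i = 0; i < count; i++) {
        if (!take_u16(&c, &n)) return -1;        /* truncated length field */
        if (!take(&c, n, &data)) return -1;       /* comment_len > bytes left */
        if (used + n + 1 > out_sz) return -1;     /* would overflow out */
        memcpy(out + used, data, n);
        used += n;
    }
    out[used] = '\0';
    return count;
}

/* Constructed sample files. */
static const uint8_t good_file[] = {
    0x02, 0x00,                  /* two records */
    0x03, 0x00, 'a', 'b', 'c',   /* comment "abc" */
    0x02, 0x00, 'd', 'e'         /* comment "de" */
};
static const uint8_t oversize_len[] = { 0x01, 0x00, 0xff, 0xff, 'x', 'y', 'z' }; /* claims 65535 bytes, has 3 */
static const uint8_t short_file[]   = { 0x02, 0x00, 0x01, 0x00, 'q' };           /* claims 2 records, has 1 */

int good_count(void)        { char o[64]; return parse_checked(good_file, sizeof good_file, o, sizeof o); }
const char *good_text(void) { static char o[64]; parse_checked(good_file, sizeof good_file, o, sizeof o); return o; }
int oversize_count(void)    { char o[64]; return parse_checked(oversize_len, sizeof oversize_len, o, sizeof o); }
int short_count(void)       { char o[64]; return parse_checked(short_file, sizeof short_file, o, sizeof o); }

int main(void) {
    char o[64];
    printf("unchecked, good file: %zu records \"%s\"\n", parse_unchecked(good_file, o, sizeof o), o);
    printf("checked,   good file: %d records \"%s\"\n", good_count(), good_text());
    printf("checked,   oversize length: %d (rejected)\n", oversize_count());
    printf("checked,   truncated file:  %d (rejected)\n", short_count());
    return 0;
}
```

The hardened parser rejects the crafted file (a 65535-byte comment length with three bytes following) and the truncated file before any memcpy runs. The same bounded-cursor pattern extends to nested structures by giving each sub-block its own cursor limited to the block's declared size, which must itself be checked against the parent cursor first.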

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Japan 

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to JPCERT/CC. 

4. MITIGATIONS

JTEKT ELECTRONICS recommends users download the following update: 

Ver.0.1.1.4 Build01A and above 

For more information, see JTEKT ELECTRONICS’ Update Notice

CISA recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. 

Korenix Jetwave

1. EXECUTIVE SUMMARY

CVSS v3 8.8 
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Korenix 
Equipment: Jetwave 
Vulnerabilities: Command Injection, Uncontrolled Resource Consumption 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the underlying operating system of the device or cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Korenix JetWave are affected: 

Korenix JetWave4221 HP-E versions V1.3.0 and prior 
Korenix JetWave 3220/3420 V3 versions prior to V1.7 
Korenix JetWave 2212G version V1.3.T 
Korenix JetWave 2212X/2112S version V1.3.0 
Korenix JetWave 2211C versions prior to V1.6 
Korenix JetWave 2411/2111 versions prior to V1.5 
Korenix JetWave 2411L/2111L versions prior to V1.6 
Korenix JetWave 2414/2114 versions prior to V1.4 
Korenix JetWave 2424 versions prior to V1.3 
Korenix JetWave 2460 versions prior to V1.6 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection. An attacker could modify the file_name parameter to execute commands as root.

CVE-2023-23294 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection via /goform/formSysCmd. An attacker could modify the sysCmd parameter to execute commands as root. 

CVE-2023-23295 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 
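Both Korenix command injections above, and the myPRO parameters described in the mySCADA advisory, are the same class of bug: a request parameter reaches a shell. The C program below is an added example, not Korenix's or mySCADA's code. The handler, the /bin/ping path and the decision to allow only "ping <host>" are assumptions made for the example; the real sysCmd command set is not documented on this page. It contrasts the vulnerable shell-out with a handler that maps the request onto a fixed argv and runs it with execv, so no shell ever parses the input.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 253

/* Vulnerable pattern (CWE-77/78): the request parameter is pasted into a shell
 * command line. A sysCmd value of "ping 127.0.0.1; cat /etc/shadow" runs both
 * commands with the web server's privileges (root on the affected devices).
 * Shown for contrast only; nothing in this file calls it. */
void handle_syscmd_vulnerable(const char *sysCmd) {
    char line[512];
    snprintf(line, sizeof line, "%s > /tmp/sysCmd.out 2>&1", sysCmd);
    system(line);
}

typedef struct {
    char host[HOST_MAX + 1];
    const char *argv[5];     /* fixed argv handed to execv: no shell involved */
} syscmd_t;

/* Hostname/IP characters only, 1..253 long, and no leading '-' so the value
 * cannot be parsed as an option by the child process. */
static int valid_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > HOST_MAX || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (!(isalnum(ch) || ch == '.' || ch == '-' || ch == ':')) return 0;
    }
    return 1;
}

/* Hardened handler core. Only "ping <host>" is accepted (an allowlist chosen for
 * this example, not the device's real command set); everything else, including
 * any shell metacharacter, is rejected. Returns 0 and fills *out, or -1. */
int build_argv(const char *sysCmd, syscmd_t *out) {
    const char *verb = "ping ";
    size_t vlen = strlen(verb);
    if (strncmp(sysCmd, verb, vlen) != 0) return -1;
    const char *host = sysCmd + vlen;
    if (!valid_host(host)) return -1;          /* rejects ';', '|', '$', '`', ' ', ... */
    memcpy(out->host, host, strlen(host) + 1);
    out->argv[0] = "/bin/ping";
    out->argv[1] = "-c";
    out->argv[2] = "1";
    out->argv[3] = out->host;
    out->argv[4] = NULL;
    return 0;
}

/* Runs a fixed argv without a shell; returns the child's exit status or -1. */
int run_argv(const char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], (char *const *)argv); _exit(127); }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Convenience wrappers: is the request allowed, and which host would be used. */
int syscmd_allowed(const char *sysCmd) { syscmd_t r; return build_argv(sysCmd, &r) == 0; }
const char *syscmd_target(const char *sysCmd) {
    static syscmd_t r;
    return build_argv(sysCmd, &r) == 0 ? r.host : "";
}

int main(void) {
    const char *samples[] = {
        "ping 192.168.10.1",
        "ping 127.0.0.1; cat /etc/shadow",
        "ping $(id)",
        "ping -f",
        "reboot",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i], syscmd_allowed(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

The same rule applies to the file_name parameter in CVE-2023-23294: validate it against a strict character set and pass it as a single argv element or open it directly, rather than composing a command string. A blocklist of metacharacters is not a substitute; the allowlist rejects anything it does not positively recognise.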

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to a possible denial-of-service condition via /goform/formDefault. When logged in, a user could issue a POST request so that the underlying binary exits. The web-service then becomes unavailable and cannot be accessed until a user reboots the device. 

CVE-2023-23296 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Taiwan 

3.4 RESEARCHER

Thomas Weber of CyberDanube reported these vulnerabilities to Korenix. 

4. MITIGATIONS

Korenix recommends all users update their JetWave products to the latest firmware: 

Korenix JetWave 4221 HP-E V1.4.0 
Korenix JetWave 2212G V1.10 
Korenix JetWave 2212X V1.11/2112S V1.11 
Korenix JetWave 2211C V1.6 
Korenix JetWave 2411/2111 V1.5 
Korenix JetWave 2411L/2111L V1.6 
Korenix JetWave 2414/2114 V1.4 
Korenix JetWave 2424 V1.3 
Korenix JetWave 2460 V1.6 
Korenix JetWave 3220 V3 V1.7/3420 V3 V1.7 

According to Korenix, users should visit Korenix and navigate to the appropriate Korenix JetWave product page, found in the “Wireless” section on the site, and download the latest firmware. 

For more information, see Korenix’s Security Advisory

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.  

Industrial Control Links ScadaFlex II SCADA Controllers

1. EXECUTIVE SUMMARY

CVSS v3 9.1 
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available 
Vendor: Industrial Control Links 
Equipment: ScadaFlex II SCADA Controllers 
Vulnerability:  External Control of File Name or Path 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to overwrite, delete, or create files. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Industrial Control Links ScadaFlex II SCADA Controllers are affected: 

SW: 1.03.07 (build 317), WebLib: 1.24 
SW: 1.02.20 (build 286), WebLib: 1.24 
SW: 1.02.15 (build 286), WebLib: 1.22 
SW: 1.02.01 (build 229), WebLib: 1.16 
SW: 1.01.14 (build 172), WebLib: 1.14 
SW: 1.01.01 (build 2149), WebLib: 1.13 

3.2 VULNERABILITY OVERVIEW

3.2.1 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73 

On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 devices, unauthenticated remote attackers can overwrite, delete, or create files. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability. 
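The ScadaFlex II file operations described above and the ROBOGUIDE-HandlingPRO path traversal (CVE-2023-1864) both come from a user-controlled file name being joined onto a server-side path. The C function below is an added example, not code from Industrial Control Links or FANUC; the base directory /opt/hmi/files is an assumption. It resolves the name lexically, so it works for files that do not exist yet (the create case), and refuses anything that would leave the base directory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024

/* Lexically resolves user_path beneath base without touching the filesystem, so
 * it also covers files that do not exist yet (create/overwrite). Rejects absolute
 * paths, drive letters and any ".." that would climb above base; '\\' is treated
 * like '/' because the affected FANUC software runs on Windows. Run it on the
 * fully URL-decoded value, once. Returns 0 and writes the joined path to out,
 * or -1 if the path is rejected. */
int resolve_under_base(const char *base, const char *user_path, char *out, size_t out_sz) {
    char copy[PATH_BUF];
    const char *seg[PATH_BUF / 2];
    size_t n = strlen(user_path), depth = 0, used;

    if (n == 0 || n >= sizeof copy) return -1;
    if (user_path[0] == '/' || user_path[0] == '\\') return -1;                 /* absolute */
    if (isalpha((unsigned char)user_path[0]) && user_path[1] == ':') return -1; /* C:\... */
    memcpy(copy, user_path, n + 1);
    for (char *q = copy; *q; q++) if (*q == '\\') *q = '/';

    /* Walk the segments with a stack, so ".." can only pop what the user added. */
    for (char *tok = strtok(copy, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return -1;   /* would escape base */
            depth--;
            continue;
        }
        seg[depth++] = tok;
    }
    if (depth == 0) return -1;           /* resolves to base itself, not a file */

    used = strlen(base);
    if (used >= out_sz) return -1;
    memcpy(out, base, used);
    for (size_t i = 0; i < depth; i++) {
        size_t l = strlen(seg[i]);
        if (used + 1 + l + 1 > out_sz) return -1;
        out[used++] = '/';
        memcpy(out + used, seg[i], l);
        used += l;
    }
    out[used] = '\0';
    return 0;
}

/* Assumed storage root for this example. */
static const char BASE[] = "/opt/hmi/files";

/* Returns the resolved path, or NULL when the request must be refused. */
const char *safe_path(const char *user_path) {
    static char out[PATH_BUF + sizeof BASE];
    return resolve_under_base(BASE, user_path, out, sizeof out) == 0 ? out : NULL;
}

int main(void) {
    const char *samples[] = {
        "cell1/layout.bin", "a/./b/../c.txt", "../../etc/passwd",
        "..\\..\\Windows\\win.ini", "/etc/passwd", "C:\\Windows\\win.ini", "a/../../x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = safe_path(samples[i]);
        printf("%-28s -> %s\n", samples[i], r ? r : "REJECTED");
    }
    return 0;
}
```

For files that already exist, resolving with realpath() and checking the prefix additionally defends against symbolic links placed inside the base directory, which a purely lexical check cannot see.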

CVE-2022-25359 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: North America, South America 
COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

CISA discovered a public proof-of-concept (PoC) authored by Gjoko Krstic of Zero Science Lab.

4. MITIGATIONS

Industrial Control Links has relayed that they are closing their business. This product may be considered end-of-life; continued support for this product may be unavailable.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Hitachi Energy MicroSCADA System Data Manager SDM600

1. EXECUTIVE SUMMARY

CVSS v3 9.9 
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Hitachi Energy 
Equipment: MicroSCADA System Data Manager SDM600 
Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Improper Authorization, Improper Resource Shutdown or Release, Improper Privilege Management 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s MicroSCADA SDM600, a data management tool, are affected: 

SDM600: Versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291) 
SDM600: Versions prior to v1.3.0 (Build Nr. 1.3.0.1339) 

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 

A vulnerability exists in the affected SDM600 versions' file permission validation. An attacker could exploit the vulnerability by gaining access to the system and uploading a specially crafted message to the system node, which could result in arbitrary code execution.

CVE-2022-3682 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). 

3.2.2 IMPROPER AUTHORIZATION CWE-285 

A vulnerability exists in the affected SDM600 versions' application programming interface (API) web services authorization validation implementation. An attacker successfully exploiting the vulnerability could read sensitive data directly from an insufficiently protected or restricted data store.

CVE-2022-3683 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N). 

3.2.3 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404 

A vulnerability exists in an SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, causing the SDM600 web services to become busy, rendering the application unresponsive. 

CVE-2022-3684 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.4 IMPROPER PRIVILEGE MANAGEMENT CWE-269 

A vulnerability exists in the affected SDM600 versions' software. The software operates at a privilege level higher than the minimum level required. An attacker successfully exploiting this vulnerability could escalate privileges.

CVE-2022-3685 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). 

3.2.5 IMPROPER AUTHORIZATION CWE-285 

A vulnerability exists in the affected SDM600 versions' API permission check mechanism. Successful exploitation could allow an unauthenticated user to gain access to device data, causing confidentiality and integrity issues.

CVE-2022-3686 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Switzerland 

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA. 

4. MITIGATIONS

Hitachi Energy recommends applying the following mitigations: 

All SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291): Update to v1.3.0.1339 
SDM600 versions prior to v1.3.0 (Build Nr. 1.3.0.1339): Apply workaround detailed below. 

Hitachi Energy recommends the following security practices and firewall configurations to help protect a process control network from attacks originating from outside the network:  

Practice principles of least privileges to minimize permissions and accesses to SDM600 related resources. 
Follow security practices defined in SDM600 security deployment guidelines. 
Physically protect process control systems from unauthorized direct access.  
Do not directly connect control systems networks to the internet.  
Separate process control systems from other networks using a firewall system with a minimal number of open ports.  
Process control systems should not be used for internet surfing, instant messaging, or receiving emails.  
Portable computers and removable storage media should be carefully scanned for viruses prior to connection to a control system.

For more information, see Hitachi security advisory 8DBD000138

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. 

Nexx Smart Home Device

1. EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Nexx
Equipment: Garage Door Controller, Smart Plug, Smart Alarm
Vulnerabilities: Use of Hard-coded Credentials, Authorization Bypass through User-controlled Key, Improper Input Validation, Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Nexx Smart Home devices are affected:

Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials, access the MQTT (MQ Telemetry Transport) server, and gain the ability to remotely control garage doors or smart plugs for any customer.

CVE-2023-1748 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).

3.2.2 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute.

CVE-2023-1749 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.3 AUTHORIZATION BYPASS THROUGH USER-CONTROLLED KEY CWE-639

The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could retrieve device history, set device settings, and retrieve device information.

CVE-2023-1750 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate whether the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices, which leaks a deviceId.

CVE-2023-1751 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
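The three findings above (3.2.2 through 3.2.4) share one root cause: a request is authorized by the presence of a deviceId rather than by the relationship between the caller and that device. The added example below, which is not code from the advisory or from Nexx, models the weak check beside a hardened one that binds the bearer token's account to the device it may act on; the token, account and device identifiers are constructed sample values.

```python
"""Added example (not from the advisory or from Nexx): an ownership check
that binds a bearer token to the deviceId it may act on (CWE-639/CWE-20)."""
from dataclasses import dataclass

# Constructed sample data; the token, account and device ids are hypothetical.
TOKENS = {"tok-alice": "acct-1", "tok-bob": "acct-2"}
DEVICE_OWNER = {"dev-1001": "acct-1", "dev-2002": "acct-2"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_weak(bearer: str, device_id: str) -> Decision:
    """Vulnerable pattern: any valid session may act on any known deviceId."""
    if bearer not in TOKENS:
        return Decision(False, "invalid token")
    if device_id not in DEVICE_OWNER:
        return Decision(False, "unknown device")
    return Decision(True, "device exists")  # ownership is never checked


def authorize_strict(bearer: str, device_id: str) -> Decision:
    """Hardened pattern: the caller's account must own the target device."""
    account = TOKENS.get(bearer)
    if account is None:
        return Decision(False, "invalid token")
    owner = DEVICE_OWNER.get(device_id)
    # One response for "unknown device" and "owned by someone else", so the
    # deviceId space cannot be enumerated by probing the error text.
    if owner != account:
        return Decision(False, "device not found for this account")
    return Decision(True, "owner verified")


def websocket_associate(bearer: str, device_id: str) -> bool:
    """Association handshake: refuse to stream another account's device
    events (the CWE-20 case) by reusing the same ownership check."""
    return authorize_strict(bearer, device_id).allowed


if __name__ == "__main__":
    # Bob presenting Alice's deviceId: the weak check passes, the strict one refuses.
    print(authorize_weak("tok-bob", "dev-1001"))
    print(authorize_strict("tok-bob", "dev-1001"))
```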

3.2.5 IMPROPER AUTHENTICATION CWE-287

The listed versions of Nexx Smart Home devices could allow any user to register an already registered alarm or associated device with only the device’s MAC address.

CVE-2023-1752 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sam Sabetan reported these vulnerabilities to CISA.

4. MITIGATIONS

Nexx has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected product are encouraged to contact Nexx support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.