
Rockwell Automation FactoryTalk View ME

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View ME
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to the loss of view or control of the PanelView product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of FactoryTalk View ME, an HMI software application, are affected:

FactoryTalk View ME: prior to v14

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

A vulnerability exists in the affected product that allows a malicious user to restart the PanelView Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView product.

CVE-2024-21914 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-21914. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update to the latest version:

FactoryTalk View ME: V11
FactoryTalk View ME: V12
FactoryTalk View ME: V13
FactoryTalk View ME: V14

Rockwell Automation recommends users of the affected software, who are not able to upgrade to one of the corrected versions, to apply security best practices, where possible.

For more information, see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Automation-Direct C-MORE EA9 HMI

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AutomationDirect
Equipment: C-MORE EA9 HMI
Vulnerabilities: Path Traversal, Stack-Based Buffer Overflow, Plaintext Storage of a Password

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit a remote device and inject malicious code on the panel.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of C-MORE EA9 HMI, a display system used for interfacing with controllers, are affected:

C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T7CL-R: Version 6.77 and prior
C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior

3.2 Vulnerability Overview

3.2.1 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22

A function in Automation-Direct C-MORE EA9 HMI accepts a relative path supplied in the URL without sanitizing it, so an attacker can use directory traversal sequences to reach files outside the intended directory.

CVE-2024-25136 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-25136. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Stack-based Buffer Overflow CWE-121

In Automation-Direct C-MORE EA9 HMI, a program copies a buffer whose size is controlled by the user into a fixed-size buffer on the stack, leading to a stack-based buffer overflow. The result of this overflow is a denial-of-service condition.

CVE-2024-25137 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-25137. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.3 Plaintext Storage of a Password CWE-256

In Automation-Direct C-MORE EA9 HMI credentials used by the platform are stored as plain text on the device.

CVE-2024-25138 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-25138. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
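The CWE-256 finding above is a storage problem rather than a transport one: anything that can read the device's storage (a backup, a dumped configuration, a file-read primitive) obtains the credential itself. The following is an added example written for this page, not AutomationDirect's code and not a description of how the C-MORE firmware stores credentials. It places a plaintext store beside a store that keeps only a per-user random salt and an scrypt hash, and verifies in constant time. The user names, passwords and scrypt cost parameters are constructed for the example.

```python
"""Plaintext credential storage (CWE-256) beside salted, memory-hard hashing.

Added example, not vendor code.  Names, passwords and scrypt parameters
are constructed for illustration.
"""
import hashlib
import hmac
import os

# scrypt cost parameters, assumed for the example (N must be a power of 2).
# 128 * N * r bytes of memory per hash: 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16


def store_plaintext(db: dict, user: str, password: str) -> None:
    """CWE-256: whoever can read the store gets the credential itself."""
    db[user] = password


def store_hashed(db: dict, user: str, password: str) -> None:
    """Keep only salt + scrypt(password, salt); the password is not recoverable."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    # Store the parameters alongside so they can be raised later without
    # invalidating existing records.
    db[user] = {"salt": salt, "hash": digest, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_hashed(db: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    rec = db.get(user)
    if rec is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal which user names exist.
        hashlib.scrypt(
            password.encode(), salt=b"\0" * SALT_LEN, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
        )
        return False
    digest = hashlib.scrypt(
        password.encode(), salt=rec["salt"], n=rec["n"], r=rec["r"], p=rec["p"]
    )
    return hmac.compare_digest(digest, rec["hash"])


def demo() -> dict:
    """Populate both stores with a constructed credential and compare them."""
    plain, hashed = {}, {}
    store_plaintext(plain, "operator", "hunter2")
    store_hashed(hashed, "operator", "hunter2")
    return {
        "plaintext_leaks_secret": plain["operator"] == "hunter2",
        "hash_reveals_secret": b"hunter2" in hashed["operator"]["hash"],
        "correct_password": verify_hashed(hashed, "operator", "hunter2"),
        "wrong_password": verify_hashed(hashed, "operator", "hunter3"),
        "unknown_user": verify_hashed(hashed, "nobody", "hunter2"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hashed record keeps the cost parameters next to the digest so they can be tightened later without breaking existing users; hmac.compare_digest avoids a timing side channel on the final comparison.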

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Tomer Goldschmidt of Claroty Research – Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Rockwell Automation Arena Simulation

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: low attack complexity
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
Vulnerabilities: Out-of-bounds Write, Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Use After Free, Access of Uninitialized Pointer, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the application or allow an attacker to run harmful code on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of Arena Simulation Software are affected:

Arena Simulation Software: version 16.00

3.2 Vulnerability Overview

3.2.1 Out-of-bounds Write CWE-787

An arbitrary code execution vulnerability could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21912 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21912. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based memory buffer overflow vulnerability could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which triggers an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21913 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21913. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119

A memory corruption vulnerability could potentially allow a malicious user to insert unauthorized code into the software by corrupting memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21914 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21914. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Use After Free CWE-416

A use-after-free vulnerability could potentially allow a malicious user to insert unauthorized code into the software by corrupting memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21918 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21918. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Access of Uninitialized Pointer CWE-824

An uninitialized pointer could potentially allow a malicious user to insert unauthorized code into the software by using the pointer before it has been properly initialized. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21919 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has been calculated for CVE-2024-21919. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Read CWE-125

A memory buffer vulnerability might let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVE-2024-21920 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L).

A CVSS v4 score has been calculated for CVE-2024-21920. A base score of 4.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Healthcare and Public Health, Critical Manufacturing, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation recommends upgrading the affected product software to 16.20.03.

Rockwell Automation encourages users of the affected software to apply the risk mitigations, if possible:

Do not open untrusted files from unknown sources.
For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

For additional information, refer to Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

March 26, 2024: Initial Publication

Advantech WebAccess/SCADA

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to read or modify a remote database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Advantech WebAccess/SCADA, a browser-based SCADA software, are affected:

WebAccess/SCADA: Version 9.1.5U

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89:

There is a SQL injection vulnerability in Advantech's WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code into queries sent to the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data in the remote database.

CVE-2024-2453 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-2453. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).
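The pattern behind a CWE-89 finding such as the one above is a query assembled by string formatting from a value the authenticated user controls. As an added illustration, written for this page and not Advantech's code or the WebAccess/SCADA flaw itself: the example below creates a constructed tag table in an in-memory SQLite database, runs the same owner-scoped lookup both ways, and shows that a single quoted payload turns the vulnerable form into a read of every row while the parameterized form returns nothing for the same input.

```python
"""SQL injection (CWE-89): string-built query beside the parameterized form.

Added example, not vendor code.  Table, rows and attacker input are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed tag table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT, value REAL, owner TEXT)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [
            ("pump1_speed", 1450.0, "operator"),
            ("tank3_level", 71.5, "operator"),
            ("admin_pw_hash", 0.0, "admin"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str, name: str) -> list:
    """CWE-89: the caller-supplied tag name is spliced into the SQL text.

    A user who may only read tags they own can pass name = "' OR '1'='1"
    and the WHERE clause becomes (owner = 'operator' AND name = '') OR '1'='1',
    which matches every row in the table.
    """
    sql = (
        "SELECT name, value FROM tags "
        f"WHERE owner = '{owner}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str, name: str) -> list:
    """Parameterized form: the same input is bound as a value, never parsed as SQL."""
    sql = "SELECT name, value FROM tags WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()


def demo() -> dict:
    """Run a legitimate lookup and an injection attempt through both variants."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "operator", "pump1_speed"),
        "legit_safe": lookup_safe(conn, "operator", "pump1_speed"),
        "inject_vulnerable": lookup_vulnerable(conn, "operator", payload),
        "inject_safe": lookup_safe(conn, "operator", payload),
    }


if __name__ == "__main__":
    for k, rows in demo().items():
        print(f"{k}: {rows}")
```

Note that the injected read crosses the owner boundary (the admin row comes back), which is exactly the authenticated-but-unauthorized read the advisory describes; parameter binding removes the whole class rather than trying to filter quote characters.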

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Prześlij Komentarz and reported it to Advantech.

4. MITIGATIONS

Advantech recommends updating WebAccess/SCADA to version 9.1.6 or higher to mitigate this vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

March 21, 2024: Initial Publication

Franklin Fueling System EVO 550/5000

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Franklin Fueling System
Equipment: EVO 550, EVO 5000
Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Franklin Fueling System EVO 550 and EVO 5000, an automatic tank gauge (ATG), are affected:

EVO 550: All versions prior to 2.26.3.8963
EVO 5000: All versions prior to 2.26.3.8963

3.2 Vulnerability Overview

3.2.1 PATH TRAVERSAL: ‘/../FILEDIR’ CWE-25

Franklin Fueling System EVO 550 and EVO 5000 are vulnerable to path traversal, which could allow an unauthenticated remote attacker to read sensitive files on the system.

CVE-2024-2442 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has been calculated for CVE-2024-2442. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS

Franklin Fueling Systems released the following to fix this vulnerability:

EVO 550: 2.26.3.8963
EVO 5000: 2.26.3.8963

For more information, contact Franklin Fueling System.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

March 19, 2024: Initial Publication

Softing edgeConnector

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.2
ATTENTION: Low attack complexity
Vendor: Softing
Equipment: edgeConnector
Vulnerabilities: Cleartext Transmission of Sensitive Information, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could create conditions that may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Softing edgeConnector and edgeAggregator are affected:

Softing edgeConnector: Version 3.60
Softing edgeAggregator: Version 3.60

3.2 Vulnerability Overview

3.2.1 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22

The affected product is vulnerable to an absolute path traversal vulnerability, which may allow an attacker with admin privileges to write to a file or overwrite a file in the filesystem.

CVE-2023-38126 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
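The three path traversal findings on this page (the relative path in a URL in C-MORE EA9, the '/../filedir' traversal in EVO 550/5000, and the absolute path write in edgeConnector) share one root cause: a caller-supplied name is joined to a directory without checking that the result still lies inside it. The following is an added example written for this page, not code from any of the vendors or from CISA; the document root, file names and request strings are constructed. It decodes the request (repeatedly, so double-encoding does not slip past a single decode), rejects absolute paths outright, resolves the remainder under the root and accepts it only if the resolved path is still contained in the root. It also shows why a substring check for '..' is the wrong tool: a name containing '..' can legitimately stay inside the root, and a name with no '..' at all can still escape if it is absolute.

```python
"""Path containment check against CWE-22 / CWE-25 / CWE-36 traversal.

Added example, not vendor code.  Root, files and requests are constructed.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the document root."""


def resolve_under_root(root: Path, requested: str) -> Path:
    """Return the on-disk path for `requested`, or raise if it escapes `root`."""
    # Decode a bounded number of times so %252e%252e%252f (double-encoded)
    # cannot bypass a single unquote(); stop early once decoding is stable.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Absolute paths (CWE-36) are never acceptable where a relative name is
    # expected; Path joining would silently discard the root otherwise.
    if decoded.startswith(("/", "\\")) or (len(decoded) > 1 and decoded[1] == ":"):
        raise PathTraversalError(f"absolute path rejected: {requested!r}")

    root_real = root.resolve()
    candidate = (root_real / decoded).resolve()

    # commonpath compares path components, so /srv/www2 is not accepted as
    # being "under" /srv/www the way a plain string-prefix test would allow.
    if os.path.commonpath([root_real, candidate]) != str(root_real):
        raise PathTraversalError(f"path escapes root: {requested!r}")
    return candidate


def is_safe_request(root: Path, requested: str) -> bool:
    """True if the request stays inside root.  ValueError also covers the
    embedded-NUL case that Path.resolve() rejects on its own."""
    try:
        resolve_under_root(root, requested)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Exercise the check against a constructed document root.

    Returns a mapping of request string -> accepted (bool).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "pages").mkdir(parents=True)
        (root / "pages" / "index.html").write_text("<html></html>")
        (Path(tmp) / "secret.cfg").write_text("password=hunter2")  # outside root

        requests = [
            "pages/index.html",           # legitimate
            "pages/../pages/index.html",  # contains '..' but stays inside root
            "../secret.cfg",              # classic CWE-25 escape
            "%2e%2e/secret.cfg",          # percent-encoded
            "%252e%252e/secret.cfg",      # double-encoded
            "/etc/passwd",                # absolute path (CWE-36), no '..' at all
        ]
        return {r: is_safe_request(root, r) for r in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req}")
```

Resolving before comparing is what makes the check robust: symlinks, '.' components and redundant separators are all normalized first, so the containment decision is made on the path the OS will actually open.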

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.

CVE-2024-0860 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Pan ZhenPeng (@Peterpan0927) and Li JianTao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs_sg), working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA. Claroty Team82, also working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA as well.

4. MITIGATIONS

Update Softing edgeConnector and edgeAggregator to v3.70 or greater.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Siemens SINEMA Remote Connect Server

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEMA Remote Connect Server
Vulnerabilities: Cross-site Scripting, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code via the ‘options’ element or obtain access to unauthorized resources.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SINEMA Remote Connect Server, a remote management platform, are affected:

SINEMA Remote Connect Server: Versions prior to V3.2
SINEMA Remote Connect Server: Versions prior to V3.1

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Cross-site scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the ‘options’ element.

CVE-2020-23064 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2020-23064. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to resources and potentially lead to code execution.

CVE-2022-32257 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-32257. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released updates for the affected products and recommends users update to the latest versions:

(CVE-2020-23064): Update to V3.1 or later version
(CVE-2022-32257): Update to V3.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-576771 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM APE1808 devices
Vulnerabilities: Improper Certificate Validation, Cleartext Transmission of Sensitive Information, Path Traversal, Exposure of Sensitive Information to an Unauthorized Actor, Cross-site Scripting, Permissive List of Allowed Inputs, Relative Path Traversal, Improper Restriction of Excessive Authentication Attempts, Use of Externally-Controlled Format String, Access of Uninitialized Pointer, Out-of-bounds Write, Open Redirect, Improper Input Validation, Insertion of Sensitive Information into Log File, Heap-based Buffer Overflow, Insufficient Session Expiration, Improper Validation of Integrity Check Value, Improper Access Control, Infinite Loop, NULL Pointer Dereference, Stack-based Buffer Overflow, Basic XSS, Use of GET Request Method With Sensitive Query Strings, Interpretation Conflict, Use After Free, Improper Authorization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impact confidentiality, integrity, or availability of the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens using Fortinet NGFW V7.4.1 and prior are affected:

RUGGEDCOM APE1808: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy).

CVE-2022-39948 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A cleartext transmission of sensitive information vulnerability [CWE-319] in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.8, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.8 allows an authenticated attacker with read-only superadmin privileges to intercept traffic in order to obtain other administrators' cookies via diagnose CLI commands.

CVE-2022-41327 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

An improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.

CVE-2022-41328 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.4 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiOS version 7.2.0 through 7.2.3 and 7.0.0 through 7.0.9 allows an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP GET requests.

CVE-2022-41329 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation vulnerability (‘Cross-site Scripting’) [CWE-79] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9, version 6.4.0 through 6.4.11 and before 6.2.12 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

CVE-2022-41330 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation [CWE-79] vulnerability in FortiOS versions 7.0.0 to 7.0.7 and 7.2.0 to 7.2.3 may allow a remote, unauthenticated attacker to launch a cross-site scripting (XSS) attack via the “redir” parameter of the URL seen when the “Sign in with FortiCloud” button is clicked.

CVE-2022-41334 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 PERMISSIVE LIST OF ALLOWED INPUTS CWE-183

A permissive list of allowed inputs vulnerability [CWE-183] in FortiGate version 7.2.3 and below, version 7.0.9 and below Policy-based NGFW Mode may allow an authenticated SSL-VPN user to bypass the policy via bookmarks in the web portal.

CVE-2022-42469 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

3.2.8 RELATIVE PATH TRAVERSAL CWE-23

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows a privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests.

CVE-2022-42474 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

3.2.9 RELATIVE PATH TRAVERSAL CWE-23

A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.11, FortiProxy version 7.2.0 through 7.2.2 and 7.0.0 through 7.0.8 allows privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests.

CVE-2022-42476 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.10 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

CVE-2022-43947 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.2.11 USE OF EXTERNALLY-CONTROLLED FORMAT STRING CWE-134

A use of externally-controlled format string in Fortinet FortiOS version 7.2.0 through 7.2.4, FortiOS all versions 7.0, FortiOS all versions 6.4, FortiOS all versions 6.2, FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7 allows an attacker to execute unauthorized code or commands via specially crafted commands.

CVE-2022-43953 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.12 ACCESS OF UNINITIALIZED POINTER CWE-824

An access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN portal of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.11 and FortiProxy version 7.2.0 through 7.2.1, version 7.0.0 through 7.0.7 and before 2.0.11 allows a remote authenticated attacker to crash the sslvpn daemon via an HTTP GET request.

CVE-2022-45861 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.13 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy version 7.0.0 through 7.0.8, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an attacker to escalate privileges via specifically crafted commands.

CVE-2023-22639 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.14 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.10, FortiOS version 6.4.0 through 6.4.11, FortiOS version 6.2.0 through 6.2.13, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.1, FortiProxy version 7.0.0 through 7.0.7, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.

CVE-2023-22640 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.15 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

A URL redirection to untrusted site (‘open redirect’) in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.9, FortiOS versions 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy version 7.0.0 through 7.0.8, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specially crafted requests.

CVE-2023-22641 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N).

3.2.16 IMPROPER INPUT VALIDATION CWE-20

A buffer underwrite (‘buffer underflow’) vulnerability in FortiOS, FortiManager, FortiAnalyzer, FortiWeb, FortiProxy & FortiSwitchManager administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests.

CVE-2023-25610 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.17 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532

An insertion of sensitive information into log file vulnerability in Fortinet FortiOS 7.2.0 through 7.2.4 and FortiProxy 7.0.0 through 7.0.10 and 7.2.0 through 7.2.1 allows an attacker to read certain passwords in plain text.

CVE-2023-26207 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

3.2.18 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

CVE-2023-27997 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.19 INSUFFICIENT SESSION EXPIRATION CWE-613

An insufficient session expiration in Fortinet FortiOS 7.0.0 – 7.0.12 and 7.2.0 – 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API.

CVE-2023-28001 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L).

3.2.20 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354

An improper validation of integrity check value vulnerability [CWE-354] in FortiOS VMs may allow a local attacker with admin privileges to boot a malicious image on the device and bypass the filesystem integrity check in place.

CVE-2023-28002 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.21 IMPROPER CERTIFICATE VALIDATION CWE-295

An improper certificate validation vulnerability [CWE-295] in FortiOS 6.2 all versions, 6.4 all versions, 7.0.0 through 7.0.10, 7.2.0 and FortiProxy 1.2 all versions, 2.0 all versions, 7.0.0 through 7.0.9, 7.2.0 through 7.2.3 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the vulnerable device and the remote FortiGuard’s map server.

CVE-2023-29175 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.22 ACCESS OF UNINITIALIZED POINTER CWE-824

An access of uninitialized pointer vulnerability [CWE-824] in Fortinet FortiProxy version 7.2.0 through 7.2.3 and before 7.0.9 and FortiOS version 7.2.0 through 7.2.4 and before 7.0.11 allows an authenticated attacker to repetitively crash the httpsd process via crafted HTTP or HTTPS requests.

CVE-2023-29178 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

3.2.23 IMPROPER INPUT VALIDATION CWE-20

A NULL pointer dereference vulnerability [CWE-476] in FortiOS may allow an authenticated attacker to crash the SSL-VPN daemon via specially crafted HTTP requests to the /proxy endpoint.

CVE-2023-29179 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.24 IMPROPER INPUT VALIDATION CWE-20

A NULL pointer dereference vulnerability [CWE-476] in FortiOS may allow a remote unauthenticated attacker to crash the SSL-VPN daemon via specially crafted HTTP requests.

CVE-2023-29180 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.25 IMPROPER INPUT VALIDATION CWE-20

A use of externally-controlled format string vulnerability [CWE-134] in the Fclicense daemon of FortiOS may allow a remote authenticated attacker to execute arbitrary code or commands via specially crafted requests.

CVE-2023-29181 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.26 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 and FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14 GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting.

CVE-2023-29183 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

3.2.27 IMPROPER ACCESS CONTROL CWE-284

An improper access control vulnerability in Fortinet FortiOS 7.2.0 – 7.2.4 and 7.4.0 allows an attacker to access a restricted resource from a non-trusted host.

CVE-2023-33301 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.28 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835

A loop with unreachable exit condition (‘infinite loop’) in Fortinet FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.10, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiProxy version 7.2.0 through 7.2.3, FortiProxy version 7.0.0 through 7.0.9, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions, FortiWeb version 7.2.0 through 7.2.1, FortiWeb version 7.0.0 through 7.0.6, FortiWeb 6.4 all versions, FortiWeb 6.3 all versions allows an attacker to perform a denial of service via specially crafted HTTP requests.

CVE-2023-33305 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

3.2.29 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference vulnerability [CWE-476] in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests.

CVE-2023-33306 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.30 NULL POINTER DEREFERENCE CWE-476

A NULL pointer dereference vulnerability [CWE-476] in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests.

CVE-2023-33307 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.31 STACK-BASED BUFFER OVERFLOW CWE-121

A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy version 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 allows a remote unauthenticated attacker to execute arbitrary code or commands via crafted packets reaching proxy policies or firewall policies with proxy mode alongside deep or full packet inspection.

CVE-2023-33308 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.32 IMPROPER NEUTRALIZATION OF SCRIPT-RELATED HTML TAGS IN A WEB PAGE (BASIC XSS) CWE-80

An improper neutralization of script-related HTML tags in a web page (basic XSS) in Fortinet FortiOS 7.2.0 – 7.2.4 allows an attacker to execute unauthorized code or commands via the SAML and Security Fabric components.

CVE-2023-36555 has been assigned to this vulnerability. A CVSS v3 base score of 3.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L).

3.2.33 USE OF EXTERNALLY-CONTROLLED FORMAT STRING CWE-134

A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, FortiOS versions 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiPAM versions 1.0.0 through 1.0.3 allows an attacker to execute unauthorized code or commands via specially crafted API requests.

CVE-2023-36639 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.34 NULL POINTER DEREFERENCE CWE-476

A null pointer dereference [CWE-476] in FortiOS and FortiProxy SSL VPN may allow an authenticated attacker to perform a DoS attack on the device via specifically crafted HTTP requests.

CVE-2023-36641 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.35 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598

A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 – 7.0.12, 7.2.0 – 7.2.5 and 7.4.0 allows an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services.

CVE-2023-37935 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.36 INTERPRETATION CONFLICT CWE-436

An interpretation conflict in Fortinet IPS Engine versions 7.321, 7.166 and 6.158 allows an attacker to evade IPS features via crafted TCP packets.

CVE-2023-40718 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.37 USE AFTER FREE CWE-416

A use after free vulnerability [CWE-416] in FortiOS version 7.2.0 through 7.2.4 and version 7.0.0 through 7.0.10 and FortiProxy version 7.2.0 through 7.2.2 and version 7.0.0 through 7.0.8 may allow an unauthenticated remote attacker to crash the WAD process via multiple crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

CVE-2023-41675 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.38 IMPROPER AUTHORIZATION CWE-285

An improper authorization vulnerability in Fortinet FortiOS 7.0.0 – 7.0.11 and 7.2.0 – 7.2.4 allows an attacker belonging to the prof-admin profile to perform elevated actions.

CVE-2023-41841 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Update Fortigate NGFW to V7.4.1. Contact customer support to receive patch and update information.
For CVE-2023-25610: Disable HTTP/HTTPS administrative interface OR limit IP addresses that can reach the administrative interface (see https://www.fortiguard.com/psirt/FG-IR-23-001)
For CVE-2023-27997: Disable SSL-VPN (see https://www.fortiguard.com/psirt/FG-IR-23-097)
For CVE-2023-33308: Disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode (see https://www.fortiguard.com/psirt/FG-IR-23-183)
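The following audit script is an added example, not Siemens or Fortinet tooling: it parses a FortiOS-style CLI configuration export (a constructed sample is embedded) and reports where the three workarounds above are not in place. It assumes the key names allowaccess, trusthostN, status and supported-alpn match the firmware's CLI syntax, and that a missing status or supported-alpn takes the defaults noted in the comments; check both against your firmware's CLI reference before relying on the output.

```python
"""Check a FortiOS-style config export for the advisory's workarounds.

Added example. Key names and defaults are assumptions about FortiOS CLI
syntax, not confirmed by the advisory text.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample export (not from a real device).
SAMPLE_CONFIG = """\
#constructed sample: header lines starting with '#' are skipped
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "backup-admin"
    next
end
config vpn ssl settings
    set status enable
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set supported-alpn all
    next
    edit "certificate-inspection"
        set supported-alpn http1-1
    next
end
"""


@dataclass
class Node:
    """One config section or 'edit' entry: its settings and child entries."""
    settings: dict[str, list[str]] = field(default_factory=dict)
    entries: dict[str, "Node"] = field(default_factory=dict)


def parse_config(text: str) -> Node:
    """Build a tree from config / edit / set / next / end lines."""
    root = Node()
    stack = [root]
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":  # e.g. "config system interface"
            node = stack[-1].entries.setdefault(" ".join(args), Node())
            stack.append(node)
        elif verb == "edit":  # e.g. edit "wan1"
            node = stack[-1].entries.setdefault(args[0], Node())
            stack.append(node)
        elif verb == "set":  # e.g. set allowaccess ping https ssh
            stack[-1].settings[args[0]] = args[1:]
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
        # 'unset' and unknown verbs are ignored for this audit
    return root


def audit(root: Node) -> list[str]:
    """Return one finding per configuration item that contradicts a workaround."""
    findings: list[str] = []
    # FG-IR-23-001: admin GUI exposed on an interface without IP restriction
    for name, iface in root.entries.get("system interface", Node()).entries.items():
        web = sorted(set(iface.settings.get("allowaccess", [])) & {"http", "https"})
        if web:
            findings.append(f"system interface {name}: admin GUI reachable via {' '.join(web)}")
    for name, admin in root.entries.get("system admin", Node()).entries.items():
        if not any(key.startswith("trusthost") for key in admin.settings):
            findings.append(f"system admin {name}: no trusthost restriction")
    # FG-IR-23-097: SSL-VPN still enabled (assumed default: enabled when key absent)
    sslvpn = root.entries.get("vpn ssl settings", Node())
    if sslvpn.settings.get("status", ["enable"]) == ["enable"]:
        findings.append("vpn ssl settings: SSL-VPN enabled")
    # FG-IR-23-183: HTTP/2 permitted on an SSL inspection profile
    # (assumed default: 'all' when supported-alpn is absent from the export)
    for name, prof in root.entries.get("firewall ssl-ssh-profile", Node()).entries.items():
        alpn = prof.settings.get("supported-alpn", ["all"])[0]
        if alpn in ("all", "http2"):
            findings.append(f"firewall ssl-ssh-profile {name}: HTTP/2 allowed (supported-alpn {alpn})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Feed it a real export (`show full-configuration` output) instead of SAMPLE_CONFIG to audit a device; a profile is only a risk when it is actually referenced by a proxy-mode policy, which this check does not resolve.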

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-366067 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Siemens SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG Family

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG Family
Vulnerabilities: Use of Hard-coded Cryptographic Key, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to cause a denial-of-service condition or extract configuration information from a configuration backup file.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens are affected:

SCALANCE XB205-3 (SC, PN) (6GK5205-3BB00-2AB2): All versions
SCALANCE XB205-3 (ST, E/IP) (6GK5205-3BB00-2TB2): All versions
SCALANCE XB205-3 (ST, E/IP) (6GK5205-3BD00-2TB2): All versions
SCALANCE XB205-3 (ST, PN) (6GK5205-3BD00-2AB2): All versions
SCALANCE XB205-3LD (SC, E/IP) (6GK5205-3BF00-2TB2): All versions
SCALANCE XB205-3LD (SC, PN) (6GK5205-3BF00-2AB2): All versions
SCALANCE XB208 (E/IP) (6GK5208-0BA00-2TB2): All versions
SCALANCE XB208 (PN) (6GK5208-0BA00-2AB2): All versions
SCALANCE XB213-3 (SC, E/IP) (6GK5213-3BD00-2TB2): All versions
SCALANCE XB213-3 (SC, PN) (6GK5213-3BD00-2AB2): All versions
SCALANCE XB213-3 (ST, E/IP) (6GK5213-3BB00-2TB2): All versions
SCALANCE XB213-3 (ST, PN) (6GK5213-3BB00-2AB2): All versions
SCALANCE XB213-3LD (SC, E/IP) (6GK5213-3BF00-2TB2): All versions
SCALANCE XB213-3LD (SC, PN) (6GK5213-3BF00-2AB2): All versions
SCALANCE XB216 (E/IP) (6GK5216-0BA00-2TB2): All versions
SCALANCE XB216 (PN) (6GK5216-0BA00-2AB2): All versions
SCALANCE XC206-2 (SC) (6GK5206-2BD00-2AC2): All versions
SCALANCE XC206-2 (ST/BFOC) (6GK5206-2BB00-2AC2): All versions
SCALANCE XC206-2G PoE (6GK5206-2RS00-2AC2): All versions
SCALANCE XC206-2G PoE (54 V DC) (6GK5206-2RS00-5AC2): All versions
SCALANCE XC206-2G PoE EEC (54 V DC) (6GK5206-2RS00-5FC2): All versions
SCALANCE XC206-2SFP (6GK5206-2BS00-2AC2): All versions
SCALANCE XC206-2SFP EEC (6GK5206-2BS00-2FC2): All versions
SCALANCE XC206-2SFP G (6GK5206-2GS00-2AC2): All versions
SCALANCE XC206-2SFP G (EIP DEF.) (6GK5206-2GS00-2TC2): All versions
SCALANCE XC206-2SFP G EEC (6GK5206-2GS00-2FC2): All versions
SCALANCE XC208 (6GK5208-0BA00-2AC2): All versions
SCALANCE XC208EEC (6GK5208-0BA00-2FC2): All versions
SCALANCE XC208G (6GK5208-0GA00-2AC2): All versions
SCALANCE XC208G (EIP def.) (6GK5208-0GA00-2TC2): All versions
SCALANCE XC208G EEC (6GK5208-0GA00-2FC2): All versions
SCALANCE XC208G PoE (6GK5208-0RA00-2AC2): All versions
SCALANCE XC208G PoE (54 V DC) (6GK5208-0RA00-5AC2): All versions
SCALANCE XC216 (6GK5216-0BA00-2AC2): All versions
SCALANCE XC216-3G PoE (6GK5216-3RS00-2AC2): All versions
SCALANCE XC216-3G PoE (54 V DC) (6GK5216-3RS00-5AC2): All versions
SCALANCE XC216-4C (6GK5216-4BS00-2AC2): All versions
SCALANCE XC216-4C G (6GK5216-4GS00-2AC2): All versions
SCALANCE XC216-4C G (EIP Def.) (6GK5216-4GS00-2TC2): All versions
SCALANCE XC216-4C G EEC (6GK5216-4GS00-2FC2): All versions
SCALANCE XC216EEC (6GK5216-0BA00-2FC2): All versions
SCALANCE XC224 (6GK5224-0BA00-2AC2): All versions
SCALANCE XC224-4C G (6GK5224-4GS00-2AC2): All versions
SCALANCE XC224-4C G (EIP Def.) (6GK5224-4GS00-2TC2): All versions
SCALANCE XC224-4C G EEC (6GK5224-4GS00-2FC2): All versions
SCALANCE XF204 (6GK5204-0BA00-2GF2): All versions
SCALANCE XF204 DNA (6GK5204-0BA00-2YF2): All versions
SCALANCE XF204-2BA (6GK5204-2AA00-2GF2): All versions
SCALANCE XF204-2BA DNA (6GK5204-2AA00-2YF2): All versions
SCALANCE XP208 (6GK5208-0HA00-2AS6): All versions
SCALANCE XP208 (Ethernet/IP) (6GK5208-0HA00-2TS6): All versions
SCALANCE XP208EEC (6GK5208-0HA00-2ES6): All versions
SCALANCE XP208PoE EEC (6GK5208-0UA00-5ES6): All versions
SCALANCE XP216 (6GK5216-0HA00-2AS6): All versions
SCALANCE XP216 (Ethernet/IP) (6GK5216-0HA00-2TS6): All versions
SCALANCE XP216EEC (6GK5216-0HA00-2ES6): All versions
SCALANCE XP216POE EEC (6GK5216-0UA00-5ES6): All versions
SCALANCE XR324WG (24 x FE, AC 230V) (6GK5324-0BA00-3AR3): All versions
SCALANCE XR324WG (24 X FE, DC 24V) (6GK5324-0BA00-2AR3): All versions
SCALANCE XR326-2C PoE WG (6GK5326-2QS00-3AR3): All versions
SCALANCE XR326-2C PoE WG (without UL) (6GK5326-2QS00-3RR3): All versions
SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (6GK5328-4FS00-3AR3): All versions
SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (6GK5328-4FS00-3RR3): All versions
SCALANCE XR328-4C WG (24XFE, 4XGE, 24V) (6GK5328-4FS00-2AR3): All versions
SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V) (6GK5328-4FS00-2RR3): All versions
SCALANCE XR328-4C WG (28xGE, AC 230V) (6GK5328-4SS00-3AR3): All versions
SCALANCE XR328-4C WG (28xGE, DC 24V) (6GK5328-4SS00-2AR3): All versions
SIPLUS NET SCALANCE XC206-2 (6AG1206-2BB00-7AC2): All versions
SIPLUS NET SCALANCE XC206-2SFP (6AG1206-2BS00-7AC2): All versions
SIPLUS NET SCALANCE XC208 (6AG1208-0BA00-7AC2): All versions
SIPLUS NET SCALANCE XC216-4C (6AG1216-4BS00-7AC2): All versions

3.2 Vulnerability Overview

3.2.1 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

Affected devices use a hardcoded key to obfuscate the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that obtains a configuration backup to extract configuration information from the exported file.

CVE-2023-44318 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

3.2.2 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Affected devices do not properly validate the length of inputs when performing certain configuration changes in the web interface, allowing an authenticated attacker to cause a denial-of-service condition. The device needs to be restarted for the web interface to become available again.

CVE-2023-44321 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2023-44321. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens is preparing fix versions and recommends countermeasures for products where fixes are not yet available.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-353002 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 14, 2024: Initial Publication

Siemens RUGGEDCOM APE1808

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM APE1808
Vulnerabilities: Heap-based Buffer Overflow, External Control of File Name or Path, Improper Privilege Management, Uncontrolled Resource Consumption, Improper Certificate Validation, Out-of-bounds Write, Use of Externally-Controlled Format String

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute elevated actions, cause a denial-of-service, or execute arbitrary commands or code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens RUGGEDCOM APE1808, an application hosting platform, are affected:

RUGGEDCOM APE1808: All versions with Fortinet NGFW

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based buffer overflow vulnerability exists in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, Curl switches to local name resolution and passes only the resolved address to the proxy. The local variable that instructs Curl to “let the host resolve the name” could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.

CVE-2023-38545 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
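The defensive shape of the fix described above, as an added example (not curl's code and not from the Siemens advisory): a SOCKS5 CONNECT builder that derives the 255-byte bound from the single length octet the protocol allows and checks it at the moment of the copy, rather than trusting a "resolve locally" flag decided earlier in the handshake. The `demo_*` helpers and their inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1928: the DOMAINNAME form of DST.ADDR has a single length octet,
 * so a hostname longer than 255 bytes can never be encoded in it. */
#define SOCKS5_MAX_HOSTNAME 255

/* Build a SOCKS5 CONNECT request asking the proxy to resolve `host`.
 * The bound is checked against the data at the moment of the copy, not
 * against a "resolve locally" flag decided earlier in the handshake, so
 * a stale flag cannot turn an oversize name into a heap overflow.
 * Returns bytes written to `out`, or 0 if the request cannot be built. */
size_t socks5_build_connect(const char *host, uint16_t port,
                            uint8_t *out, size_t out_len)
{
    size_t hlen = host ? strlen(host) : 0;
    size_t need = 4 + 1 + hlen + 2;      /* VER CMD RSV ATYP, LEN+host, PORT */
    if (hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return 0;                        /* does not fit the 1-byte length field */
    if (out == NULL || out_len < need)
        return 0;                        /* destination too small: refuse, never truncate */

    out[0] = 0x05;                       /* VER  = SOCKS5 */
    out[1] = 0x01;                       /* CMD  = CONNECT */
    out[2] = 0x00;                       /* RSV */
    out[3] = 0x03;                       /* ATYP = DOMAINNAME */
    out[4] = (uint8_t)hlen;              /* safe: hlen <= 255 checked above */
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return need;
}

/* Constructed checks over a fixed buffer (hypothetical helpers). */
static uint8_t demo_buf[600];

size_t demo_example(void)   /* "example.com":443 -> 18 bytes */
{
    return socks5_build_connect("example.com", 443, demo_buf, sizeof demo_buf);
}
int demo_byte(size_t i) { return i < sizeof demo_buf ? demo_buf[i] : -1; }

size_t demo_oversize(void)  /* 299-byte name -> rejected (returns 0) */
{
    char name[300];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return socks5_build_connect(name, 443, demo_buf, sizeof demo_buf);
}
```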

3.2.2 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met. libcurl performs transfers. In its API, an application creates “easy handles” that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned – but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none – if such a file exists and is readable in the current directory of the program using libcurl, and if it uses the correct file format.

CVE-2023-38546 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.2.3 IMPROPER PRIVILEGE MANAGEMENT CWE-269

An improper privilege management vulnerability in a Fortinet FortiOS HA cluster version 7.4.0 through 7.4.1 and 7.2.5 and in a FortiProxy HA cluster version 7.4.0 through 7.4.1 allows an authenticated attacker to perform elevated actions via crafted HTTP or HTTPS requests.

CVE-2023-44250 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.4 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-44487 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has been calculated for CVE-2023-44487. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
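Detection logic for the rapid-reset pattern described above, as an added example that is not part of the advisory or of any vendor's code: a sliding-window count of RST_STREAM frames per connection over constructed frame-log records. The record layout, the sample events and any alert threshold are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* One logged HTTP/2 frame on a single connection (constructed record:
 * what a reverse proxy or IDS might emit per frame). */
enum { H2_HEADERS = 0x1, H2_RST_STREAM = 0x3 };
struct h2_event { uint64_t ts_ms; uint32_t stream_id; uint8_t type; };

/* Largest number of RST_STREAM frames seen inside any window_ms span.
 * Events must be sorted by ts_ms. Counting resets alone is enough to
 * spot the open-cancel-repeat burst: ordinary clients rarely cancel
 * more than a handful of streams per second, so a deployment-chosen
 * threshold on this value is a reasonable rate-limit trigger. */
unsigned h2_max_resets_in_window(const struct h2_event *ev, size_t n,
                                 uint64_t window_ms)
{
    unsigned best = 0, count = 0;
    size_t start = 0;
    if (window_ms == 0)
        window_ms = 1;                   /* keep the eviction loop bounded */
    for (size_t i = 0; i < n; i++) {
        if (ev[i].type != H2_RST_STREAM)
            continue;
        count++;
        /* evict resets that left the window; skip non-reset frames */
        while (ev[start].type != H2_RST_STREAM ||
               ev[i].ts_ms - ev[start].ts_ms >= window_ms) {
            if (ev[start].type == H2_RST_STREAM)
                count--;
            start++;
        }
        if (count > best)
            best = count;
    }
    return best;
}

/* Constructed sample: 10 streams, each opened then cancelled 1 ms later,
 * one every 10 ms (10 resets within 100 ms). */
unsigned demo_max_resets(uint64_t window_ms)
{
    struct h2_event ev[20];
    for (uint32_t i = 0; i < 10; i++) {
        ev[2 * i]     = (struct h2_event){ i * 10, 2 * i + 1, H2_HEADERS };
        ev[2 * i + 1] = (struct h2_event){ i * 10 + 1, 2 * i + 1, H2_RST_STREAM };
    }
    return h2_max_resets_in_window(ev, 20, window_ms);
}
```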

3.2.5 IMPROPER CERTIFICATE VALIDATION CWE-295

An improper certificate validation vulnerability in Fortinet FortiOS 7.0.0 – 7.0.13, 7.2.0 – 7.2.6 and 7.4.0 – 7.4.1 allows a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the FortiLink communication channel between the FortiOS device and FortiSwitch.

CVE-2023-47537 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.2.6 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

CVE-2024-21762 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.7 USE OF EXTERNALLY-CONTROLLED FORMAT STRING CWE-134

A use of externally-controlled format string vulnerability in the FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

CVE-2024-23113 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

RUGGEDCOM APE1808: Contact customer support to receive patch and update information.

RUGGEDCOM APE1808 (CVE-2024-21762): Disable SSL VPN (disable webmode is NOT a valid workaround) (see https://www.fortiguard.com/psirt/FG-IR-24-015).

RUGGEDCOM APE1808 (CVE-2024-23113): For each interface, remove the fgfm access (see https://www.fortiguard.com/psirt/FG-IR-24-029).

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-832273 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

March 14, 2024: Initial Publication