Posts Page - CloudCentric

Siemens Simcenter Femap

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Simcenter Femap
Vulnerabilities: Out-of-bounds Write, Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Read, Access of Uninitialized Pointer

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to crash the application or execute arbitrary code if a user is tricked to open a malicious file on an affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Simcenter Femap: Versions prior to V2401.0000 (CVE-2024-24920, CVE-2024-24921,
CVE-2024-24922, CVE-2024-24923)
Simcenter Femap: Versions prior to V2306.0001 (CVE-2024-24923)
Simcenter Femap: Versions prior to V2306.0000 (CVE-2024-24924, CVE-2024-24925)

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted Catia MODEL file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21710)

CVE-2024-24920 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24920. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The affected application is vulnerable to memory corruption while parsing specially crafted Catia MODEL files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21712)

CVE-2024-24921 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24921. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

CVE-2024-24922 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24922. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted Catia MODEL files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-22055)

CVE-2024-24923 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24923. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 OUT-OF-BOUNDS WRITE CWE-787

CVE-2024-24924 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24924. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 ACCESS OF UNINITIALIZED POINTER CWE-824

The affected application is vulnerable to uninitialized pointer access while parsing specially crafted Catia MODEL files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-22060)

CVE-2024-24925 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24925. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: World
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

For CVE-2024-24920, CVE-2024-24921,
CVE-2024-24922, CVE-2024-24923: Update to V2401.0000 or later version
For CVE-2024-24923: Update to V2306.0001 or later version
For CVE-2024-24924, CVE-2024-24925: Update to V2306.0000 or later version

Additionally, Siemens recommends that customers do not open untrusted Catia MODEL files from using Simcenter Femap.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-000072 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens Tecnomatix Plant Simulation

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Tecnomatix Plant Simulation
Vulnerabilities: Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, NULL Pointer Dereference, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to crash the application or execute arbitrary code if a user is tricked into opening a malicious file.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Tecnomatix Plant Simulation V2201: Versions prior to V2201.0012 (CVE-2024-23795, CVE-2024-23796,
CVE-2024-23797, CVE-2024-23798, CVE-2024-
23802, CVE-2024-23804)
Tecnomatix Plant Simulation V2201: All versions (CVE-2024-23799, CVE-2024-23800,
CVE-2024-23801, CVE-2024-23803)
Tecnomatix Plant Simulation V2302: Versions prior to V2302.0006 (CVE-2024-23795, CVE-2024-23796,
CVE-2024-23797, CVE-2024-23798, CVE-2024-
23802, CVE-2024-23804)
Tecnomatix Plant Simulation V2302: Versions prior to V2302.0007 (CVE-2024-23799, CVE-2024-23800,
CVE-2024-23801, CVE-2024-23803)

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted WRL file. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23795 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23795. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23796 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23796. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack overflow vulnerability while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23797 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23797. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack overflow vulnerability while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23798 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23798. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 NULL POINTER DEREFERENCE CWE-476

The affected applications contain a null pointer dereference vulnerability while parsing specially crafted SPP files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.

CVE-2024-23799 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-23799. A base score of 4.8 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.6 NULL POINTER DEREFERENCE CWE-476

CVE-2024-23800 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-23800. A base score of 4.8 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.7 NULL POINTER DEREFERENCE CWE-476

CVE-2024-23801 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-23801. A base score of 4.8 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.8 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23802 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23802. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23803 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23803. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.10 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack overflow vulnerability while parsing specially crafted PSOBJ files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-23804 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23804. A base score of 7.3 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Tecnomatix Plant Simulation V2201 (CVE-2024-23795, CVE-2024-23796,
CVE-2024-23797, CVE-2024-23798, CVE-2024-23802, CVE-2024-23804): Update to V2201.0012 or later version
Tecnomatix Plant Simulation V2201 (CVE-2024-23799, CVE-2024-23800, CVE-2024-23801, CVE-2024-23803): Currently no fix is planned
Tecnomatix Plant Simulation V2302 (CVE-2024-23795, CVE-2024-23796,
CVE-2024-23797, CVE-2024-23798, CVE-2024-23802, CVE-2024-23804): Update to V2302.0006 or later version
Tecnomatix Plant Simulation V2302 (CVE-2024-23799, CVE-2024-23800, CVE-2024-23801, CVE-2024-23803): Update to V2302.0007 or later version

Siemens also recommends users do not open untrusted WRL, PSOBJ, or SPP files from using Tecnomatix Plant Simulation

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-017796 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens SCALANCE SC-600 Family

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE SC-600 Family
Vulnerabilities: Acceptance of Extraneous Untrusted Data With Trusted Data, Use of Weak Hash, Forced Browsing, Uncontrolled Resource Consumption, Unchecked Return Value, Injection, OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges, execute arbitrary code, or spawn a system root shell on the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SCALANCE SC622-2C (6GK5622-2GS00-2AC2) (CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692): Versions prior to V3.0.2
SCALANCE SC622-2C (6GK5622-2GS00-2AC2) (CVE-2023-44319, CVE-2023-44320, CVE-2023-44322): Versions prior to V3.1
SCALANCE SC622-2C (6GK5622-2GS00-2AC2) (CVE-2023-44321): All versions
SCALANCE SC626-2C (6GK5626-2GS00-2AC2) (CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692): Versions prior to V3.0.2
SCALANCE SC626-2C (6GK5626-2GS00-2AC2) (CVE-2023-44319, CVE-2023-44320, CVE-2023-44322): Versions prior to V3.1
SCALANCE SC626-2C (6GK5626-2GS00-2AC2) (CVE-2023-44321): All versions
SCALANCE SC632-2C (6GK5632-2GS00-2AC2) (CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692): Versions prior to V3.0.2
SCALANCE SC632-2C (6GK5632-2GS00-2AC2) (CVE-2023-44319, CVE-2023-44320, CVE-2023-44322): Versions prior to V3.1
SCALANCE SC632-2C (6GK5632-2GS00-2AC2) (CVE-2023-44321): All versions
SCALANCE SC636-2C (6GK5636-2GS00-2AC2) (CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692): Versions prior to V3.0.2
SCALANCE SC636-2C (6GK5636-2GS00-2AC2) (CVE-2023-44319, CVE-2023-44320, CVE-2023-44322): Versions prior to V3.1
SCALANCE SC636-2C (6GK5636-2GS00-2AC2) (CVE-2023-44321): All versions
SCALANCE SC642-2C (6GK5642-2GS00-2AC2) (CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692): Versions prior to V3.0.2
SCALANCE SC642-2C (6GK5642-2GS00-2AC2) (CVE-2023-44319, CVE-2023-44320, CVE-2023-44322): Versions prior to V3.1
SCALANCE SC642-2C (6GK5642-2GS00-2AC2) (CVE-2023-44321): All versions
SCALANCE SC646-2C (6GK5646-2GS00-2AC2) (CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692): Versions prior to V3.0.2
SCALANCE SC646-2C (6GK5646-2GS00-2AC2) (CVE-2023-44319, CVE-2023-44320, CVE-2023-44322): Versions prior to V3.1
SCALANCE SC646-2C (6GK5646-2GS00-2AC2)(CVE-2023-44321): All versions

3.2 Vulnerability Overview

3.2.1 ACCEPTANCE OF EXTRANEOUS UNTRUSTED DATA WITH TRUSTED DATA CWE-349

Affected products do not properly validate the content of uploaded X509 certificates which could allow an attacker with administrative privileges to execute arbitrary code on the device.

CVE-2023-44317 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF WEAK HASH CWE-328

Affected devices use a weak checksum algorithm to protect the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that tricks a legitimate administrator to upload a modified configuration file to change the configuration of an affected device.

CVE-2023-44319 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

3.2.3 DIRECT REQUEST (‘FORCED BROWSING’) CWE-425

Affected devices do not properly validate the authentication when performing certain modifications in the web interface allowing an authenticated attacker to influence the user interface configured by an administrator.

CVE-2023-44320 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

3.2.4 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

Affected devices do not properly validate the length of inputs when performing certain configuration changes in the web interface allowing an authenticated attacker to cause a denial-of-service condition. The device needs to be restarted for the web interface to become available again.

CVE-2023-44321 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

3.2.5 UNCHECKED RETURN VALUE CWE-252

Affected devices can be configured to send emails when certain events occur on the device. When presented with an invalid response from the SMTP server, the device triggers an error that disrupts email sending. An attacker with access to the network can use this to do disable notification of users when certain events occur.

CVE-2023-44322 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.2.6 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT (‘INJECTION’) CWE-74

Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell. Follow-up of CVE-2022-36323.

CVE-2023-44373 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.7 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An improper neutralization of special elements used in an OS command with root privileges vulnerability exists in the handling of the DDNS configuration. This could allow malicious local administrators to issue commands on system level after a successful IP address update.

CVE-2023-49691 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An improper neutralization of special elements used in an OS command with root privileges vulnerability exists in the parsing of the IPSEC configuration. This could allow malicious local administrators to issue commands on system level after a new connection is established.

CVE-2023-49692 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends users update to the latest versions. Siemens recommends countermeasures for products where fixes are not, or not yet available:

For CVE-2023-44317, CVE-2023-44373, CVE-2023-49691, CVE-2023-49692: Update to V3.0.2 or later version
For CVE-2023-44319, CVE-2023-44320, CVE-2023-44322: Update to V3.1 or later version
For CVE-2023-44321: Currently no fix is planned

Siemens also recommends users restrict access to application webserver for trusted users only.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-602936 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens Unicam FX

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: Unicam FX
Vulnerability: Incorrect Use of Privileged APIs

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain SYSTEM privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Unicam FX: All versions

3.2 Vulnerability Overview

3.2.1 INCORRECT USE OF PRIVILEGED APIS CWE-648

The windows installer agent used in affected product contains incorrect use of privileged APIs that trigger the Windows Console Host (conhost.exe) as a child process with SYSTEM privileges. This could be exploited by an attacker to perform a local privilege escalation attack.

CVE-2024-22042 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22042. A base score of 8.5 has been assigned; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sector
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Unicam FX: Currently no fix is planned

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-543502 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens SIDIS Prime

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIDIS Prime
Vulnerabilities: Use of Insufficiently Random Values, NULL Pointer Dereference, Infinite Loop

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with access to the network where SIDIS Prime is installed to reuse OPC UA client credentials, create a denial-of-service condition of the SIDIS Prime OPC UA client, or create a denial-of-service condition of the SIDIS Prime TLS service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SIDIS Prime: All versions prior to V4.0.400

3.2 Vulnerability Overview

3.2.1 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man-in-the-middle attackers to reuse encrypted user credentials sent over the network.

CVE-2019-19135 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2019-19135. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N.

3.2.2 NULL POINTER DEREFERENCE CWE-476

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a denial-of-service attack.

CVE-2020-1967 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2020-1967. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N.

3.2.3 NULL POINTER DEREFERENCE CWE-476

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial-of-service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate. 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared, then that attacker could trigger a crash. For example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL, then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL’s s_server, s_client and verify tools have support for the “-crl_download” option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However, it is possible to construct a malformed EDIPARTYNAME that OpenSSL’s parser will accept and hence trigger this attack.

CVE-2020-1971 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2020-1971. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N.

3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835

The BN_mod_sqrt() function in openSSL, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger an infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-0778. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N.

3.2.5 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

CVE-2022-29862 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29862. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N.

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released a new version of SIDIS Prime and recommends users update to the latest version:

Update to V4.0.400 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Enable encrypted communication between the affected product (OPC UA client) and the OPC UA server(s)

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-108696 in HTML and CSAF.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens CP343-1 Devices

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC CP 343-1, SIMATIC CP 343-1Lean, SIPLUS NET CP 343-1, SIPLUS NET CP 343-1 Lean
Vulnerability: Improper Verification of Source of a Communication Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to create a denial-of-service condition by injecting spoofed TCP RST packets.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SIMATIC CP 343-1 (6GK7343-1EX30-0XE0): All versions
SIMATIC CP 343-1 Lean (6GK7343-1CX10-0XE0): All versions
SIPLUS NET CP 343-1 (6AG1343-1EX30-7XE0): All versions
SIPLUS NET CP 343-1 Lean (6AG1343-1CX10-2XE0): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER VERIFICATION OF SOURCE OF A COMMUNICATION CHANNEL CWE-940

Affected products incorrectly validate TCP sequence numbers. This could allow an unauthenticated remote attacker to create a denial-of-service condition by injecting spoofed TCP RST packets.

CVE-2023-51440 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-51440. A base score of 8.7 has been assigned; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Apply network segmentation and defense-in-depth practices to reduce likelihood of a threat actor to be able to reach a potentially vulnerable device.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-516818 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens SIMATIC RTLS Gateways

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.7
ATTENTION: Exploitable from adjacent network
Vendor: Siemens
Equipment: SIMATIC RTLS Gateway RTLS4030G, SIMATIC RTLS Gateway RTLS4430G
Vulnerability: Improper Handling of Length Parameter Inconsistency

2. RISK EVALUATION

The Treck TCP/IP stack on affected devices improperly handles length parameter inconsistencies. Unauthenticated remote attackers may be able to send specially crafted IP packets which could lead to a denial of service condition or remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23): All versions
SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03): All versions
SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13): All versions
SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33): All versions
SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130

CVE-2020-11896 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2020-11896. A base score of 7.7 has been assigned; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23), SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03), SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13), SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33), SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03): Currently no fix is planned. Implement Security recommendations according to the product manual

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-647068 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Siemens SCALANCE W1750D

Written by on February 15, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE W1750D
Vulnerabilities: Classic Buffer Overflow, Improper Input Validation, Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject commands or exploit buffer overflow vulnerabilities which could lead to sensitive information disclosure, unauthenticated denial-of-service or unauthenticated remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

There are buffer overflow vulnerabilities in the underlying CLI service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-45614 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

CVE-2023-45615 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.3 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

There is a buffer overflow vulnerability in the underlying AirWave client service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-45616 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

There are arbitrary file deletion vulnerabilities in the CLI service accessed by PAPI (Aruba’s access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point.

CVE-2023-45617 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

There are arbitrary file deletion vulnerabilities in the AirWave client service accessed by PAPI (Aruba’s access point management protocol). Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point.

CVE-2023-45618 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

There is an arbitrary file deletion vulnerability in the RSSI service accessed by PAPI (Aruba’s access point management protocol). Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to the ability to interrupt normal operation and impact the integrity of the access point.

CVE-2023-45619 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the CLI service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45620 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

CVE-2023-45621 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the BLE daemon service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45622 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Wi-Fi Uplink service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45623 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

An unauthenticated Denial-of-Service (DoS) vulnerability exists in the soft ap daemon accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45624 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.12 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2023-45625 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.13 IMPROPER INPUT VALIDATION CWE-20

An authenticated vulnerability has been identified allowing an attacker to effectively establish highly privileged persistent arbitrary code execution across boot cycles.

CVE-2023-45626 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.14 IMPROPER INPUT VALIDATION CWE-20

An authenticated Denial-of-Service (DoS) vulnerability exists in the CLI service. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point.

CVE-2023-45627 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

CVE-2023-45614, CVE-2023-45615, CVE-2023-45616, CVE-2023-45617, CVE-2023-45618, CVE-2023-45619, CVE-2023-45620, CVE-2023-45621, CVE-2023-45622, CVE-2023-45623, CVE-2023-45624: Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited.
CVE-2023-45625, CVE-2023-45626, CVE-2023-45627: The CLI and web-based management interfaces should be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-716164 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

February 15, 2024: Initial Publication

Mitsubishi Electric MELSEC iQ-R Series Safety CPU

Written by on February 13, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 6.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-R Series Safety CPU and SIL2 Process CPU Module
Vulnerability: Incorrect Privilege Assignment

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than themselves.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following MELSEC iQ-R Series products are affected:

MELSEC iQ-R Series Safety CPU R08SFCPU: All versions
MELSEC iQ-R Series Safety CPU R16SFCPU: All versions
MELSEC iQ-R Series Safety CPU R32SFCPU: All versions
MELSEC iQ-R Series Safety CPU R120SFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R08PSFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R16PSFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R32PSFCPU: All versions
MELSEC iQ-R Series SIL2 Process CPU R120PSFCPU: All versions

3.2 Vulnerability Overview

3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

Information disclosure vulnerability due to incorrect privilege assignment exists in MELSEC iQ-R Series Safety CPU and SIL2 Process CPU modules. After a remote attacker logs into the CPU module as a non-administrator user, the attacker may disclose the credentials (user ID and password) of a user with a lower access level than the attacker by sending a specially crafted packet.

CVE-2023-6815 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos Inc. reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

When MELSEC iQ-R Series Safety CPU versions 27 or later is used with GX Works3 versions 1.087R or later, this attack can be prevented by enabling “communicating with only the enhanced version of vulnerability management of GX Works3” when writing user information to the CPU module. Mitsubishi Electric will implement the workaround in other products in the near future. Please contact your local Mitsubishi Electric representative to update your CPU module to the one listed above.

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual for each product. “1.13 Security” – “IP filter” in the MELSEC iQ-R Ethernet User’s Manual (Application).
Restrict physical access to the affected product as well as to the personal computers and the network devices that can communicate with it.
Install antivirus software on your personal computer that can access the affected product.

For specific update instructions and additional details, see Mitsubishi Electric advisory 2023-021.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

February 13, 2024: Initial Publication

Qolsys IQ Panel 4, IQ4 HUB

Written by on February 8, 2024. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.3
ATTENTION: Low attack complexity
Vendor: Qolsys, Inc.
Equipment: IQ Panel 4, IQ4 Hub
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the panel software, under certain circumstances, to provide unauthorized access to settings.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Qolsys, Inc, a subsidiary of Johnson Controls, are affected:

Qolsys IQ Panel 4: Versions prior to 4.4.2
Qolsys IQ4 Hub: Versions prior to 4.4.2

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

In Qolsys IQ Panel 4 and IQ4 Hub versions prior to 4.4.2, panel software, under certain circumstances, could allow unauthorized access to settings.

CVE-2024-0242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Cody Jung reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls has provided the following recommendations for its subsidiary company, Qolsys, Inc, to help reduce the risk of the vulnerability:

Upgrade IQ Panel 4, IQ4 Hub to version 4.4.2.
The firmware can be updated remotely to all available devices in the field.
The firmware update can also be manually loaded by applying the patch tag “iqpanel4.4.2” on the device after navigating to its firmware update page.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-03.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 8, 2024: Initial Publication