View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 5.9
• ATTENTION: Exploitable remotely
• Vendor: Hitachi Energy
• Equipment: RTU500 series CMU
• Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

• RTU500 series CMU Firmware: Versions 12.0.1 through 12.0.14
• RTU500 series CMU Firmware: Versions 12.2.1 through 12.2.11
• RTU500 series CMU Firmware: Versions 12.4.1 through 12.4.11
• RTU500 series CMU Firmware: Versions 12.6.1 through 12.6.9
• RTU500 series CMU Firmware: Versions 12.7.1 through 12.7.6
• RTU500 series CMU Firmware: Versions 13.2.1 through 13.2.6
• RTU500 series CMU Firmware: Versions 13.4.1 through 13.4.3
• RTU500 series CMU Firmware: Version 13.5.1

3.2 Vulnerability Overview

3.2.1 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) CWE-120

A vulnerability exists in SCI IEC 60870-5-104 and HCI IEC 60870-5-104 that affects the RTU500 series product. Specially crafted messages sent to the mentioned components are not validated properly and can result in buffer overflow and as final consequence to a reboot of an RTU500 CMU.

CVE-2023-6711 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Toralf Gimpel from GAI NetConsult GmbH reported this vulnerability to Hitachi Energy.

4. MITIGATIONS

Hitachi Energy recommends that users update to the respective series CMU firmware version as below.

• Hitachi Energy RTU500 series CMU Firmware 12.0.15
• Hitachi Energy RTU500 series CMU Firmware 12.2.12
• Hitachi Energy RTU500 series CMU Firmware 12.4.12
• Hitachi Energy RTU500 series CMU Firmware 12.6.10
• Hitachi Energy RTU500 series CMU Firmware 12.7.7
• Hitachi Energy RTU500 series CMU Firmware 13.2.7
• Hitachi Energy RTU500 series CMU Firmware 13.4.4
• Hitachi Energy RTU500 series CMU Firmware 13.5.2

Hitachi Energy recommends that users follow the “Remote Terminal Units Security Deployment Guideline” as well to apply mitigation as described below.

Hitachi Energy recommends users implementing recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy Cybersecurity Advisory “DoS Vulnerability in Hitachi Energy’s RTU500 series products”.

For additional information and support please contact your product provider or Hitachi Energy service organization at https://www.hitachienergy.com/contact-us/.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Modicon M241 / M251 / M258 / LMC058
• Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a denial-of-service and a loss of confidentiality and integrity in the controller.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that following Modicon PLCs are affected:

• Modicon Controllers M241: All versions
• Modicon Controllers M251: All versions
• Modicon Controllers M258: All versions
• Modicon Controllers LMC058: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists that could lead to a denial-of-service and a loss of confidentiality and integrity in the controller when an unauthenticated crafted Modbus packet is sent to the device.

CVE-2024-11737 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11737. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Wooyeon Jo and Irfan Ahmed of Virginia Commonwealth University reported this vulnerability to Schneider Electric.

4. MITIGATIONS

Schneider Electric is establishing a remediation plan for all future versions of Modicon M241/M251/M258/LMC058 that will include a fix for this vulnerability. They will update SEVD-2024-345-03 when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

• Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
• Filter ports and IP through the embedded firewall.
• Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
• Disable all unused protocols (default configuration).
• For more details refer to “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment Guide”

To ensure users are informed of all updates, including details on affected products and remediation plans, Schneider Electric recommends subscription to their security notification service.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric recommended cybersecurity best practices document.

For more information, see Schneider Electric security notification “SEVD-2024-345-03 Modicon M241 / M251 / M258 / LMC058”

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 17, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.0
• ATTENTION: Exploitable from adjacent network
• Vendor: Hitachi Energy
• Equipment: SDM600
• Vulnerabilities: Origin Validation Error, Incorrect Authorization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and access sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

• Hitachi Energy SDM600: Versions prior to 1.3.4

3.2 Vulnerability Overview

3.2.1 ORIGIN VALIDATION ERROR CWE-346

A vulnerability exists in the too permissive HTTP response header web server settings of the SDM600. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information.

CVE-2024-2377 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.2.2 INCORRECT AUTHORIZATION CWE-863

A vulnerability exists in the web-authentication component of the SDM600. If exploited an attacker could escalate privileges on affected installations.

CVE-2024-2378 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SDM600 versions below 1.3.4: Update to version 1.3.4 (Build Number 1.3.4.574).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Delta Electronics
• Equipment: DTM Soft
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

• DTM Soft: Versions 1.30 and prior

3.2 Vulnerability Overview

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The affected product deserializes objects, which could allow an attacker to execute arbitrary code.

CVE-2024-12677 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12677. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update DTM Soft to version 1.60.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: User Management Component (UMC)
• Vulnerability: Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Opcenter Execution Foundation: All versions
• Opcenter Intelligence: All versions
• Opcenter Quality: All versions
• Opcenter RDL: All versions
• SIMATIC PCS neo V4.0: All versions
• SIMATIC PCS neo V4.1: All versions
• SIMATIC PCS neo V5.0: All versions prior to V5.0 Update 1
• SINEC NMS: All versions
• Totally Integrated Automation Portal (TIA Portal) V16: All versions
• Totally Integrated Automation Portal (TIA Portal) V17: All versions
• Totally Integrated Automation Portal (TIA Portal) V18: All versions
• Totally Integrated Automation Portal (TIA Portal) V19: All versions

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.

CVE-2024-49775 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-49775. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tenable reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or are not yet, available.

• SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version
• SINEC NMS: Update SINEC NMS to V3.0 SP2 or later version and UMC to V2.15 or later version. Contact customer support to receive patch and update information.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Filter the Ports 4002 and 4004 to only accept connections to/from the IP addresses of machines that run UMC and are part of the UMC network e.g. with an external firewall
• In addition if no RT server machines are used, Port 4004 can be blocked completely.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-928984 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Tibbo
• Equipment: AggreGate Network Manager
• Vulnerability: Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve code execution on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Tibbo products are affected:

• Aggregate Network Manager: Versions 6.34.02 and prior

3.2 Vulnerability Overview

3.2.1 Unrestricted Upload of File with Dangerous Type CWE-434

There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload an jsp shell and execute code with the privileges of user running the web server.

CVE-2024-12700 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12700. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Vu Khanh Trinh (@Sonicrr) of VNPT Cyber Immunity working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Tibbo recommends users update to Versions 6.40.02, 6.34.03, or latest version.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Accutech Manager

• Vulnerability: Classic Buffer Overflow

  2. RISK EVALUATION

Successful exploitation could allow an attacker to cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric Accutech Manager: Versions 2.08.01 and prior

3.2 Vulnerability Overview

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A Classic Buffer Overflow vulnerability exists that could cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP.

CVE-2024-6918 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Update Schneider Electric Accutech Manager to version 2.10.0.
• Instructions are provided with the software installation package on how to verify software revision.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-226-01 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 5.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Modicon Controllers
• Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a victim’s browser to run arbitrary JavaScript when visiting a page containing injected payload.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric Modicon Controllers M258 / LMC058: All versions
• Schneider Electric Modicon Controllers M262: Versions prior to 5.2.8.26
• Schneider Electric Modicon Controllers M251: Versions prior to 5.2.11.24
• Schneider Electric Modicon Controllers M241: Versions prior to 5.2.11.24

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A Cross-site Scripting  vulnerability exists  where an attacker could cause a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload.

CVE-2024-6528 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, and Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M241 Firmware version 5.2.11.24 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert. Update Modicon Controller M241 to the latest Firmware and perform reboot
• Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Modicon Controller M251 Firmware version 5.2.11.24 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert. Update Modicon Controller M251 to the latest Firmware and perform reboot
• Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26: Modicon Controller M262 Firmware version 5.2.8.26 delivered with EcoStruxure Machine Expert v2.2.2 includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application.https://www.se.com/ww/en/product-range/2226-ecostruxure-machine-expert-software/ On the engineering workstation, update to v2.2.2 of EcoStruxure Machine Expert. Update Modicon Controller M262 to the latest Firmware and perform reboot
• Schneider Electric Modicon Controllers Version prior to v5.2.11.24, Schneider Electric Modicon Controllers M258 / LMC058 All versions , Schneider Electric Modicon Controllers M262 Versions prior to v5.2.8.26, Schneider Electric Modicon Controllers Version prior to v5.2.11.24: Users should immediately apply the following mitigations to reduce the risk of exploit: Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks. Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use. Deactivate the Webserver after use when not needed. Use encrypted communication links. Setup network segmentation and implement a firewall to block all unauthorized access to port 80/HTTP and 443/HTTPS. Use VPN (Virtual Private Networks) tunnels if remote access is required. The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product specific chapters to ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-191-04 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 19, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.0
• ATTENTION: Low Attack Complexity
• Vendor: Beckhoff Automation
• Equipment: TwinCAT Package Manager
• Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation this vulnerability could allow a local attacker with administrative access rights to execute arbitrary OS commands on the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Beckhoff Automation products are affected:

• TwinCAT Package Manager: Versions prior to 1.0.603.0

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

A local user with administrative access rights can enter specially crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.

CVE-2024-8934 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8934. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

elcazator of Elex Feigong Research Institute of Elex CyberSecurity, Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Beckhoff Automation recommends users update to at least version 1.0.613.0.

Additionally, Beckhoff Automation has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Administrative users should always act thoroughly and inspect the values which they enter.
• Please update to a recent version of the affected product.

For more information CERT@VDE has released security advisory VDE-2024-064

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• November 7, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Bosch Rexroth
• Equipment: IndraDrive
• Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Bosch Rexroth reports that the following versions of IndraDrive, servo drive system, are affected:

• Bosch Rexroth AG IndraDrive FWA-INDRV*–MP*: 17VRS < 20V36

3.2 Vulnerability Overview

3.2.1 Uncontrolled Resource Consumption CWE-400

A vulnerability in the PROFINET stack implementation of the IndraDrive of Bosch Rexroth allows an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.

CVE-2024-48989 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48989. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Roni Gavrilov from OTORIO reported this vulnerability to CISA.

4. MITIGATIONS

Bosch Rexroth has fixed this vulnerability starting with FWA-INDRV-MP-20V36. Bosch Rexroth recommends updating as soon as possible.

In use cases in which a device update is not possible or not feasible, Bosch Rexroth recommends compensatory measures which prevent or at least complicate taking advantage of the vulnerability. Always define such compensatory measures individually, in the context of the operational environment.

Some possible measures are described in “Security Manual Electric Drives and Controls”, like network segmentation. In general, it is highly recommended to implement the measures described in “Security Manual Drives and Controls”.

For more information, refer to the Bosch PSIRT Security Advisory BOSCH-SA-2584444

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• November 7, 2024: Initial Publication