Siemens SENTRON PAC3200 Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SENTRON 7KM PAC3200
Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access clear text communication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SENTRON PAC3200 devices are affected:

SENTRON 7KM PAC3200: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

Affected devices provide only a 4-digit PIN to protect against administrative access via the Modbus TCP interface. Attackers with access to the Modbus TCP interface could easily bypass this protection by brute-force attacks or by sniffing the Modbus clear text communication.

CVE-2024-41798 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41798. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Messner from Siemens Energy reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SENTRON 7KM PAC3200: Currently no fix is planned
Consider the PIN as protection against unauthorized operation (i.e., protection against inadvertent operating errors), not as protection against malicious access attempts, such as through brute-force attacks; for details see the FAQ article at https://support.industry.siemens.com/cs/ww/en/view/109975235/

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-850560 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens PSS SINCAL

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: PSS SINCAL
Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition or kernel memory corruption on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected if WibuKey dongles are used:

PSS SINCAL: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v6.70. An improper bounds check allows crafted packets to cause an arbitrary address write, resulting in kernel memory corruption.

CVE-2024-45181 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45181. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

An issue was discovered in WibuKey64.sys in WIBU-SYSTEMS WibuKey before v6.70 and fixed in v6.70. An improper bounds check allows specially crafted packets to cause an arbitrary address read, resulting in denial of service.

CVE-2024-45182 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45182. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

WIBU Systems has released a new version for WibuKey for Windows. Siemens recommends users update WibuKey Runtime for Windows to V6.70 or later version (https://www.wibu.com/us/support/user/downloads-user-software.html) on affected Windows client installations, where WibuKey Dongles are used.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-368868 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens Teamcenter Visualization and JT2Go

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Teamcenter Visualization and JT2Go
Vulnerabilities: Stack-based Buffer Overflow, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the application or perform arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Teamcenter Visualization and JT2Go are affected:

JT2Go: All versions prior to V2406.0003
Teamcenter Visualization V14.2: All versions prior to V14.2.0.13
Teamcenter Visualization V14.3: All versions prior to V14.3.0.11
Teamcenter Visualization V2312: All versions prior to V2312.0008
Teamcenter Visualization V2406: All versions prior to V2406.0003
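
The affected-version list above, turned into an inventory triage check. This is an added example, not code from CISA or Siemens; it assumes version strings are dotted numbers with an optional leading "V" and that padded components compare numerically, and the host names and installed versions in the sample inventory are constructed.

```python
import re

# (product, release-branch prefix, first fixed version), copied from the
# affected-products list above. An empty prefix means the row covers every
# version of that product.
ADVISORY_ROWS = [
    ("JT2Go", "", "V2406.0003"),
    ("Teamcenter Visualization", "V14.2", "V14.2.0.13"),
    ("Teamcenter Visualization", "V14.3", "V14.3.0.11"),
    ("Teamcenter Visualization", "V2312", "V2312.0008"),
    ("Teamcenter Visualization", "V2406", "V2406.0003"),
]


def parse_version(text):
    """Turn 'V14.2.0.13' or 'V2406.0003' into a tuple of ints.

    Assumption: components compare numerically, so '0003' equals 3.
    """
    match = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(product, installed):
    """Return 'affected', 'fixed' or 'not listed' for one installation.

    Each Teamcenter Visualization release branch has its own fixed version,
    so the installed version is compared only against the row whose branch
    prefix it starts with. A branch the advisory does not name is reported
    as 'not listed' rather than guessed at.
    """
    version = parse_version(installed)
    for row_product, branch, fixed in ADVISORY_ROWS:
        if row_product.lower() != product.strip().lower():
            continue
        prefix = parse_version(branch) if branch else ()
        if version[:len(prefix)] != prefix:
            continue
        return "affected" if version < parse_version(fixed) else "fixed"
    return "not listed"


# Constructed inventory for illustration; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Teamcenter Visualization", "V14.3.0.5"),
    ("eng-ws-02", "Teamcenter Visualization", "V2312.0008"),
    ("eng-ws-03", "JT2Go", "V2312.0008"),
    ("eng-ws-04", "Teamcenter Visualization", "V14.1.0.9"),
]


def triage(inventory):
    """Attach an assessment to every (host, product, version) record."""
    return [
        (host, product, version, assess(product, version))
        for host, product, version in inventory
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

The same version string gives different answers for the two products: V2312.0008 is the fixed release on the Teamcenter Visualization V2312 branch, but for JT2Go it is still prior to V2406.0003.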

3.2 Vulnerability Overview

3.2.1 NULL POINTER DEREFERENCE CWE-476

The affected applications contain a null pointer dereference vulnerability while parsing specially crafted XML files. An attacker could leverage this vulnerability to crash the application, causing a denial-of-service condition.

CVE-2024-37996 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-37996. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack-based overflow vulnerability while parsing specially crafted XML files. This could allow an attacker to execute code in the context of the current process.

CVE-2024-37997 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37997. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

JT2Go: Update to V2406.0003 or later version
Teamcenter Visualization V14.2: Update to V14.2.0.13 or later version
Teamcenter Visualization V14.3: Update to V14.3.0.11 or later version
Teamcenter Visualization V2312: Update to V2312.0008 or later version
Teamcenter Visualization V2406: Update to V2406.0003 or later version

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

CVE-2024-37996, CVE-2024-37997: Do not open untrusted XML files in affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-959281 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens SINEC Security Monitor

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEC Security Monitor
Vulnerabilities: Argument Injection, Command Injection, Path Traversal, Permissive List of Allowed Inputs

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, execute privileged commands, or compromise the integrity of the configuration of the affected application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens SINEC Security Monitor, a modular cyber security software, are affected:

SINEC Security Monitor: All versions prior to V4.9.0

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND (‘ARGUMENT INJECTION’) CWE-88

The affected application does not properly validate user input to the ssmctl-client command. This could allow an authenticated, lowly privileged remote attacker to execute arbitrary code with root privileges on the underlying OS.

CVE-2024-47553 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47553. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

The affected application does not properly neutralize special elements in user input to the ssmctl-client command. This could allow an authenticated, lowly privileged local attacker to execute privileged commands in the underlying OS.

CVE-2024-47562 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47562. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The affected application does not properly validate a file path that is supplied to an endpoint intended to create CSR files. This could allow an unauthenticated remote attacker to create files in writable directories outside the intended location and thus compromise integrity of files in those writable directories.

CVE-2024-47563 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47563. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.4 PERMISSIVE LIST OF ALLOWED INPUTS CWE-183

The affected application does not properly validate that user input complies with a list of allowed values. This could allow an authenticated remote attacker to compromise the integrity of the configuration of the affected application.

CVE-2024-47565 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47565. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SINEC Security Monitor: Update to V4.9.0 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-430425 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens HiMed Cockpit

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: HiMed Cockpit
Vulnerability: Improper Protection of Alternate Path

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escape the restricted environment and gain access to the underlying operating system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens HiMed Cockpit, a multimedia terminal, are affected:

HiMed Cockpit 12 pro (J31032-K2017-H259): Versions V11.5.1 up to but not including V11.6.2
HiMed Cockpit 14 pro+ (J31032-K2017-H435): Versions V11.5.1 up to but not including V11.6.2
HiMed Cockpit 18 pro (J31032-K2017-H260): Versions V11.5.1 up to but not including V11.6.2
HiMed Cockpit 18 pro+ (J31032-K2017-H436): Versions V11.5.1 up to but not including V11.6.2

3.2 Vulnerability Overview

3.2.1 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424

The Kiosk Mode of the affected devices contains a restricted desktop environment escape vulnerability. This could allow an unauthenticated local attacker to escape the restricted environment and gain access to the underlying operating system.

CVE-2023-52952 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2023-52952. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tamay Caliskan reported this vulnerability to Siemens. Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

HiMed Cockpit 12 pro (J31032-K2017-H259): Update to V11.6.2 or later version
HiMed Cockpit 14 pro+ (J31032-K2017-H435): Update to V11.6.2 or later version
HiMed Cockpit 18 pro (J31032-K2017-H260): Update to V11.6.2 or later version
HiMed Cockpit 18 pro+ (J31032-K2017-H436): Update to V11.6.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-540493 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Siemens Questa and ModelSim

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

1. EXECUTIVE SUMMARY

CVSS v4 5.4
ATTENTION: Exploitable locally
Vendor: Siemens
Equipment: Questa and ModelSim
Vulnerabilities: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject arbitrary code and escalate privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Questa and ModelSim are affected:

ModelSim: All versions prior to V2024.3
Questa: All versions prior to V2024.3

3.2 Vulnerability Overview

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

vish2.exe in affected applications allows a specific DLL file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch vish2.exe from a user-writable directory.

CVE-2024-47194 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47194. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

gdb.exe in affected applications allows a specific executable file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch gdb.exe from a user-writable directory.

CVE-2024-47195 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47195. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

vsimk.exe in affected applications allows a specific tcl file to be loaded from the current working directory. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges in installations where administrators or processes with elevated privileges launch vsimk.exe from a user-writable directory.

CVE-2024-47196 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47196. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

ycdxsb reported these vulnerabilities to Siemens. Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

ModelSim: Update to V2024.3 or later version
Questa: Update to V2024.3 or later version
Harden the application server to prevent local access by untrusted personnel

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-426509 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

October 10, 2024: Initial Publication

Subnet Solutions Inc. PowerSYSTEM Center

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Subnet Solutions Inc.
Equipment: PowerSYSTEM Center
Vulnerabilities: Server-Side Request Forgery (SSRF), Inefficient Regular Expression Complexity, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerSYSTEM Center are affected:

PowerSYSTEM Center: PSC 2020 v5.21.x and prior

3.2 Vulnerability Overview

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

Vulnerable versions of PowerSYSTEM Center utilize Axios NPM package 0.21.0, which contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVE-2020-28168 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
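The redirect problem described in 3.2.1 comes down to validating only the first URL. The following added example (not Axios or PowerSYSTEM Center code) compares that with a check applied at every redirect hop; the function names, allowlist, and redirect table are hypothetical and constructed for illustration.

```javascript
// Added example with hypothetical names; not Axios or PowerSYSTEM Center code.

// Constructed allowlist of hosts the server is permitted to contact.
const ALLOWED_HOSTS = new Set(['updates.example.com', 'cdn.example.com']);

// Constructed redirect table standing in for real HTTP responses:
// URL -> Location header of a 3xx response (no entry = final response).
const SAMPLE_REDIRECTS = new Map([
  ['https://updates.example.com/feed', '/v2/feed'],
  ['https://updates.example.com/v2/feed', 'https://cdn.example.com/feed.json'],
  ['https://updates.example.com/promo', 'http://10.0.0.5/internal-status'],
  ['https://updates.example.com/loop', 'https://updates.example.com/loop'],
]);

function hostAllowed(url) {
  const u = new URL(url);
  const webScheme = u.protocol === 'https:' || u.protocol === 'http:';
  return webScheme && ALLOWED_HOSTS.has(u.hostname);
}

// Weak: validates only the URL the caller supplied.
function checkInitialOnly(startUrl) {
  return hostAllowed(startUrl);
}

// Hardened: validates every hop before it would be fetched,
// resolves relative Location values, and bounds the chain length.
function checkEveryHop(startUrl, redirects, maxHops = 5) {
  const seen = new Set();
  let current = new URL(startUrl).href;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!hostAllowed(current)) {
      return { ok: false, reason: 'blocked-host', at: current };
    }
    if (seen.has(current)) {
      return { ok: false, reason: 'redirect-loop', at: current };
    }
    seen.add(current);
    const location = redirects.get(current);
    if (location === undefined) return { ok: true, final: current };
    current = new URL(location, current).href;
  }
  return { ok: false, reason: 'too-many-redirects', at: current };
}
```

In a real client the same per-hop check would run inside the redirect handler, with automatic redirect following disabled or intercepted.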

3.2.2 INEFFICIENT REGULAR EXPRESSION COMPLEXITY CWE-1333

Vulnerable versions of PowerSYSTEM Center utilize Axios, which is vulnerable to Inefficient Regular Expression Complexity.

CVE-2021-3749 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Vulnerable versions of PowerSYSTEM Center utilize Axios 1.5.1, which can inadvertently reveal the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

CVE-2023-45857 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
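The header behaviour described in 3.2.3 can be modelled in a few lines. This added example (not Axios source code) shows a header builder that attaches X-XSRF-TOKEN to every request beside one that attaches it only to same-origin requests, plus a helper that lists which requests would leak the token; all function names, the origin, and the cookie values are hypothetical and constructed.

```javascript
// Added example with hypothetical names; models the behaviour described
// in the advisory and is not Axios source code.

// Read one cookie value from a Cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Leaky: the destination is never consulted, so any host receives the token.
function buildHeadersLeaky(requestUrl, pageOrigin, cookieString) {
  const headers = {};
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token !== null) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Hardened: attach the token only when scheme, host and port match the page.
function buildHeadersSameOrigin(requestUrl, pageOrigin, cookieString) {
  const headers = {};
  const target = new URL(requestUrl, pageOrigin); // relative URLs stay on-origin
  if (target.origin !== new URL(pageOrigin).origin) return headers;
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token !== null) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Audit helper: which outgoing requests would carry the token off-origin?
function findTokenLeaks(requestUrls, pageOrigin, cookieString) {
  const origin = new URL(pageOrigin).origin;
  return requestUrls.filter((url) => {
    const crossOrigin = new URL(url, pageOrigin).origin !== origin;
    const sent = 'X-XSRF-TOKEN' in buildHeadersLeaky(url, pageOrigin, cookieString);
    return crossOrigin && sent;
  });
}

// Constructed sample data (not taken from any real deployment).
const SAMPLE_ORIGIN = 'https://psc.example.internal';
const SAMPLE_COOKIES = 'session=abc123; XSRF-TOKEN=constructed-token-value';
const SAMPLE_REQUESTS = [
  '/api/devices',
  'https://psc.example.internal/api/users',
  'https://psc.example.internal:8443/api/users',
  'https://maps.example.net/tiles/1/2/3.png',
];
```

Note that a different port on the same hostname counts as a different origin, so the hardened builder withholds the token there as well.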

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions Inc. recommends users update to PowerSYSTEM Center 2020 Update 22, which can be located in the PowerSYSTEM Center by accessing Settings > Overview > Version. Users may also contact Subnet Solutions’ Customer Service.

Subnet Solutions Inc. strongly recommends users update to the latest version. If this is not possible, the following paragraphs describe the security control compensation(s), mitigation(s), or workaround(s) available for identified vulnerabilities:

For all vulnerabilities, users can disable usage of previous UI extensions.
For CVE-2020-28168 and CVE-2023-45857, users can limit outbound connection requests from the PowerSYSTEM Center security zone to external websites.
For CVE-2023-45857 and CVE-2021-3749, users can disable the ability of PowerSYSTEM Center Client Access Server users to access the browser’s F12 Developer Tools, which limits their ability to see HTTP headers and the corresponding XSRF-TOKEN and to manipulate requests to the PowerSYSTEM Center website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 3, 2024: Initial Publication

TEM Opera Plus FM Family Transmitter

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: TEM
Equipment: Opera Plus FM Family Transmitter
Vulnerabilities: Missing Authentication for Critical Function, Cross-Site Request Forgery (CSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TEM Opera Plus FM Family Transmitter, an FM transmitter, are affected:

Opera Plus FM Family Transmitter: Version 35.45

3.2 Vulnerability Overview

3.2.1 Missing Authentication for Critical Function CWE-306

TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server’s main interfaces and execute arbitrary code.

CVE-2024-41988 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41988. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Cross-Site Request Forgery (CSRF) CWE-352

The TEM Opera Plus FM Family Transmitter application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

CVE-2024-41987 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41987. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) authored by Gjoko Krstic and reported it to TEM.

4. MITIGATIONS

TEM has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact TEM for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 03, 2024: Initial Publication

Delta Electronics DIAEnergie

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Delta Electronics
Equipment: DIAEnergie
Vulnerabilities: SQL Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve records or cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:

DIAEnergie: Versions v1.10.01.008 and prior.

3.2 Vulnerability Overview

3.2.1 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.

CVE-2024-43699 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43699. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause delay in the targeted product.

CVE-2024-42417 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-42417. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from Delta Electronics’ regional sales or agents.

For more information on this issue, please see the Delta product cybersecurity advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 3, 2024: Initial Publication

Optigo Networks ONS-S8 Spectra Aggregation Switch

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Optigo Networks
Equipment: ONS-S8 – Spectra Aggregation Switch
Vulnerabilities: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’), Weak Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, arbitrary file upload, or bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ONS-S8 – Spectra Aggregation Switch, an OT network management device, are affected:

ONS-S8 – Spectra Aggregation Switch: 1.3.7 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM (‘PHP REMOTE FILE INCLUSION’) CWE-98

The web service for ONS-S8 – Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.

CVE-2024-41925 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41925. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 WEAK AUTHENTICATION CWE-1390

The web server for ONS-S8 – Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password.

CVE-2024-45367 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45367. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Optigo Networks recommends users always use a unique management VLAN for the port on the ONS-S8 that is used to connect to OneView.

Optigo Networks also recommends users implement at least one of the following additional mitigations:

Use a dedicated NIC on the BMS computer, and use only this computer to connect to OneView to manage your OT network configuration.
Set up a router firewall with a white list for the devices permitted to access OneView.
Connect to OneView via secure VPN.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 1, 2024: Initial Publication