Site Pages and Categories
- Locations
- Newsletter Sign-up and Archive
- IT Services and IT Projects
- Microsoft Office 365 Suite
- Full I.T. Outsourcing
- Agility Network IT Services
- VCIO Services & Engagements
- Emergency Network Support
- Help Desk Services
- Remote I.T. Management Tools
- Network Management Chicago
- I.T. System Management (Hourly/As-Needed)
- Computer Network Outsourcing Services
- Comprehensive Chicago I.T. Services
- Chicago IT Services
- Schaumburg I.T. Outsourcing Services
- Network Consulting General Service Delivery Overview
- Our Remote Management and Monitoring Tools
- Chicago IT Outsourcing
- Chicago IT Consulting Services
- Chicago IT Consulting Network Management
- Chicago IT Consulting Services
- Chicago IT Company
- Comprehensive Overview of Services
- Cloud Migration Services
- I.T. Audits And I.T. Assessments
- Business Continuity
- Wireless Products / Services
- Systems Virtualization & Consolidation
- I.T. Network Security Services
- I.T. Security: Threat Solution Management & Ethical Hacking
- Pen Testing (perimeter / firewalls)
- Pen Testing (applications)
- Phishing Testing
- Anti-Virus & Anti-Malware – I.T. Security
- Cylance Protect End-Point Security / On-Site MSSP Consulting
- Firewalls
- Cisco Meraki Products and Licensing
- I.T. Security Services Overview
- FAQ Cybersecurity Network Security Services
- Firewall Pen Testing Services Cost
- Gdown – Google explains dec 2020 Outage Post
- Exploitation Of Fortinet FortiOS Vulnerabilities
- Multi Factor Authentication
- PEN Testing Vulnerability and Social Engineering for Cost Form
- What To Do With An “Out-of-Band” Issue
- Wireless Installation Services In Chicago
- Book Chicago IT Firm Time
- Sitemap
- Privacy Policy
- Service Request
- Frameworkit
- Client Portal
- Please Read
- Estimate Received
- Newsletter Sign Up
- IT Services Projects 2
- Thank You for Contacting Us
- Form Fill and We Will Respond
- Cookie Policy
- Contact Information
- Managed I.T. Services Provider
- Agent Core – Two Factor Authentication
- AMP Enterprise
- Chicago MSP Cost Calculator Cost Estimator
- MSP Core Help Desk Services
- Fixed Fee IT Services Monthly Cost Estimation Calculator
- Hybrid Management
- Managed Services
- More Managed I.T Services
- MSP Agent Core – Back Up
- MSP Agent Core Anti-Virus – Anti-Malware
- MSP Core Remote Network Management
- Remote Monitoring and Management – RMM
- Anti-Virus & Anti-Malware
- Managed I.T. Services Provider Details
- About Agility
- reviewus
- Agility Careers
- Home New
- Why Choose Agility
- Copy of Why Choose Agility
- Contact Information Old
Blog Posts
- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:
  - CVE-2023-28771 Zyxel Multiple Firewalls OS Command Injection Vulnerability
  These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. This product is provided subject to this Notification and this Privacy & Use policy. (CISA, 2023-05-31)
- CISA released one Industrial Control Systems (ICS) advisory on May 30, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS:
  - ICSA-23-150-01 Advantech WebAccess/SCADA
  CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. (CISA, 2023-05-30)
- 1. EXECUTIVE SUMMARY
  - CVSS v3 7.3
  - ATTENTION: Low attack complexity
  - Vendor: Advantech
  - Equipment: WebAccess/SCADA
  - Vulnerabilities: Insufficient Type Distinction
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow an attacker full control over the supervisory control and data acquisition (SCADA) server.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  Advantech reports this vulnerability affects the following WebAccess/SCADA product:
  - WebAccess/SCADA: version 8.4.5
  3.2 VULNERABILITY OVERVIEW
  3.2.1 INSUFFICIENT TYPE DISTINCTION CWE-351
  If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. CVE-2023-2866 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Water and Wastewater Systems
  - COUNTRIES/AREAS DEPLOYED: East Asia, Europe, United States
  - COMPANY HEADQUARTERS LOCATION: Taiwan
  3.4 RESEARCHER
  Marlon Luis Petry reported this vulnerability to CISA.
  4. MITIGATIONS
  Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue. If users wish to remedy this problem in version 8.4.5, they can uninstall “WebAccess Dashboard” from the control panel and delete all of the following files:
  - \Inetpub\wwwroot\broadweb\WADashboard
  - \WebAccess\Node\WADashboardSetup.msi
  Advantech released a new version, V9.1.4, to address the problem by not including these files.
  CISA recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. (CISA, 2023-05-30)
- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:
  - CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation Vulnerability
  These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. (CISA, 2023-05-30)
- CISA released one Industrial Control Systems (ICS) advisory on May 25, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS:
  - ICSA-23-145-01 Moxa MXsecurity Series
  CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. (CISA, 2023-05-25)
- 1. EXECUTIVE SUMMARY
  - CVSS v3 9.8
  - ATTENTION: Exploitable remotely/low attack complexity
  - Vendor: Moxa
  - Equipment: MXsecurity Series
  - Vulnerabilities: Command Injection and Use of Hard-Coded Credentials
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an unauthorized user to bypass authentication or to execute arbitrary commands on the device.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  Moxa reports these vulnerabilities affect the following MXsecurity Series:
  - MXsecurity Series: Software v1.0
  3.2 VULNERABILITY OVERVIEW
  3.2.1 COMMAND INJECTION CWE-77
  A remote attacker, who has gained authorization privileges, could execute arbitrary commands on the device. CVE-2023-33235 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
  3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798
  An attacker could bypass authentication for web-based application programmable interfaces (APIs). CVE-2023-33236 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: Taiwan
  3.4 RESEARCHER
  Simon Janz, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Moxa has developed a solution to address these vulnerabilities. Users should upgrade to software v1.0.1 or higher. Users are encouraged to visit Moxa’s security advisory MPSA-230301 for more information.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. (CISA, 2023-05-25)
- CISA urges users to remain on alert for malicious cyber activity following a natural disaster such as a hurricane or typhoon, as attackers target potential disaster victims by leveraging social engineering tactics, techniques, and procedures (TTPs). Social engineering TTPs include phishing attacks that use email or malicious websites to solicit personal information by posing as a trustworthy organization, notably as charities providing relief. Exercise caution in handling emails with hurricane/typhoon-related subject lines, attachments, or hyperlinks to avoid compromise. In addition, be wary of social media pleas, texts, or door-to-door solicitations related to severe weather events. CISA encourages users to review the Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity, and CISA’s Using Caution with Email Attachments and Tips on Avoiding Social Engineering and Phishing Attacks to avoid falling victim to malicious attacks. (CISA, 2023-05-25)
- Today, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor. This advisory highlights how PRC cyber actors use techniques called “living off the land” to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations, and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide. The authoring agencies have identified potential indicators associated with these techniques. To hunt for this activity, CISA and partners encourage network defenders to use the actor’s commands and detection signatures provided in this advisory. CISA and partners further encourage network defenders to view the indicators of compromise (IOCs) and mitigations summaries to detect this activity. (CISA, 2023-05-24)
- 1. EXECUTIVE SUMMARY
  - CVSS v3 10.0
  - ATTENTION: Exploitable remotely/low attack complexity
  - Vendor: Mitsubishi Electric Corporation
  - Equipment: MELSEC Series CPU module
  - Vulnerabilities: Classic Buffer Overflow
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets. The attacker needs to understand the internal structure of products to execute malicious code. Therefore, it is difficult to execute malicious code.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU modules:
  - MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS): Serial number 17X**** or later, version 1.220 and later
  - MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS): Serial number 17X**** or later, version 1.220 and later
  - MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: version 1.220 and later
  3.2 VULNERABILITY OVERVIEW
  3.2.1 CLASSIC BUFFER OVERFLOW CWE-120
  A vulnerability, due to copying buffers without checking the size of input, exists in affected MELSEC Series CPU modules. Exploitation may allow a denial-of-service condition and malicious code execution. CVE-2023-1424 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: Japan
  3.4 RESEARCHER
  Matt Wiseman of Cisco Talos reported this vulnerability to Mitsubishi Electric.
  4. MITIGATIONS
  Mitsubishi Electric has created firmware version 1.290 to address this issue and encourages users to update. The following should be referred to when updating: “5 FIRMWARE UPDATE FUNCTION” in the MELSEC iQ-F FX5 User’s Manual (Application).
  Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:
  - Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when internet access is required.
  - Use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
  - Use the IP filter function to block access from untrusted hosts. For details regarding the IP filter function, users can refer to “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).
  - Restrict physical access to the LAN that is connected by affected products.
  For specific update instructions and additional details see the Mitsubishi Electric advisory.
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity. (CISA, 2023-05-24)
- Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware. The #StopRansomware Guide serves as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The authoring organizations recommend that entities review this joint guide to prepare and protect their facilities, personnel, and customers from the impacts of ransomware and data exfiltration. For more information and to access the latest resources about how to stop ransomware, please visit stopransomware.gov. This joint guide was developed through the Joint Ransomware Task Force (JRTF), an interagency collaborative effort to reduce the prevalence and impact of ransomware attacks. JRTF was established by Congress in 2022 and is co-chaired by CISA and FBI. For additional information about the JRTF, please visit CISA’s newly launched Joint Ransomware Task Force (JRTF) webpage. (CISA, 2023-05-23)
- 1. EXECUTIVE SUMMARY
  - CVSS v3 9.8
  - ATTENTION: Exploitable remotely/low attack complexity
  - Vendor: Hitachi Energy
  - Equipment: RTU500 Series
  - Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Hitachi Energy’s RTU500 Series product are affected:
  For CVE-2023-0286, CVE-2022-4304:
  - RTU500 series CMU Firmware: version 12.0.1 through 12.0.15
  - RTU500 series CMU Firmware: version 12.2.1 through 12.2.12
  - RTU500 series CMU Firmware: version 12.4.1 through 12.4.12
  - RTU500 series CMU Firmware: version 12.6.1 through 12.6.9
  - RTU500 series CMU Firmware: version 12.7.1 through 12.7.6
  - RTU500 series CMU Firmware: version 13.2.1 through 13.2.6
  - RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
  - RTU500 series CMU Firmware: version 13.4.1 through 13.4.2
  For CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, CVE-2021-3712:
  - RTU500 series CMU Firmware: version 12.0.1 through 12.0.14
  - RTU500 series CMU Firmware: version 12.2.1 through 12.2.11
  - RTU500 series CMU Firmware: version 12.4.1 through 12.4.11
  - RTU500 series CMU Firmware: version 12.6.1 through 12.6.8
  - RTU500 series CMU Firmware: version 12.7.1 through 12.7.5
  - RTU500 series CMU Firmware: version 13.2.1 through 13.2.5
  - RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
  - RTU500 series CMU Firmware: version 13.4.1 through 13.4.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843
  There is a type-confusion vulnerability affecting X.400 address processing within an X.509 GeneralName. This vulnerability could allow an attacker to pass arbitrary pointers to a memcmp call, enabling access to read memory contents or cause a denial-of-service condition. X.400 addresses are parsed as an ASN1_STRING, while the public structure definition for GENERAL_NAME incorrectly specifies the x400Address field type as ASN1_TYPE. CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
  3.2.2 OBSERVABLE TIMING DISCREPANCY CWE-208
  A timing-based side channel exists in the OpenSSL RSA Decryption implementation. This could allow an attacker with sufficient access to recover plaintext across a network to perform a Bleichenbacher style attack. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
  3.2.3 OUT-OF-BOUNDS READ CWE-125
  A vulnerability exists in Wind River VxWorks version 6.9 affecting the RTU500 series product versions listed. An attacker could exploit the vulnerability by using a specifically crafted packet that could lead to an out-of-bounds read during an IKE initial exchange scenario. CVE-2022-23937 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835
  A vulnerability exists in OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed. An attacker can exploit the BN_mod_sqrt() function, which computes a modular square root and contains a bug causing a continual loop for non-prime moduli. CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120
  A vulnerability exists in OpenSSL version 1.0.2 affecting the RTU500 Series product versions listed. An attacker with access to applications and the capability to present SM2 content for decryption could cause a buffer overflow up to a maximum of 62 bytes while altering contents of data present after the buffer. This vulnerability could allow an attacker to change application behavior or cause the application to crash. CVE-2021-3711 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.2.6 OUT-OF-BOUNDS READ CWE-125
  A vulnerability exists in OpenSSL version 1.0.2 affecting the RTU500 Series product versions listed. A malicious actor could cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions. Exploiting this vulnerability could create a system crash causing a denial-of-service condition or a disclosure of private memory contents, such as private keys or sensitive plaintext. CVE-2021-3712 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Energy
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: Switzerland
  3.4 RESEARCHER
  Hitachi Energy reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Hitachi Energy has released the following mitigations/fixes: until the updates are made available, follow the General Mitigation Factors/Workarounds.
  Hitachi Energy recommends the following general mitigation factors/workarounds. Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network, including:
  - Physically protect process control systems from direct access by unauthorized personnel.
  - Do not allow process control systems direct connections to the internet.
  - Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
  - Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
  - Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
  For more information, see Hitachi Energy’s Security Advisories: 8DBD000150, 8DBD000153.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities. (CISA, 2023-05-23)
- 1. EXECUTIVE SUMMARY
  CVSS v3 8.1
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Hitachi Energy
  Equipment: AFS65x, AFS67x, AFR67x and AFF66x series products
  Vulnerabilities: Use After Free
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or lead to a Denial-of-Service (DoS).
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x series products are affected:
  - AFS660/665S, AFS660/665C, AFS670v2: Firmware 7.1.05 and earlier
  - AFS670/675, AFR67x: Firmware 9.1.07 and earlier
  - AFF660/665: Firmware 03.0.02 and earlier
  - AFS65x: All versions
  3.2 VULNERABILITY OVERVIEW
  3.2.1 USE AFTER FREE CWE-416
  The libexpat library is incorporated in the AFS, AFR and AFF product family. Versions of libexpat before 2.4.9 have a use-after-free in the doContent function in xmlparse.c. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
  CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.2.2 USE AFTER FREE CWE-416
  The libexpat library is incorporated in the AFS, AFR and AFF product family. In versions of libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. Successful exploitation of this vulnerability could lead to a denial-of-service condition.
  CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Energy
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Switzerland
  3.4 RESEARCHER
  Hitachi Energy reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Hitachi Energy has released the following mitigations/fixes:
  - AFS660/665S, AFS660/665C, AFS670v2: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming 7.1.08 when available.
  - AFS670/675, AFR67x: Apply mitigation strategy as described in General Mitigation Factors Section or update to 9.1.08.
  - AFS65x: EoL product – only mitigation available, no remediation expected. Apply mitigation strategy as described in General Mitigation Factors Section.
  - AFF660/665: Apply mitigation strategy as described in General Mitigation Factors Section or update to upcoming release.
  Hitachi Energy also recommends general mitigations. Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network:
  - Physically protect process control systems from direct access by unauthorized personnel.
  - Ensure process control systems have no direct connections to the internet and are separated from other networks by a firewall system with a minimal number of exposed ports.
  - Do not use process control systems for internet surfing, instant messaging, or receiving emails.
  - Scan portable computers and removable storage media for malware prior to connection to a control system.
  For more information, see Hitachi Energy’s Security Advisory: 8DBD000149.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Published: 2023-05-23T15:39:18.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 9.8
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Hitachi Energy
  Equipment: RTU500 Series
  Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Hitachi Energy’s RTU500 Series product are affected:
  For CVE-2023-0286, CVE-2022-4304:
  - RTU500 series CMU Firmware: version 12.0.1 through 12.0.15
  - RTU500 series CMU Firmware: version 12.2.1 through 12.2.12
  - RTU500 series CMU Firmware: version 12.4.1 through 12.4.12
  - RTU500 series CMU Firmware: version 12.6.1 through 12.6.9
  - RTU500 series CMU Firmware: version 12.7.1 through 12.7.6
  - RTU500 series CMU Firmware: version 13.2.1 through 13.2.6
  - RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
  - RTU500 series CMU Firmware: version 13.4.1 through 13.4.2
  For CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, CVE-2021-3712:
  - RTU500 series CMU Firmware: version 12.0.1 through 12.0.14
  - RTU500 series CMU Firmware: version 12.2.1 through 12.2.11
  - RTU500 series CMU Firmware: version 12.4.1 through 12.4.11
  - RTU500 series CMU Firmware: version 12.6.1 through 12.6.8
  - RTU500 series CMU Firmware: version 12.7.1 through 12.7.5
  - RTU500 series CMU Firmware: version 13.2.1 through 13.2.5
  - RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
  - RTU500 series CMU Firmware: version 13.4.1 through 13.4.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843
  There is a type-confusion vulnerability affecting X.400 address processing within an X.509 GeneralName. This vulnerability could allow an attacker to pass arbitrary pointers to a memcmp call, enabling access to read memory contents or cause a denial-of-service condition. X.400 addresses are parsed as an ASN1_STRING while the public structure definition for GENERAL_NAME incorrectly specifies the x400Address field type as ASN1_TYPE.
  CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
  3.2.2 OBSERVABLE TIMING DISCREPANCY CWE-208
  A timing-based side channel exists in the OpenSSL RSA decryption implementation. This could allow an attacker with sufficient access to recover plaintext across a network by performing a Bleichenbacher-style attack. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
  CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
  3.2.3 OUT-OF-BOUNDS READ CWE-125
  A vulnerability exists in Wind River VxWorks version 6.9 affecting the RTU500 series product versions listed. An attacker could exploit the vulnerability by using a specifically crafted packet that could lead to an out-of-bounds read during an IKE initial exchange scenario.
  CVE-2022-23937 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835
  A vulnerability exists in OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that causes it to loop forever for non-prime moduli; an attacker can trigger this loop by supplying such a modulus.
  CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120
  A vulnerability exists in OpenSSL version 1.0.2 affecting the RTU500 Series product versions listed. An attacker with access to applications and the capability to present SM2 content for decryption could cause a buffer overflow up to a maximum of 62 bytes while altering contents of data present after the buffer. This vulnerability could allow an attacker to change application behavior or cause the application to crash.
  CVE-2021-3711 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.2.6 OUT-OF-BOUNDS READ CWE-125
  A vulnerability exists in OpenSSL version 1.0.2 affecting the RTU500 Series product versions listed. A malicious actor could cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions. Exploiting this vulnerability could cause a system crash resulting in a denial-of-service condition, or a disclosure of private memory contents, such as private keys or sensitive plaintext.
  CVE-2021-3712 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Energy
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Switzerland
  3.4 RESEARCHER
  Hitachi Energy reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Hitachi Energy has released the following mitigations/fixes: until the updates are made available, follow the General Mitigation Factors/Workarounds.
  Hitachi Energy recommends general mitigation factors/workarounds. Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network:
  - Physically protect process control systems from direct access by unauthorized personnel.
  - Do not allow process control systems direct connections to the internet.
  - Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
  - Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
  - Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
  For more information, see Hitachi Energy’s Security Advisories: 8DBD000150 and 8DBD000153.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Published: 2023-05-23T15:31:29.000Z
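The BN_mod_sqrt() bug described under 3.2.4 of the RTU500 entry above comes from the fact that Tonelli-Shanks is only guaranteed to terminate when the modulus is prime, while a certificate parser hands it whatever curve parameters the peer supplied. The following is an added example, not code from the advisory, from OpenSSL or from Hitachi Energy: a Python Tonelli-Shanks whose two search loops are bounded so that a composite modulus fails closed with an error instead of hanging. The constant MAX_NONRESIDUE_TRIES and the helper sqrt_or_none are this example's own choices.

```python
"""Modular square root with bounded loops (added example for the
CVE-2022-0778 class of bug). For a prime p the algorithm converges; for a
composite p both search loops can run forever unless they are capped."""

# Cap on the search for a quadratic non-residue. A small fixed bound is all the
# defence needs; the value 82 is an assumption, not taken from the advisory.
MAX_NONRESIDUE_TRIES = 82


def mod_sqrt(a: int, p: int) -> int:
    """Return r with r*r == a (mod p) for prime p.

    Raises ValueError instead of looping forever when a has no square root
    or when p is not actually prime (the advisory's non-prime-modulus case).
    """
    if p < 2:
        raise ValueError("modulus must be >= 2")
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Euler's criterion: a^((p-1)/2) == 1 for a residue modulo a prime.
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError("no square root: a is a non-residue or p is composite")
    if p % 4 == 3:
        # Closed form for p = 3 (mod 4); verify, since p may still be composite.
        r = pow(a, (p + 1) // 4, p)
        if r * r % p != a:
            raise ValueError("square root check failed: p is not prime")
        return r

    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Find a quadratic non-residue z. For a prime p this takes a few tries;
    # for a composite p it may never succeed, hence the cap.
    for z in range(2, 2 + MAX_NONRESIDUE_TRIES):
        if pow(z, (p - 1) // 2, p) == p - 1:
            break
    else:
        raise ValueError("no non-residue found: p is not prime")

    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Find the least i with t^(2^i) == 1. For prime p it satisfies i < m;
        # without this check a composite p keeps the loop running forever.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise ValueError("Tonelli-Shanks did not converge: p is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    if r * r % p != a:
        raise ValueError("square root check failed: p is not prime")
    return r


def sqrt_or_none(a: int, p: int):
    """Turn the fail-closed error into None; convenient for callers and tests."""
    try:
        return mod_sqrt(a, p)
    except ValueError:
        return None


if __name__ == "__main__":
    print(mod_sqrt(13, 17))      # 8 (the other root is 9)
    print(sqrt_or_none(4, 21))   # None: 21 is composite, the loops are bounded
```

The two raise statements inside the loops are the whole point: a parser that validates explicit EC parameters before calling into big-number arithmetic, and arithmetic that refuses to run unbounded, are two independent layers against the same bug class.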
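Both Hitachi Energy entries above state affected versions in three phrasings: "version X through Y", "Firmware X and earlier" and "All versions". The following added example (my own code, not Hitachi Energy's or CISA's) parses those phrasings into inclusive ranges and checks an inventory against them; the hostnames, the installed versions and the trimming of the RTU500 list to three of its eight ranges are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (lower bound, upper bound), both inclusive; None means unbounded on that side.
Range = Tuple[Optional[Version], Optional[Version]]

# Affected-version statements per product, quoted from the two Hitachi Energy
# entries above (RTU500 CMU firmware for CVE-2023-0286 / CVE-2022-4304, trimmed
# to three of its eight ranges; AFS670/675 and AFS65x for the libexpat CVEs).
AFFECTED_TEXT: Dict[str, str] = {
    "RTU500 CMU": (
        "RTU500 series CMU Firmware: version 12.0.1 through 12.0.15 "
        "RTU500 series CMU Firmware: version 12.2.1 through 12.2.12 "
        "RTU500 series CMU Firmware: version 13.4.1 through 13.4.2"
    ),
    "AFS670/675": "Firmware 9.1.07 and earlier",
    "AFS65x": "All versions",
}

# Constructed inventory: (hostname, product, installed firmware). Hostnames and
# versions are invented for the example.
INVENTORY: List[Tuple[str, str, str]] = [
    ("rtu-substation-01", "RTU500 CMU", "12.2.12"),
    ("rtu-substation-02", "RTU500 CMU", "12.2.13"),
    ("afs-ring-01", "AFS670/675", "9.1.08"),
    ("afs-legacy-01", "AFS65x", "4.0.0"),
]

_THROUGH = re.compile(r"version\s+(\d+(?:\.\d+)*)\s+through\s+(\d+(?:\.\d+)*)", re.I)
_EARLIER = re.compile(r"(\d+(?:\.\d+)*)\s+and\s+earlier", re.I)
_ALL = re.compile(r"\ball\s+versions\b", re.I)


def parse_version(text: str) -> Version:
    """'7.1.05' -> (7, 1, 5): components compare numerically, so leading
    zeros carry no meaning (an assumption about the vendor's numbering)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_ranges(statement: str) -> List[Range]:
    """Turn one product's affected-version statement into inclusive ranges."""
    ranges: List[Range] = []
    for lo, hi in _THROUGH.findall(statement):
        ranges.append((parse_version(lo), parse_version(hi)))
    for hi in _EARLIER.findall(statement):
        ranges.append((None, parse_version(hi)))
    if _ALL.search(statement):
        ranges.append((None, None))
    return ranges


def is_affected(installed: str, ranges: List[Range]) -> bool:
    """True when the installed version lies inside any affected range."""
    v = parse_version(installed)
    return any(
        (lo is None or lo <= v) and (hi is None or v <= hi) for lo, hi in ranges
    )


def check_inventory(inventory, affected_text=AFFECTED_TEXT) -> Dict[str, bool]:
    """Map each host to True when its firmware falls in an affected range.
    A product absent from the advisory text is reported as not affected;
    in real use such hosts deserve a separate 'unknown' bucket."""
    parsed = {product: parse_ranges(text) for product, text in affected_text.items()}
    return {
        host: is_affected(ver, parsed.get(product, []))
        for host, product, ver in inventory
    }


if __name__ == "__main__":
    for host, hit in check_inventory(INVENTORY).items():
        print(f"{host}: {'AFFECTED' if hit else 'ok'}")
```

Keeping the statements per product matters: the AFS advisory lists a different ceiling for each model, so a single flattened range list would mark an AFS670v2 on 7.1.06 as affected because of the unrelated 9.1.07 bound.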
- CISA released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
  - ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products
  - ICSA-23-143-02 Hitachi Energy RTU500
  - ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module
  - ICSA-23-143-04 Horner Automation Cscape
  CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
  Published: 2023-05-23T15:31:28.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 7.8
  ATTENTION: Low attack complexity
  Vendor: Horner Automation
  Equipment: Cscape, Cscape EnvisionRV
  Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read, Use After Free, Access of Uninitialized Pointer, Improper Restriction of Operations within the Bounds of a Memory Buffer
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to disclose information and to execute arbitrary code.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Horner Automation’s Cscape are affected:
  - Cscape: v9.90 SP8
  - Cscape EnvisionRV: v4.70
  3.2 VULNERABILITY OVERVIEW
  3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
  CVE-2023-29503 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.2 OUT-OF-BOUNDS READ CWE-125
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in the FontManager. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
  CVE-2023-32281 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.3 OUT-OF-BOUNDS READ CWE-125
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in IO_CFG. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
  CVE-2023-32289 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.4 OUT-OF-BOUNDS READ CWE-125
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to an out-of-bounds read in Cscape!CANPortMigration. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
  CVE-2023-32545 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.5 OUT-OF-BOUNDS READ CWE-125
  The affected application lacks proper validation of user-supplied data when parsing font files (e.g., FNT). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process.
  CVE-2023-27916 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.6 USE AFTER FREE CWE-416
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a use-after-free vulnerability. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
  CVE-2023-28653 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.7 ACCESS OF UNINITIALIZED POINTER CWE-824
  The affected product does not properly validate user-supplied data. If a user opens a maliciously formed CSP file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer.
  CVE-2023-31244 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.8 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e374b. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
  CVE-2023-32203 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.9 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds write at CScape_EnvisionRV+0x2e3c04. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process.
  CVE-2023-32539 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.10 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., HMI). This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to potentially execute arbitrary code in the context of the current process.
  CVE-2023-31278 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Michael Heinzl reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Horner Automation recommends upgrading the following software:
  - Cscape: Update to v9.90 SP9
  - Cscape Envision RV: Update to v4.80
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
  Published: 2023-05-23T15:31:28.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 10.0
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Mitsubishi Electric Corporation
  Equipment: MELSEC Series CPU module
  Vulnerabilities: Classic Buffer Overflow
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets. The attacker needs to understand the internal structure of the products to execute malicious code; therefore, executing malicious code is difficult.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU modules:
  - MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80; y=T,R; z=ES,DS,ESS,DSS): Serial number 17X**** or later, version 1.220 and later
  - MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96; y=T; z=D,DSS): Serial number 17X**** or later, version 1.220 and later
  - MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: version 1.220 and later
  3.2 VULNERABILITY OVERVIEW
  3.2.1 CLASSIC BUFFER OVERFLOW CWE-120
  A vulnerability, due to copying buffers without checking the size of input, exists in affected MELSEC Series CPU modules. Exploitation may allow a denial-of-service condition and malicious code execution.
  CVE-2023-1424 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Japan
  3.4 RESEARCHER
  Matt Wiseman of Cisco Talos reported this vulnerability to Mitsubishi Electric.
  4. MITIGATIONS
  Mitsubishi Electric has created firmware version 1.290 to address this issue and encourages users to update. When updating, refer to “5 FIRMWARE UPDATE FUNCTION” in the MELSEC iQ-F FX5 User’s Manual (Application).
  Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:
  - Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when internet access is required.
  - Use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
  - Use the IP filter function to block access from untrusted hosts. For details regarding the IP filter function, refer to “12.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Ethernet Communication).
  - Restrict physical access to the LAN to which affected products are connected.
  For specific update instructions and additional details see the Mitsubishi Electric advisory.
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has low attack complexity.
  Published: 2023-05-23T15:31:27.000Z
- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  - CVE-2023-32409 Apple Multiple Products WebKit Sandbox Escape Vulnerability
  - CVE-2023-28204 Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability
  - CVE-2023-32373 Apple Multiple Products WebKit Use-After-Free Vulnerability
  These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.
  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
  Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
  Published: 2023-05-22T15:49:09.000Z
- Cisco released a security advisory to address multiple vulnerabilities affecting the web-based user interface of certain Cisco Small Business Series Switches. A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition or execute arbitrary code with root privileges on an affected device.
  CISA encourages users and administrators to review the following advisory and apply the necessary updates:
  - Cisco Small Business Series Switches Buffer Overflow Vulnerabilities
  For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
  Published: 2023-05-19T17:07:06.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 7.5
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Mitsubishi Electric
  Equipment: WS0-GETH00200
  Vulnerabilities: Active Debug Code
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module or, if certain conditions are met, either disclose or tamper with the module’s configuration, or rewrite the firmware.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of the Mitsubishi Electric MELSEC WS Series Ethernet interface module are affected:
  - WS0-GETH00200: All versions
  3.2 VULNERABILITY OVERVIEW
  3.2.1 ACTIVE DEBUG CODE CWE-489
  In the affected products, the hidden telnet function is enabled by default when shipped from the factory. An authentication bypass vulnerability could allow a remote unauthenticated attacker to log into the affected module by connecting to it via telnet.
  CVE-2023-1618 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Japan
  3.4 RESEARCHER
  Mitsubishi Electric reported this vulnerability to CISA.
  4. MITIGATIONS
  Mitsubishi Electric has released the following mitigations/workarounds:
  Set a password for telnet sessions that is difficult for third parties to guess. The password can be up to 15 characters long. Note that “[space]” in the input string represents a single-byte space. Users can change the password for the telnet session of the affected product by using the telnet client and performing the following steps.
  Password setting:
  - Enter “telnet[space]” followed by the IP address of the affected product and press the Enter key.
  - When “Password” is displayed, press the Enter key without entering anything.
  - When “telnet>” is displayed, enter “password[space]” followed by the desired password string and press the Enter key.
  - Enter “quit” and press the Enter key.
  Confirm the password is set:
  - After the Password setting process, enter “telnet[space]” followed by the IP address of the affected product and press the Enter key.
  - When “Password” is displayed, enter the password string set in the Password setting process and press the Enter key.
  - If “telnet>” is displayed, the password is set correctly.
  - Enter “quit” and press the Enter key.
  Alternatively, Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:
  - Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  - Use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
  - Restrict physical access to prevent untrusted devices from connecting to the LAN.
  For more information, see Mitsubishi Electric’s Security Advisory.
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target this vulnerability.
  Published: 2023-05-19T15:19:23.000Z
- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  - CVE-2004-1464 Cisco IOS Denial-of-Service Vulnerability
  - CVE-2016-6415 Cisco IOS, IOS XR, and IOS XE IKEv1 Information Disclosure Vulnerability
  - CVE-2023-21492 Samsung Mobile Devices Insertion of Sensitive Information Into Log File Vulnerability
  These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
  Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
  Posted: 2023-05-19T15:19:22.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 9.8
  ATTENTION: Exploitable remotely/low skill level to exploit
  Vendor: Rockwell Automation
  Equipment: FactoryTalk Diagnostics
  Vulnerabilities: Deserialization of Untrusted Data
  2. UPDATE OR REPOSTED INFORMATION
  This updated advisory is a follow-up to the original advisory titled ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update A) that was published February 20, 2020, on the ICS webpage at cisa.gov/ICS.
  3. RISK EVALUATION
  Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.
  4. TECHNICAL DETAILS
  4.1 AFFECTED PRODUCTS
  The following versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, are affected:
  - FactoryTalk Diagnostics software: Versions 2.00 to 6.11
  4.2 VULNERABILITY OVERVIEW
  4.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
  FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe on TCP/8082, which can insecurely deserialize untrusted data.
  CVE-2020-6967 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  4.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Transportation Systems, Water and Wastewater Systems
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: United States
  4.4 RESEARCHER
  Trend Micro’s Zero Day Initiative, working with rgod of 9sg, reported this vulnerability to CISA.
  5. MITIGATIONS
  Rockwell Automation will fully resolve this vulnerability in the next release of the FactoryTalk Services Platform. Rockwell Automation recommends affected users implement the following compensating controls, based on their needs:
  - Upgrade to version 6.20 or later for versions that predate version 6.20; this version restricts connection settings to only the local port.
  ——— Begin Update B Part 1 of 1 ———
  - For FactoryTalk Services Platform version 6.31: Enable Microsoft Windows Communication Foundation (WCF), which avoids the vulnerability.
  - For FactoryTalk Services Platform version 6.31: Enable .NET Remoting (system default) with connections restricted to a local port, which mitigates the vulnerability.
  ——— End Update B Part 1 of 1 ———
  - Install the patch BF24822 to restrict connection settings to only the local port for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11.
  - Upgrade to a more recent version for versions that predate version 2.74.
  - Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
  - Use Windows Firewall configuration to help prevent remote connections to the affected port if the Remote Diagnostics Service is in use.
  For more information, please see Rockwell Automation’s security advisory (login required).
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  - Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required. Recognize that VPNs may have vulnerabilities and should be updated to the most current version available; a VPN is only as secure as the connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target this vulnerability.
  Posted: 2023-05-18T15:43:41.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 10.0
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Johnson Controls Inc.
  Equipment: OpenBlue Enterprise Manager Data Collector
  Vulnerabilities: Improper Authentication, Exposure of Sensitive Information to an Unauthorized Actor
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector that do not require authentication and may expose sensitive information to an unauthorized user.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following Johnson Controls products are affected:
  - OpenBlue Enterprise Manager Data Collector: Firmware versions prior to 3.2.5.75
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER AUTHENTICATION CWE-287
  Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector do not require authentication.
  CVE-2023-2024 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
  3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
  Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector may expose sensitive information to an unauthorized user.
  CVE-2023-2025 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Ireland
  3.4 RESEARCHER
  Rushank Shetty, Security Researcher at Northwestern Mutual, reported this vulnerability to Johnson Controls, Inc.; Johnson Controls, Inc. reported this vulnerability to CISA.
  4. MITIGATIONS
  Johnson Controls recommends updating OpenBlue Enterprise Manager Data Collector firmware to version 3.2.5.75. Users must contact Johnson Controls to obtain the update. For more information, refer to Johnson Controls Product Security Advisory JCI-PSA-2023-04 v1.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Posted: 2023-05-18T15:43:38.000Z
- CISA released five Industrial Control Systems (ICS) advisories on May 16, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
  - ICSA-23-138-01 Carlo Gavazzi Powersoft
  - ICSA-23-138-02 Mitsubishi Electric MELSEC WS
  - ICSA-23-138-03 Hitachi Energy MicroSCADA Pro/X SYS600
  - ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
  - ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics Update B
  CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
  Posted: 2023-05-18T15:43:37.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 6.7
  ATTENTION: Public exploits are available
  Vendor: Hitachi Energy
  Equipment: MicroSCADA Pro/X SYS600 Products
  Vulnerabilities: Permissions, Privileges, and Access Controls
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected product.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Hitachi Energy’s MicroSCADA Pro/X SYS600 products are affected:
  - SYS600: 9.4 FP2 Hotfix 5 and earlier
  - SYS600: 10.1.1 and earlier
  3.2 VULNERABILITY OVERVIEW
  3.2.1 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264
  The ActiveBar ActiveX control distributed in ActBar.ocx 1.0.3.8 in the SYS600 product does not properly restrict the SetLayoutData method, which could allow attackers to execute arbitrary code via a crafted data argument.
  CVE-2011-1207 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Energy
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Switzerland
  3.4 RESEARCHER
  Hitachi Energy reported this vulnerability to CISA.
  4. MITIGATIONS
  Hitachi Energy has released the following mitigations/fixes:
  - SYS600 9.x: upgrade to at least SYS600 version 10.2 or apply general mitigation factors.
  - SYS600 10.x: update to at least SYS600 version 10.2 or apply general mitigation factors.
  Hitachi Energy recommends the following general mitigation factors and workarounds:
  - Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network.
  - Keep process control systems physically protected from direct access by unauthorized personnel.
  - Ensure process control systems have no direct connections to the internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and follow other practices that must be evaluated case by case.
  - Avoid using process control systems for internet surfing, instant messaging, or receiving emails.
  - Carefully scan portable computers and removable storage media for malware before connection to a control system.
  - Ensure proper password policies and processes are followed.
  Hitachi Energy recommends following the cybersecurity deployment guideline 1MRK511518 MicroSCADA X Cyber Security Deployment Guideline. For more information, see Hitachi Energy cybersecurity advisory 8DBD000142.
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.
  Posted: 2023-05-18T15:43:36.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 7.5
  ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  Vendor: Carlo Gavazzi
  Equipment: Powersoft
  Vulnerabilities: Path Traversal
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow an attacker to access and retrieve any file from the server.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Carlo Gavazzi Powersoft, energy management software, are affected:
  - Powersoft: Versions 2.1.1.1 and prior
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
  Carlo Gavazzi Powersoft versions 2.1.1.1 and prior have a directory traversal vulnerability that can allow an attacker to access and retrieve any file through specially crafted GET requests to the server.
  CVE-2017-20184 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Switzerland
  3.4 RESEARCHER
  CISA discovered a public proof-of-concept authored by James Fitts.
  4. MITIGATIONS
  Carlo Gavazzi will not issue a fix as this product is end-of-life. Users should contact Carlo Gavazzi for more information.
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  Posted: 2023-05-18T15:14:49.000Z
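The Powersoft advisory above describes a CWE-22 flaw in which crafted GET requests retrieve files outside the web root. The Go program below is an added example, not code from Carlo Gavazzi or CISA: it contrasts a naive path join with a resolver that percent-decodes, normalises the request path and refuses anything that would leave the root, so the attempt can be logged instead of served. The web root and request paths are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request would resolve to a file that is
// not under the served directory.
var ErrOutsideRoot = errors.New("request path escapes the web root")

// NaiveResolve has the shape of the bug the advisory describes: the request
// path is appended to the web root as-is, so "../" segments walk out of it
// once the operating system resolves the path.
func NaiveResolve(root, reqPath string) string {
	return root + "/" + strings.TrimLeft(reqPath, "/")
}

// SafeResolve normalises the request path relative to the root and verifies
// the joined result is still inside the root before any file is opened.
// Traversal is rejected rather than silently rewritten.
func SafeResolve(root, reqPath string) (string, error) {
	root = filepath.Clean(root)
	// Treat the request as relative to root; Clean collapses "." and ".." so a
	// request that climbs above root becomes a leading "..".
	rel := filepath.Clean(filepath.FromSlash(strings.TrimLeft(reqPath, "/")))
	full := filepath.Join(root, rel) // Join cleans again after concatenation
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// ResolveGET takes the raw path from the HTTP request line, percent-decodes it
// first (so "%2e%2e" is seen as ".."), rejects embedded NUL bytes, and then
// applies SafeResolve.
func ResolveGET(root, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(decoded, 0) {
		return "", errors.New("NUL byte in request path")
	}
	return SafeResolve(root, decoded)
}

func main() {
	root := "/srv/powersoft/www" // constructed web root, not the product's real layout
	requests := []string{
		"/reports/daily.html",                 // legitimate
		"/reports/../../../etc/passwd",        // plain traversal
		"/%2e%2e/%2e%2e/%2e%2e/etc/passwd",    // percent-encoded traversal
	}
	for _, req := range requests {
		p, err := ResolveGET(root, req)
		fmt.Printf("%-36s naive=%q safe=%q err=%v\n", req, NaiveResolve(root, req), p, err)
	}
}
```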
- 1. EXECUTIVE SUMMARY
  CVSS v3 8.6
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Snap One
  Equipment: OvrC Cloud, OvrC Pro Devices
  Vulnerabilities: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following Snap One component is affected:
  - OvrC Pro: All versions prior to 7.3
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER INPUT VALIDATION CWE-20
  The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate whether the found devices are already managed by another user.
  CVE-2023-28649 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
  3.2.2 OBSERVABLE RESPONSE DISCREPANCY CWE-204
  When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC addresses of devices can be enumerated in an attack and the OvrC cloud will disclose their information.
  CVE-2023-28412 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.3 IMPROPER ACCESS CONTROL CWE-284
  Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright.
  CVE-2023-31241 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
  3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
  Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation.
  CVE-2023-31193 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
  3.2.5 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
  Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check it using a private-public key mechanism. The lack of a complete PKI-based firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution.
  CVE-2023-28386 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).
  3.2.6 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601
  Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using an HTTP connection. Attackers could impersonate a device and supply malicious information about the device’s web server interface. By supplying malicious parameters, an attacker could redirect the user to arbitrary and dangerous locations on the web.
  CVE-2023-31245 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
  3.2.7 USE OF HARD-CODED CREDENTIALS CWE-798
  Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.
  CVE-2023-31240 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).
  3.2.8 HIDDEN FUNCTIONALITY CWE-912
  In Snap One OvrC Pro versions prior to 7.2, when logged into the superuser account, a new functionality appears that could allow users to execute arbitrary commands on the hub device.
  CVE-2023-25183 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Communications
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Uri Katz of Claroty reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Snap One has released the following updates/fixes for the affected products:
  - OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.
  - OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.
  - Disable UPnP.
  For more information, see Snap One’s Release Notes.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  No known public exploits specifically target these vulnerabilities.
  Posted: 2023-05-17T16:24:09.000Z
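The CWE-345 entry above (3.2.5) notes that affected OvrC Pro devices only compared an MD5 digest of a firmware image and performed no public-key check. The Go program below is an added example, not Snap One's or CISA's code; it runs both kinds of check over a constructed image before and after tampering, showing why an integrity digest cannot stand in for a signature. Ed25519 is the assumed signature scheme, and the vendor key pair is generated in-process rather than baked into a device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update package as a hub
// might receive it: the raw image plus the data used to decide it is genuine.
type FirmwareImage struct {
	Payload   []byte
	MD5Hex    string // the only thing the affected versions compared
	Signature []byte // Ed25519 signature over Payload; what a fixed device checks
}

// AcceptByMD5 mirrors the weak check described under CWE-345: recompute the
// MD5 of the image and compare it with the digest shipped alongside it. No
// secret is involved, so whoever produces an image can also produce a matching
// digest; this catches transfer corruption, not a substituted or altered image.
func AcceptByMD5(img FirmwareImage) bool {
	sum := md5.Sum(img.Payload)
	return hex.EncodeToString(sum[:]) == img.MD5Hex
}

// AcceptBySignature verifies an Ed25519 signature over the image with the
// vendor public key the device would ship with. Only the holder of the
// matching private key can produce an image this accepts, and any change to
// the payload after signing invalidates the signature.
func AcceptBySignature(img FirmwareImage, vendorPub ed25519.PublicKey) bool {
	if len(img.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(vendorPub, img.Payload, img.Signature)
}

// VendorBuild simulates the vendor's release step: hash and sign the image.
func VendorBuild(payload []byte, vendorPriv ed25519.PrivateKey) FirmwareImage {
	sum := md5.Sum(payload)
	return FirmwareImage{
		Payload:   payload,
		MD5Hex:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(vendorPriv, payload),
	}
}

// Tamper simulates an image altered between vendor and device (the plain
// HTTP download in 3.2.4 is what makes that position reachable): one byte of
// the payload is changed, the MD5 is simply recomputed, and the original
// signature is carried along unchanged because no private key is available.
func Tamper(img FirmwareImage) FirmwareImage {
	altered := append([]byte(nil), img.Payload...)
	altered[len(altered)-1] ^= 0xFF
	sum := md5.Sum(altered)
	return FirmwareImage{
		Payload:   altered,
		MD5Hex:    hex.EncodeToString(sum[:]),
		Signature: img.Signature,
	}
}

// Demo builds a genuine and a tampered image and reports both verdicts for
// each. Returns md5Genuine, sigGenuine, md5Tampered, sigTampered.
func Demo() (bool, bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := VendorBuild([]byte("constructed firmware image v7.3"), priv)
	tampered := Tamper(genuine)
	return AcceptByMD5(genuine), AcceptBySignature(genuine, pub),
		AcceptByMD5(tampered), AcceptBySignature(tampered, pub)
}

func main() {
	md5G, sigG, md5T, sigT := Demo()
	fmt.Printf("genuine image:  md5=%v signature=%v\n", md5G, sigG)
	fmt.Printf("tampered image: md5=%v signature=%v\n", md5T, sigT)
	// The tampered image still passes the MD5 comparison; only the signature check rejects it.
}
```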
- 1. EXECUTIVE SUMMARY
  CVSS v3 7.0
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Rockwell
  Equipment: ArmorStart
  Vulnerabilities: Improper Input Validation
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow a malicious user to view and modify sensitive data or make the web page unavailable.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Rockwell ArmorStart are affected:
  - ArmorStart ST281E: Version 2.004.06 and later
  - ArmorStart ST284E: All versions
  - ArmorStart ST280E: All versions
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.
  CVE-2023-29031 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.2 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.
  CVE-2023-29030 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.3 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.
  CVE-2023-29023 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.4 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.
  CVE-2023-29024 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L).
  3.2.5 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.
  CVE-2023-29025 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
  3.2.6 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.
  CVE-2023-29026 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
  3.2.7 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.
  CVE-2023-29027 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
  3.2.8 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.
  CVE-2023-29028 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
  3.2.9 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.
  CVE-2023-29029 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
  3.2.10 IMPROPER INPUT VALIDATION CWE-20
  A cross-site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.
  CVE-2023-29022 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Rockwell Automation reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Rockwell Automation recommends users take the following measures to mitigate the risk of these vulnerabilities:
  - Disable the web server during normal use. The web server is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled.
  For information on how to mitigate security risks on industrial automation control systems (IACS) networks, see the following publications:
  - System Security Design Guidelines Reference Manual, publication SECURE-RM001
  - Configure System Security Features User Manual, SECURE-UM001
  Additionally, Rockwell Automation encourages customers to implement their suggested Security Best Practices to minimize the risk of the vulnerabilities.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploits specifically target these vulnerabilities.CISAraw:0c7e37da388acf0e3a0f44d2f51efa8f – 2023-05-16T18:10:50.000Z
- CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory. Mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). This joint CSA is part of CISA’s ongoing #StopRansomware effort.
  Source: CISA, 2023-05-16T17:20:45.000Z
- CISA released three Industrial Control Systems (ICS) advisories on May 16, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
  - ICSA-23-136-01 Snap One OvrC Cloud
  - ICSA-23-136-02 Rockwell ArmorStart
  - ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
  CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
  Source: CISA, 2023-05-16T15:36:56.000Z
- 1. EXECUTIVE SUMMARY
  - CVSS v3 7.1
  - ATTENTION: Exploitable remotely
  - Vendor: Rockwell Automation
  - Equipment: FactoryTalk Vantagepoint
  - Vulnerabilities: Insufficient Verification of Data Authenticity
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could allow an attacker to impersonate an existing user or execute a cross site request forgery (CSRF) attack.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of Rockwell Automation FactoryTalk Vantagepoint are affected:
  - FactoryTalk Vantagepoint: All versions prior to 8.40
  3.2 VULNERABILITY OVERVIEW
  3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
  The affected product is vulnerable to a CSRF attack, which could allow an attacker to impersonate a legitimate user. CVE-2023-2444 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Rockwell Automation reported this vulnerability to CISA.
  4. MITIGATIONS
  Rockwell Automation recommends users update to V8.40 or later. Users of the affected software are also encouraged to implement Rockwell Automation’s suggested Security Best Practices to minimize risk associated with the vulnerability and provide training about social engineering attacks, such as phishing.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.
  Source: CISA, 2023-05-16T15:10:21.000Z
- 1. EXECUTIVE SUMMARY
  - CVSS v3 8.6
  - ATTENTION: Exploitable remotely/low attack complexity
  - Vendor: Snap One
  - Equipment: OvrC Cloud, OvrC Pro Devices
  - Vulnerabilities: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to impersonate and claim devices, execute arbitrary code, and disclose information about the affected device.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following Snap One component is affected:
  - OvrC Pro version 7.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER INPUT VALIDATION CWE-20
  The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate if the found devices are already managed by another user. CVE-2023-28649 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
  3.2.2 OBSERVABLE RESPONSE DISCREPANCY CWE-204
  When supplied with a random MAC address, Snap One OvrC cloud servers will return information about the device. The MAC address of devices can be enumerated in an attack and the OvrC cloud will disclose their information. CVE-2023-28412 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.3 IMPROPER ACCESS CONTROL CWE-284
  Snap One OvrC cloud servers contain a route an attacker can use to bypass requirements and claim devices outright. CVE-2023-31241 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
  3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
  Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation. CVE-2023-31193 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
  3.2.5 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
  Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of a complete PKI firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution. CVE-2023-28386 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).
  3.2.6 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601
  Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using an HTTP connection. Attackers could impersonate a device and supply malicious information about the device’s web server interface. By supplying malicious parameters, an attacker could redirect the user to arbitrary and dangerous locations on the web. CVE-2023-31245 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
  3.2.7 USE OF HARD-CODED CREDENTIALS CWE-798
  Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials. CVE-2023-31240 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).
  3.2.8 HIDDEN FUNCTIONALITY CWE-912
  In Snap One OvrC Pro versions prior to 7.2, when logged into the superuser account, a new functionality appears that could allow users to execute arbitrary commands on the hub device. CVE-2023-25183 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Communications
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Uri Katz of Claroty reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Snap One has released the following updates/fixes for the affected products:
  - OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud.
  - OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud.
  - Disable UPnP.
  For more information, see Snap One’s Release Notes.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  No known public exploits specifically target these vulnerabilities.
  Source: CISA, 2023-05-16T15:10:19.000Z
- 1. EXECUTIVE SUMMARY
  - CVSS v3 9.8
  - ATTENTION: Exploitable remotely/low attack complexity
  - Vendor: Rockwell Automation
  - Equipment: PanelView 800
  - Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow remote code execution.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of PanelView 800, a graphics terminal, are affected:
  - PanelView 800-2711R-T4T: Version 5.011 to 8.011
  - PanelView 800-2711R-T7T: Version 5.011 to 8.011
  - PanelView 800-2711R-T10T: Version 5.011 to 8.011
  3.2 VULNERABILITY OVERVIEW
  3.2.1 OUT-OF-BOUNDS WRITE CWE-787
  The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default. CVE-2020-36177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.2.2 OUT-OF-BOUNDS READ CWE-125
  The affected product is vulnerable to an out-of-bounds read, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default. CVE-2019-16748 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  - CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Telecommunications
  - COUNTRIES/AREAS DEPLOYED: Worldwide
  - COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Rockwell Automation reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Users of the affected software are encouraged to apply the following risk mitigations, if possible:
  - Upgrade to V8.011, which has been patched to mitigate these issues.
  - Ensure the email feature is disabled (it is disabled by default).
  For information on mitigating security risks on industrial automation control systems (IACS) networks, see the following:
  - System Security Design Guidelines Reference Manual publication, SECURE-RM001
  - Configure System Security Features User Manual, SECURE-UM001
  Rockwell Automation encourages users to implement their suggested security best practices to minimize risk of vulnerability. For additional information, refer to Rockwell Automation’s Security Bulletin.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Source: CISA, 2023-05-15T12:16:03.000Z
- CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  - CVE-2023-25717 Multiple Ruckus Wireless Products CSRF and RCE Vulnerability
  - CVE-2021-3560 Red Hat Polkit Incorrect Authorization Vulnerability
  - CVE-2014-0196 Linux Kernel Race Condition Vulnerability
  - CVE-2010-3904 Linux Kernel Improper Input Validation Vulnerability
  - CVE-2015-5317 Jenkins User Interface (UI) Information Disclosure Vulnerability
  - CVE-2016-3427 Oracle Java SE and JRockit Unspecified Vulnerability
  - CVE-2016-8735 Apache Tomcat Remote Code Execution Vulnerability
  These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.
  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
  Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
  Source: CISA, 2023-05-12T15:36:04.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 10.0. ATTENTION: Exploitable remotely/low attack complexity. Vendor: Teltonika. Equipment: Remote Management System and RUT model routers. Vulnerabilities: Observable Response Discrepancy, Improper Authentication, Server-Side Request Forgery, Cross-site Scripting, Inclusion of Web Functionality from an Untrusted Source, External Control of System or Configuration Setting, OS Command Injection.
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following Teltonika products are affected:
  - Remote Management System (RMS): Versions prior to 4.10.0 (affected by CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2587, CVE-2023-2588)
  - Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2586)
  - RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349)
  - RUT model routers: Version 00.07.00 through 00.07.03 (affected by CVE-2023-32350)
  3.2 VULNERABILITY OVERVIEW
  3.2.1 OBSERVABLE RESPONSE DISCREPANCY CWE-204
  Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or whether the attempt to claim a device was successful. An attacker could exploit this to create a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System. CVE-2023-32346 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.2 IMPROPER AUTHENTICATION CWE-287
  Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal communication credentials of the device. This could allow an attacker to enable arbitrary command execution as root by utilizing management options within the newly registered devices. CVE-2023-32347 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
  3.2.3 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918
  Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN. CVE-2023-32348 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
  3.2.4 IMPROPER AUTHENTICATION CWE-287
  Teltonika’s Remote Management System versions prior to 4.14.0 are vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the “RMS management feature” enabled by default, then an attacker could register that device to themselves. This could enable the attacker to perform different operations on the user’s devices, including remote code execution with ‘root’ privileges (using the ‘Task Manager’ feature on RMS). CVE-2023-2586 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
  3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
  Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices. CVE-2023-2587 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.6 INCLUSION OF WEB FUNCTIONALITY FROM AN UNTRUSTED SOURCE CWE-830
  Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System cloud subdomain. This URL could be shared with others without Remote Management System authentication. An attacker could exploit this vulnerability to create a malicious webpage that uses a trusted and certified domain. An attacker could initiate a reverse shell when a victim connects to the malicious webpage, achieving remote code execution on the victim device. CVE-2023-2588 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.7 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15
  Versions 00.07.00 through 00.07.03.4 of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. However, the variables for those validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution. CVE-2023-32349 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
  3.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
  Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload. CVE-2023-32350 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater, Energy, Critical Manufacturing. COUNTRIES/AREAS DEPLOYED: Worldwide. COMPANY HEADQUARTERS LOCATION: Lithuania.
  3.4 RESEARCHER
  Roni Gavrilov of OTORIO and Noam Moshe of Claroty Research reported these vulnerabilities to Teltonika and CISA.
  4. MITIGATIONS
  Teltonika recommends users update their devices to the latest versions. RMS services have already been updated to versions that fix these vulnerabilities. Users can download the latest version of their respective RUT routers by navigating to the appropriate device on Teltonika’s website.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  No known public exploits specifically target these vulnerabilities. CISAraw:486d86f21573b1b55674f4959d9336d0 – 2023-05-12T15:20:08.000Z
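  Findings 3.2.1 and 3.2.2 above compound each other: a claim endpoint whose reply differs by failure cause lets an unauthenticated caller enumerate live serial/MAC pairs, and those same label-printed pairs are then accepted as the device's credentials. The Python below is an added example, not Teltonika's code. It models a claim endpoint in the vulnerable style beside a hardened one that answers every failure identically and requires a per-device claim secret that is issued out of band rather than printed on the label; an enumeration routine is run against both to show the oracle disappearing. The registry, serial numbers, MAC addresses and tokens are constructed for the example.

```python
"""Device claiming: response-discrepancy oracle (CWE-204) beside a hardened design.

Added example with a constructed device registry; not the vendor's code.
"""
import hashlib
import hmac


def make_registry():
    """Constructed cloud registry. serial and mac are what is printed on the label;
    claim_hash is SHA-256 of a per-device secret issued out of band (an assumption
    of this example, not a description of the vendor's provisioning)."""
    return {
        "1100001234": {"mac": "00:1E:42:AA:BB:01", "owner": "alice",
                       "claim_hash": hashlib.sha256(b"tok-alpha").hexdigest()},
        "1100005678": {"mac": "00:1E:42:AA:BB:02", "owner": None,
                       "claim_hash": hashlib.sha256(b"tok-bravo").hexdigest()},
    }


def claim_vulnerable(registry, serial, mac, user):
    """Claim using label data only; each failure cause gets its own message.

    The distinct replies are the oracle: an unauthenticated caller can tell
    'serial exists' from 'serial unknown' and harvest every live device,
    then present the harvested pair wherever serial+MAC is treated as a credential.
    """
    dev = registry.get(serial)
    if dev is None:
        return "unknown serial"
    if dev["mac"] != mac:
        return "serial exists, MAC mismatch"
    if dev["owner"] is not None:
        return "already claimed"
    dev["owner"] = user
    return "claimed"


def claim_hardened(registry, serial, mac, claim_token, user):
    """Require a secret the attacker cannot read off the label or sniff off the
    LAN, and collapse every failure into one reply. The hash comparison runs on
    every call, including for unknown serials, so timing does not leak existence."""
    dev = registry.get(serial)
    expected = dev["claim_hash"] if dev else hashlib.sha256(b"").hexdigest()
    presented = hashlib.sha256(claim_token.encode()).hexdigest()
    token_ok = hmac.compare_digest(expected, presented)
    if dev is None or not token_ok or dev["mac"] != mac or dev["owner"] is not None:
        return "rejected"
    dev["owner"] = user
    return "claimed"


def enumerate_serials(registry, candidates, claim_fn, negative_reply):
    """What an attacker does with an oracle: keep every serial whose reply is not
    the 'no such device' answer. claim_fn takes (registry, serial, mac, user)."""
    probe_mac = "00:00:00:00:00:00"           # deliberately wrong; never claims anything
    return [s for s in candidates
            if claim_fn(registry, s, probe_mac, "probe") != negative_reply]


if __name__ == "__main__":
    probes = ["1100009999", "1100001234", "1100005678"]
    print("oracle leaks:", enumerate_serials(make_registry(), probes,
                                             claim_vulnerable, "unknown serial"))
    guess = lambda reg, s, m, u: claim_hardened(reg, s, m, "guess", u)
    print("hardened leaks:", enumerate_serials(make_registry(), probes, guess, "rejected"))
```

  The uniform "rejected" reply removes the enumeration channel but is not sufficient on its own: the secret is what stops an attacker who already holds a serial and MAC from a device label or a network capture, and the same secret (not the serial/MAC pair) must be what the device presents when it authenticates to the cloud service.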
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
  1. EXECUTIVE SUMMARY
  CVSS v3 9.9. ATTENTION: Exploitable remotely/low attack complexity. Vendor: Siemens. Equipment: SCALANCE LPE9403. Vulnerabilities: Command Injection, Creation of Temporary File with Insecure Permissions, Path Traversal, Heap-based Buffer Overflow.
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to gain access to the device as root or create a denial-of-service condition.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following products from Siemens are affected:
  - SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to 2.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
  The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as root. CVE-2023-27407 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
  3.2.2 CREATION OF TEMPORARY FILE WITH INSECURE PERMISSIONS CWE-378
  The `i2c` mutex file is created with the permission bits `-rw-rw-rw-`. This file is used as a mutex for multiple applications interacting with i2c. This could allow an authenticated attacker with access to the secure shell (SSH) interface on the affected device to interfere with the integrity of the mutex and the data it protects. CVE-2023-27408 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
  3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
  A path traversal vulnerability was found in the `deviceinfo` binary via the `mac` parameter. This could allow an authenticated attacker with access to the SSH interface on the affected device to read the contents of any file named `address`. CVE-2023-27409 has been assigned to this vulnerability. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
  3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122
  A heap-based buffer overflow vulnerability was found in the `edgebox_web_app` binary. The binary will crash if supplied with a backup password longer than 255 characters. This could allow an authenticated privileged attacker to cause a denial-of-service condition. CVE-2023-27410 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Multiple. COUNTRIES/AREAS DEPLOYED: Worldwide. COMPANY HEADQUARTERS LOCATION: Germany.
  3.4 RESEARCHER
  Siemens reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:
  - SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Update to V2.1 or later version.
  As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens Industrial Security webpage. For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-325383 in HTML and CSAF.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  No known public exploits specifically target these vulnerabilities. CISAraw:bf98576ecd9c927de5fac785336f4e19 – 2023-05-11T21:23:40.000Z
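  Finding 3.2.1 above is the usual shape of web-management command injection: a diagnostic page hands user input to a shell, and on an appliance the web process is frequently root. The Python below is an added example, not Siemens' code, and the "ping" diagnostic handler is a hypothetical stand-in for whatever the device's management page actually does. It places the string-concatenation form beside a hardened one that validates the target as an IP literal or RFC 1123 host name and passes it to the program as its own argv element with no shell in the path, which also blocks argument injection such as a target of "-f".

```python
"""Web-management 'ping' diagnostic: shell concatenation (CWE-77) beside a hardened form.

Added example around a hypothetical handler; not the vendor's code.
"""
import ipaddress
import re
import subprocess

# RFC 1123 host name: labels of 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def ping_command_vulnerable(target):
    """Builds one string for /bin/sh -c. Anything the shell treats specially in
    `target` (; | & $( ) ` newline) becomes a second command that runs as the
    web server's user, which on an appliance is typically root."""
    return f"ping -c 1 {target}"


def validate_target(target):
    """Accept an IP literal (v4 or v6) or a host name; reject everything else.

    Returning the normalised form also blocks argument injection: a value such
    as '-f' never reaches ping as an option because it fails both checks."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {target!r}")


def ping_command_hardened(target):
    """argv list, one element per argument, no shell: the target is data, not syntax."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target, timeout=5):
    """Execute the hardened form. A list argv runs with shell=False; the timeout
    bounds a diagnostic that would otherwise tie up the request handler."""
    argv = ping_command_hardened(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; cat /etc/shadow"
    print("vulnerable:", ping_command_vulnerable(payload))
    try:
        ping_command_hardened(payload)
    except ValueError as err:
        print("hardened:", err)
    print("hardened ok:", ping_command_hardened("plc-01.plant.example"))
```

  Validation is the second line, not the first: even with a permissive validator, passing the value as a separate argv element means the shell never parses it. Keep both, because the argv form alone still lets a value beginning with "-" be read by the program as an option.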
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
  1. EXECUTIVE SUMMARY
  CVSS v3 7.2. ATTENTION: Exploitable remotely/low attack complexity. Vendor: Siemens. Equipment: SIMATIC Cloud Connect 7. Vulnerabilities: Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Use of Hard-coded Password, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Missing Standardized Error Handling Mechanism, Exposure of Sensitive Information to an Unauthorized Actor, Files or Directories Accessible to External Parties.
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following products from Siemens are affected:
  - SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions V2.0 to V2.1
  - SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions prior to V2.1
  - SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions V2.0 to V2.1
  - SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions prior to V2.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
  The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. CVE-2023-28832 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
  3.2.2 USE OF HARD-CODED PASSWORD CWE-259
  The affected device uses a hard-coded password to protect the diagnostic files. This could allow an authenticated attacker to access protected data. CVE-2023-29103 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
  3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
  The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to overwrite any file the Linux user `ccuser` has write access to, or to download any file the Linux user `ccuser` has read-only access to. CVE-2023-29104 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H).
  3.2.4 MISSING STANDARDIZED ERROR HANDLING MECHANISM CWE-544
  The affected device is vulnerable to a denial-of-service condition while parsing a random (non-JSON) MQTT payload. This could allow an attacker who can manipulate the communication between the MQTT broker and the affected device to cause a denial-of-service condition. CVE-2023-29105 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
  The export endpoint is accessible via REST application programming interface (API) without authentication. This could allow an unauthenticated remote attacker to download the files available via the endpoint. CVE-2023-29106 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.6 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
  The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources. CVE-2023-29107 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.7 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
  The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to write any file with the extension `.db`. CVE-2023-29128 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Multiple. COUNTRIES/AREAS DEPLOYED: Worldwide. COMPANY HEADQUARTERS LOCATION: Germany.
  3.4 RESEARCHER
  Siemens reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
  - SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Update to V2.1 or later
  - SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Update to V2.1 or later
  As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage. For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-555292 in HTML and CSAF.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities. CISAraw:9c374e76e526fb8ab1304d284adacf40 – 2023-05-11T21:23:39.000Z
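  Findings 3.2.3 and 3.2.7 above share one root cause: the upload handler joins a client-supplied file name onto its storage directory and trusts the result, so "../" walks out of the directory and an absolute name replaces it outright. The Python below is an added example, not Siemens' code. It shows the naive join beside a resolver that refuses any directory component, whitelists the characters and the extension (defaulting to .db, as in 3.2.7), and then proves the final real path is still under the upload root, which also catches a symlink already planted in that directory. The upload root, user name and file names are constructed for the example.

```python
"""Upload path resolution: naive join (CWE-22) beside a hardened resolver.

Added example with constructed paths; not the vendor's code.
"""
import os
import re
import tempfile

# Conservative whitelist: leading alphanumeric, then up to 127 of [A-Za-z0-9._-].
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def save_path_vulnerable(upload_root, filename):
    """os.path.join trusts the client: '../' walks up, and an absolute name
    discards upload_root entirely, so the write lands wherever the service
    account (here, a user like `ccuser`) has permission."""
    return os.path.join(upload_root, filename)


def save_path_hardened(upload_root, filename, allowed_ext=(".db",)):
    """Resolve a client-supplied upload name to a path that is provably inside
    upload_root, or raise ValueError.

    Checks, in order: no directory part (basename must equal the input),
    character whitelist, allowed extension, and a realpath containment test
    that also defeats a symlink already present inside the root.
    """
    if os.path.basename(filename) != filename:
        raise ValueError("filename must be a single path component")
    if not SAFE_NAME_RE.match(filename):
        raise ValueError("filename contains disallowed characters")
    if not filename.lower().endswith(tuple(allowed_ext)):
        raise ValueError("extension not allowed")
    root = os.path.realpath(upload_root)
    full = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes the upload root")
    return full


def symlink_escape_blocked():
    """Plant uploads/link.db -> outside/target.db and show the resolver refuses
    it even though the name itself passes every lexical check. Returns True if
    the write was blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        outside = os.path.join(tmp, "outside")
        os.mkdir(root)
        os.mkdir(outside)
        os.symlink(os.path.join(outside, "target.db"), os.path.join(root, "link.db"))
        try:
            save_path_hardened(root, "link.db")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    root = "/srv/cc/uploads"                       # constructed upload directory
    for name in ("backup.db", "../../../etc/passwd", "/etc/passwd", "notes.txt", "sub/x.db"):
        try:
            print(f"{name!r:28} -> {save_path_hardened(root, name)}")
        except ValueError as err:
            print(f"{name!r:28} -> REJECTED ({err}); naive join gave {save_path_vulnerable(root, name)}")
    print("symlink escape blocked:", symlink_escape_blocked())
```

  The lexical checks alone would pass "link.db"; only the realpath containment test sees that the name already points outside the root. Keep all three layers: the whitelist gives a cheap, predictable rejection for the common payloads, and the containment test is the guarantee.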
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or crash the application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:
  - Solid Edge SE2023: All versions prior to V223.0 Update 3
  - Solid Edge SE2023: All versions prior to V223.0 Update 2

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

STEPTools v18SP1 ifcmesh library (v18.1) is affected due to a null pointer dereference, which could allow an attacker to deny application usage when reading a specially constructed file, resulting in an application crash. CVE-2023-0973 has been assigned to this vulnerability. A CVSS v3 base score of 2.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L).

3.2.2 OUT-OF-BOUNDS READ CWE-125

Affected applications contain an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted OBJ file. This vulnerability could allow an attacker to disclose sensitive information. CVE-2023-30985 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

3.2.3 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Affected applications contain a memory corruption vulnerability while parsing specially crafted STP files. This could allow an attacker to execute code in the context of the current process. CVE-2023-30986 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Trend Micro Zero Day Initiative reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:
  - Solid Edge SE2023: Update to V223.0 Update 3 or later version.
  - Solid Edge SE2023: Update to V223.0 Update 2 or later version.
  - Avoid opening untrusted files from unknown sources in Solid Edge.

For further inquiries on security vulnerabilities in Siemens products, users should contact Siemens. As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage. For more information, see the associated Siemens security advisory SSA-932528 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

These vulnerabilities are not exploitable remotely.

CISAraw:a9e390d761ad949154ee0c3fb825a06e – 2023-05-11T21:23:39.000Z
- CISA and FBI have released a joint Cybersecurity Advisory (CSA), Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG. This joint advisory provides details related to exploitation of the PaperCut MF/NG vulnerability (CVE-2023-27350). FBI observed malicious actors exploit CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers against the Education Facilities Subsector. The advisory further provides detection methods for exploitation and details known indicators of compromise (IOCs) related to the group’s activity. CISA encourages network defenders to review and apply the recommendations in the Detection Methods and Mitigations sections of this CSA. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.

CISAraw:b6d031220e49be494a38730413f6d3f8 – 2023-05-11T21:23:38.000Z
- 1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: PanelView 800
Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PanelView 800, a graphics terminal, are affected:
  - PanelView 800-2711R-T4T: Version 5.011 to 8.011
  - PanelView 800-2711R-T7T: Version 5.011 to 8.011
  - PanelView 800-2711R-T10T: Version 5.011 to 8.011

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default. CVE-2020-36177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected product is vulnerable to an out-of-bounds read, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default. CVE-2019-16748 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Telecommunications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Users of the affected software are encouraged to apply the following risk mitigations, if possible:
  - Upgrade to V8.011, which has been patched to mitigate these issues.
  - Ensure the email feature is disabled (it is disabled by default).

For information on mitigating security risks on industrial automation control systems (IACS) networks, see the following:
  - System Security Design Guidelines Reference Manual publication, SECURE-RM001
  - Configure System Security Features User Manual, SECURE-UM001

Rockwell Automation encourages users to implement their suggested security best practices to minimize risk of vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

CISAraw:a1a5c58657bb55b8a669a97561c30808 – 2023-05-11T16:07:04.000Z
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Third-party components libexpat and libcurl in SINEC NMS
Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products are affected:
  - Third-Party components used in SINEC NMS: All versions prior to V1.0.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send—even when the `CURLOPT_POSTFIELDS` option has been set—if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might cause the server to return 400 responses, effectively allowing a “sister site” to deny service to all “siblings.” CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

Curl could be directed to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer and, if the read works, write a zero byte beyond its boundary. This could cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, then this flaw could be used to cause a denial-of-service condition. CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

3.2.4 USE AFTER FREE CWE-416

Libexpat before 2.4.9 has a use-after-free vulnerability in the doContent function in xmlparse.c. CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 USE AFTER FREE CWE-416

Curl can be asked to tunnel almost all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When denied to tunnel the specific protocols SMB or TELNET, curl could use a heap-allocated struct after it had been freed in its transfer shutdown code path. CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 USE AFTER FREE CWE-416

In libexpat through 2.4.9, there is a use-after-free vulnerability caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.7 DOUBLE FREE CWE-415

Curl before 7.86.0 has a double free vulnerability. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, such as 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.8 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

In curl before 7.86.0, the HSTS check could be bypassed by tricking it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 (2021-05-26). CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.9 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

A vulnerability exists in the HSTS check of curl before 7.87.0 that could be bypassed by tricking it into using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, such as using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). Then, in a subsequent request, it does not detect the HSTS state and makes a clear-text transfer, because it would store the information IDN-encoded but look for it IDN-decoded. CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:
  - SINEC NMS: Update to V1.0.3.1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage. For more information, see the associated Siemens security advisory SSA-892048 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

CISAraw:c5fdd8981f520663fadace56beb67435 – 2023-05-11T16:07:03.000Z
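CVE-2022-42916 and CVE-2022-43551 in the SINEC NMS advisory above share one root cause: the HSTS entry is stored under one spelling of the host name (IDN-encoded) and looked up under another (the raw, IDN-decoded string), so a host written with U+3002 instead of U+002E never matches and the request stays on clear-text HTTP. The block below is an added example, not curl's code and not from Siemens or CISA: a small HSTS cache in two forms, a naive one that reproduces the store/lookup mismatch and a hardened one that funnels every host name through a single canonicalisation step (lower-case, IDN dot variants mapped to `.`, IDNA-encoded) on both the write and the read path. The class names, `canonical_host`, `upgrade_url`, `demo` and all host names are constructed for the demonstration.

```python
"""Added example (not curl's code): an HSTS cache keyed on a canonical host name.

Two of the findings above (CVE-2022-42916, CVE-2022-43551) come from storing
an HSTS entry under one spelling of the host (IDN-encoded) and looking it up
under another (the raw, IDN-decoded string). A host written with U+3002
IDEOGRAPHIC FULL STOP instead of '.' then misses the cache and the transfer
stays on clear-text HTTP. The hardened form below runs exactly one
canonicalisation function on every name that enters or leaves the cache.
Class names, helper names and all host names are constructed for the demo.
"""
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Label separators that the IDNA conversion maps to U+002E (RFC 3490, section 3.1).
_IDN_DOTS = {"\u3002": ".", "\uff0e": ".", "\uff61": "."}


def canonical_host(host: str) -> str:
    """Lower-case, map IDN full stops to '.', drop a trailing dot, IDNA-encode."""
    host = unicodedata.normalize("NFKC", host.strip().lower())
    host = "".join(_IDN_DOTS.get(ch, ch) for ch in host).rstrip(".")
    # The idna codec punycodes any non-ASCII label; pure ASCII passes through.
    return host.encode("idna").decode("ascii")


class NaiveHstsCache:
    """Reproduces the mismatch: IDNA-encoded on store, raw string on lookup."""

    def __init__(self) -> None:
        self._hosts: set = set()

    def add(self, host: str) -> None:
        # Called after a Strict-Transport-Security header was seen for `host`.
        self._hosts.add(host.encode("idna").decode("ascii"))

    def is_hsts(self, host: str) -> bool:
        return host in self._hosts  # raw string, never canonicalised


class CanonicalHstsCache:
    """Hardened form: the same canonical_host() on both the write and the read path."""

    def __init__(self) -> None:
        self._hosts: set = set()

    def add(self, host: str) -> None:
        self._hosts.add(canonical_host(host))

    def is_hsts(self, host: str) -> bool:
        return canonical_host(host) in self._hosts


def upgrade_url(cache, url: str) -> str:
    """Rewrite an http:// URL to https:// when its host is known to `cache`."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.is_hsts(parts.hostname or ""):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


def demo(cache_cls, learned_host: str, requested_url: str) -> str:
    """Learn HSTS for `learned_host`, then return how `requested_url` would be sent."""
    cache = cache_cls()
    cache.add(learned_host)
    return upgrade_url(cache, requested_url)


if __name__ == "__main__":
    spoofed = "http://example\u3002com/login"  # constructed: U+3002 instead of '.'
    for cls in (NaiveHstsCache, CanonicalHstsCache):
        print(f"{cls.__name__:20} -> {demo(cls, 'example.com', spoofed)}")
```

The point of `canonical_host` is not the particular mapping table but that there is only one of it: any normalisation applied on the way into the cache must be the identical function applied on the way out, otherwise two spellings of the same host are two different keys.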
- 1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
Vulnerabilities: Incorrect Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a malicious user to commit unauthorized arbitrary code to the software using a memory buffer overflow.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation product is affected:
  - Arena Simulation Software: v16.20.01

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Rockwell Automation Arena Simulation software v16.00 is vulnerable due to a memory buffer overflow, which could allow a malicious user to commit unauthorized arbitrary code. CVE-2023-29460 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 INCORRECT RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Rockwell Automation Arena Simulation software v16.00 is vulnerable due to a memory buffer overflow, which could allow a malicious user to commit unauthorized arbitrary code. CVE-2023-29461 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 INCORRECT RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

Rockwell Automation Arena Simulation software v16.00 is vulnerable due to a memory buffer overflow, which could allow a malicious user to remotely execute arbitrary code. CVE-2023-29462 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Simon Janz of Trend Micro’s Zero Day Initiative reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation recommends upgrading the affected product software to 16.20.01. Rockwell Automation encourages users to implement their suggested security best practices to minimize exploitation risk of these vulnerabilities. For additional information, refer to Rockwell Automation’s Security Bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

CISAraw:98af008b24bfe9b6ba6f2d4c8a6caeee – 2023-05-11T16:07:02.000Z
- CISA released fifteen Industrial Control Systems (ICS) advisories on May 11, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
  - ICSA-23-131-01 Siemens Solid Edge
  - ICSA-23-131-02 Siemens SCALANCE W1750D
  - ICSA-23-131-03 Siemens Siveillance
  - ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
  - ICSA-23-131-05 Siemens SINEC NMS Third-Party
  - ICSA-23-131-06 Siemens SCALANCE LPE9403
  - ICSA-23-131-07 Sierra Wireless AirVantage
  - ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
  - ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive
  - ICSA-23-131-10 Rockwell Automation Arena Simulation Software
  - ICSA-23-131-11 BirdDog Cameras & Encoders
  - ICSA-23-131-12 SDG PnPSCADA
  - ICSA-23-131-13 PTC Vuforia Studio
  - ICSA-23-131-14 Rockwell PanelView 800
  - ICSA-23-131-15 Rockwell ThinManager

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISAraw:ccc5ec53b4ea927a52a39b93f04a4901 – 2023-05-11T16:07:01.000Z
- 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: PanelView 800 Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of PanelView 800, a graphics terminal, are affected: PanelView 800-2711R-T4T: Version 5.011 to 8.011 PanelView 800-2711R-T7T: Version 5.011 to 8.011 PanelView 800-2711R-T10T: Version 5.011 to 8.011 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default. CVE-2020-36177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ). 3.2.2 OUT-OF BOUNDS READ CWE-125 The affected product is vulnerable to an out-of-bounds read, which could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file WolfSSL uses. This feature is disabled by default. CVE-2019-16748 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: E nergy, Water and Wastewater, Telecommunications COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Rockwell Automation reported these vulnerabilities to CISA. 4. MITIGATIONS Users of the affected software are encouraged to apply the following risk mitigations, if possible: Upgrade to V8.011 , which has been patched to mitigate these issues. Ensure the email feature is disabled (it is disabled by default). 
For information on mitigating security risks on industrial automation control systems (IACS) networks, see the following: System Security Design Guidelines Reference Manual publication, SECURE-RM001 Configure System Security Features User Manual, SECURE-UM001 Rockwell Automation encourages users to implement their suggested security best practices to minimize risk of vulnerability. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities.CISAraw:46dacb0eae1163b47c648ae2f5965639 – 2023-05-11T15:23:54.000Z
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Third-party components libexpat and libcurl in SINEC NMS Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information 2. RISK EVALUATION Successful exploitation these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products are affected: Third-Party components used in SINEC NMS: All versions prior to V1.0.3.1 3.2 VULNERABILITY OVERVIEW 3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440 When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send—even when the `CURLOPT_POSTFIELDS` option has been set—if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N ). 
3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286 When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that, when later sent back to a HTTP server, might cause the server to return 400 responses, effectively allowing a “sister site” to deny service to all “siblings.” CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ). 3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121 Curl could be directed to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white space letters and no newline, curl would first read past the end of the stack-based buffer and, if the read works, write a zero byte beyond its boundary. This could cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, then this flaw could be used to cause denial-of-service condition. CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H ). 3.2.4 USE AFTER FREE CWE-416 Libexpat before 2.4.9 has a use-after-free vulnerability in the doContent function in xmlparse.c. CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ). 3.2.5 USE AFTER FREE CWE-416 Curl can be asked to tunnel almost all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When denied to tunnel the specific protocols SMB or TELNET, curl could use a heap-allocated struct after freed in its transfer shutdown code path. 
CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H ). 3.2.6 USE AFTER FREE CWE-416 In libexpat through 2.4.9, there is a use after free vulnerability caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ). 3.2.7 DOUBLE FREE CWE-415 Curl before 7.86.0 has a double free vulnerability. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, such as 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ). 3.2.8 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 In curl before 7.86.0, the HSTS check could be bypassed by tricking it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. 
This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., the character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop U+002E (.). The earliest affected version is 7.77.0 (released 2021-05-26).
CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.9 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
In curl before 7.87.0, the HSTS check could be bypassed by tricking curl into using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is given in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, such as U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). In a subsequent request curl then fails to detect the HSTS state and makes a clear-text transfer, because it stores the HSTS entry IDN-encoded but looks it up IDN-decoded.
CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS
Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:
SINEC NMS: Update to V1.0.3.1 or later version.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms.
To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage. For more information, see the associated Siemens security advisory SSA-892048 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.
CISAraw:a64e439c769f86a43c3e677c5e10ece2 - 2023-05-11T15:23:53.000Z
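The two client-side checks the SINEC NMS/curl entries above turn on, as an added example (this is not curl's or Siemens' code): entry 3.2.2 is about accepting cookies that carry control codes, and entries 3.2.8/3.2.9 are about consulting an HSTS cache under a host name that was not canonicalized the same way it was stored. The block below rejects Set-Cookie pairs containing control characters (RFC 6265 cookie-octets exclude CTLs) and canonicalizes host names through Python's built-in `idna` codec, which maps U+3002 and the other IDN label separators to "." and punycodes non-ASCII labels, before both storing and looking up HSTS entries. The `NaiveHsts` class keyed on the raw string is included only to show the miss that the advisory describes; the sample hosts and cookies are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# --- 1. Cookie hygiene (entry 3.2.2) ---------------------------------------
# RFC 6265 cookie names and values may not contain CTLs (0x00-0x1F, 0x7F);
# a server that receives them back may answer 400 for every request.
CTL = re.compile(r"[\x00-\x1f\x7f]")


def parse_set_cookie(header: str):
    """Return (name, value) from a Set-Cookie header value, or None if the
    cookie must be dropped. Attributes after the first ';' are not checked."""
    pair = header.split(";", 1)[0]
    if "=" not in pair:
        return None
    name, value = pair.split("=", 1)
    name, value = name.strip(" "), value.strip(" ")
    if not name or CTL.search(name) or CTL.search(value):
        return None
    return name, value


def accept_cookies(set_cookie_headers):
    """Build a name->value jar from Set-Cookie headers, skipping bad ones."""
    jar = {}
    for header in set_cookie_headers:
        parsed = parse_set_cookie(header)
        if parsed is not None:
            jar[parsed[0]] = parsed[1]
    return jar


# --- 2. HSTS lookups on canonical hosts (entries 3.2.8 / 3.2.9) ------------
def canonical_host(host: str) -> str:
    """IDNA-encode a host name: U+3002/U+FF0E/U+FF61 become '.', non-ASCII
    labels become punycode, and the result is lowercased without a trailing dot."""
    return host.encode("idna").decode("ascii").lower().rstrip(".")


class NaiveHsts:
    """Keyed on the raw string: the store/lookup mismatch the advisory describes."""

    def __init__(self):
        self.hosts = set()

    def add(self, host):
        self.hosts.add(host)

    def knows(self, host):
        return host in self.hosts


class HstsCache(NaiveHsts):
    """Same cache, but every host goes through canonical_host on both paths."""

    def add(self, host):
        super().add(canonical_host(host))

    def knows(self, host):
        return super().knows(canonical_host(host))


def apply_hsts(url: str, cache: HstsCache) -> str:
    """Upgrade http:// to https:// when the canonical host is known. The
    rewritten URL also carries the canonical host, so the connection goes to
    the same name the cache entry was stored under."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    host = canonical_host(parts.hostname)
    if not cache.knows(host):
        return url
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.add("example.com")                       # constructed HSTS entry
    print(apply_hsts("http://example\u3002com/login", cache))
    print(accept_cookies(["session=abc; Path=/", "evil=a\x01b"]))
```

The point of `HstsCache` is not the data structure but where the normalization sits: once on the write path and once on the read path, so no caller can reach the set with an un-normalized name.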
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY
CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Siveillance Video
Vulnerabilities: Deserialization of Untrusted Data

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute code on the affected system.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports these vulnerabilities affect the following IP video management software:
Siveillance Video 2020 R2: all versions prior to V20.2 HotfixRev14
Siveillance Video 2020 R3: all versions prior to V20.3 HotfixRev12
Siveillance Video 2021 R1: all versions prior to V21.1 HotfixRev12
Siveillance Video 2021 R2: all versions prior to V21.2 HotfixRev8
Siveillance Video 2022 R1: all versions prior to V22.1 HotfixRev7
Siveillance Video 2022 R2: all versions prior to V22.2 HotfixRev5
Siveillance Video 2022 R3: all versions prior to V22.3 HotfixRev2
Siveillance Video 2023 R1: all versions prior to V23.1 HotfixRev1

3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
The Event Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validation. This could allow an authenticated remote attacker to execute code on the affected system.
CVE-2023-30898 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502
The Management Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validation.
This could allow an authenticated remote attacker to execute code on the affected system.
CVE-2023-30899 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Milestone PSIRT reported these vulnerabilities to Siemens.

4. MITIGATIONS
Siemens has released updates for several affected products and recommends updating to the latest versions. The cumulative hotfix releases include the fixes for both Event Server (ES) and Management Server (MS). Apply the fixes on all relevant deployed servers:
Siveillance Video 2020 R2: Update to V20.2 HotfixRev14 or later version
Siveillance Video 2020 R3: Update to V20.3 HotfixRev12 or later version
Siveillance Video 2021 R1: Update to V21.1 HotfixRev12 or later version
Siveillance Video 2021 R2: Update to V21.2 HotfixRev8 or later version
Siveillance Video 2022 R1: Update to V22.1 HotfixRev7 or later version
Siveillance Video 2022 R2: Update to V22.2 HotfixRev5 or later version
Siveillance Video 2022 R3: Update to V22.3 HotfixRev2 or later version
Siveillance Video 2023 R1: Update to V23.1 HotfixRev1 or later version

As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT environment. For additional information regarding this vulnerability, see the related Milestone security advisory. For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-789345 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.
CISAraw:386245ab70d677af03735ecc6050245a – 2023-05-11T15:23:51.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 8.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Vuforia Studio
Vulnerabilities: Insufficiently Protected Credentials, Improper Authorization, Unrestricted Upload of File with Dangerous Type, Path Traversal, Cross-site Request Forgery

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to view credentials, perform a cross-site request forgery attack, resend requests, or upload or delete arbitrary files.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
PTC reports these vulnerabilities affect the following Vuforia Studio products:
Vuforia Studio: all versions prior to 9.9

3.2 VULNERABILITY OVERVIEW
3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.
CVE-2023-29168 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.2 IMPROPER AUTHORIZATION CWE-285
An attacker with local access to the machine could record the traffic, which could allow them to resend requests without the server authenticating that the user or session is valid.
CVE-2023-24476 has been assigned to this vulnerability. A CVSS v3 base score of 1.8 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N).

3.2.3 IMPROPER AUTHORIZATION CWE-285
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account.
CVE-2023-29152 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H).

3.2.4 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
A user could use the "Upload Resource" functionality to upload files to any location on the disk.
CVE-2023-27881 has been assigned to this vulnerability.
A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.5 PATH TRAVERSAL CWE-22
Before importing a project into Vuforia, a user could modify the "resourceDirectory" attribute in the appConfig.json file to point to a different path.
CVE-2023-29502 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N).

3.2.6 CROSS-SITE REQUEST FORGERY CWE-352
PTC Vuforia Studio does not require an anti-CSRF token on requests; this could allow an attacker with local access to perform a cross-site request forgery attack or a replay attack.
CVE-2023-31200 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
The Lockheed Martin Red Team reported these vulnerabilities to PTC.

4. MITIGATIONS
PTC recommends users upgrade to Vuforia Studio release 9.9 or higher.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.
CISAraw:866a5379ef3b03527fd837944c68b75d – 2023-05-11T15:23:50.000Z
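The Vuforia Studio entries 3.2.3 through 3.2.5 above share one missing check: a caller-controlled file name (delete, upload) or a configuration value read from an imported project (resourceDirectory) is used as a path without confirming that it still lies under the directory the application meant. The block below is an added example of that confinement check and is not PTC's code; it knows nothing about Vuforia's real layout, so the `uploads/` folder, the `appConfig.json` default of `resources`, and every input it exercises are constructed for the demonstration. It resolves the candidate against a root, follows symlinks, treats `\` like `/` so the result is the same on Windows and POSIX, and rejects anything whose real path is not the root or a descendant of it.

```python
import shutil
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a user-controlled path would leave its allowed root."""


def confine(root: Path, candidate: str) -> Path:
    """Resolve `candidate` against `root` and require the real path to stay
    under `root`. Rejects NUL bytes, absolute paths, '..' traversal with
    either separator, and symlinks that lead outside the root."""
    if "\x00" in candidate:
        raise PathEscape("NUL byte in path")
    candidate = candidate.replace("\\", "/")        # treat both separators alike
    root = root.resolve()
    target = (root / candidate).resolve()           # an absolute candidate replaces root here
    if target != root and root not in target.parents:
        raise PathEscape(f"{candidate!r} escapes {root}")
    return target


def save_upload(project_root: Path, filename: str, data: bytes) -> Path:
    """'Upload Resource' entry point: the file name is caller-controlled."""
    uploads = project_root / "uploads"              # hypothetical upload folder
    dest = confine(uploads, filename)
    if dest == uploads.resolve():
        raise PathEscape("empty file name")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def delete_upload(project_root: Path, filename: str) -> None:
    """Delete entry point (entry 3.2.3): same confinement before unlink."""
    target = confine(project_root / "uploads", filename)
    if not target.is_file():
        raise FileNotFoundError(filename)
    target.unlink()


def resource_directory(project_root: Path, app_config: dict) -> Path:
    """Entry 3.2.5: resourceDirectory comes from an imported appConfig.json,
    so it is untrusted input and gets the same check ('resources' is an
    assumed default)."""
    return confine(project_root, app_config.get("resourceDirectory", "resources"))


def demo() -> dict:
    """Exercise the entry points against constructed benign and hostile input
    in a throwaway directory; report 'accepted'/'rejected' per case."""
    root = Path(tempfile.mkdtemp())
    outcome = {}
    try:
        outcome["logo.png"] = save_upload(root, "logo.png", b"\x89PNG").name
        for bad in ("../../etc/passwd", "/etc/passwd", "..\\..\\win.ini", "a\x00.png"):
            try:
                save_upload(root, bad, b"x")
                outcome[bad] = "accepted"
            except PathEscape:
                outcome[bad] = "rejected"
        try:                                         # symlink inside uploads -> outside root
            (root / "uploads" / "escape").symlink_to(root.parent, target_is_directory=True)
            try:
                confine(root / "uploads", "escape/anything")
                outcome["escape/anything"] = "accepted"
            except PathEscape:
                outcome["escape/anything"] = "rejected"
        except OSError:
            pass                                     # no symlink privilege: skip this case
        outcome["resources"] = resource_directory(root, {"resourceDirectory": "resources"}).name
        try:
            resource_directory(root, {"resourceDirectory": "../../"})
            outcome["../../"] = "accepted"
        except PathEscape:
            outcome["../../"] = "rejected"
        try:
            delete_upload(root, "../appConfig.json")
            outcome["delete ../appConfig.json"] = "accepted"
        except PathEscape:
            outcome["delete ../appConfig.json"] = "rejected"
        delete_upload(root, "logo.png")
        outcome["delete logo.png"] = "deleted" if not (root / "uploads" / "logo.png").exists() else "still there"
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return outcome


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case!r}: {result}")
```

The `resolve()` call is what makes the symlink case work: comparing string prefixes would accept `uploads/escape/anything` because it starts with the root, while the resolved path points at the parent directory.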
- 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
Vulnerabilities: Incorrect Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a malicious user to execute unauthorized arbitrary code in the software via a memory buffer overflow.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Rockwell Automation product is affected:
Arena Simulation Software: v16.20.01

3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
Rockwell Automation Arena Simulation software v16.00 is vulnerable to a memory buffer overflow, which could allow a malicious user to execute unauthorized arbitrary code.
CVE-2023-29460 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 INCORRECT RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
Rockwell Automation Arena Simulation software v16.00 is vulnerable to a memory buffer overflow, which could allow a malicious user to execute unauthorized arbitrary code.
CVE-2023-29461 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 INCORRECT RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
Rockwell Automation Arena Simulation software v16.00 is vulnerable to a memory buffer overflow, which could allow a malicious user to execute arbitrary code.
CVE-2023-29462 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Simon Janz of Trend Micro's Zero Day Initiative reported these vulnerabilities to Rockwell Automation.

4. MITIGATIONS
Rockwell Automation recommends upgrading the affected product software to 16.20.01. Rockwell Automation encourages users to implement its suggested security best practices to minimize the risk of exploitation of these vulnerabilities. For additional information, refer to Rockwell Automation's Security Bulletin.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
CISAraw:5bd3087497df81f035a5b33f2f7fa4a5 – 2023-05-11T15:23:48.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Sierra Wireless
Equipment: AirVantage
Vulnerabilities: Improper Authentication, Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to configure devices and to receive sensitive device information.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Sierra Wireless AirVantage, a cloud management platform, are affected:
AirVantage Platform

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHENTICATION CWE-287
The AirVantage platform allows an unauthorized attacker to register previously unregistered devices on the platform if the user has not disabled the AirVantage Management Service on those devices. This could enable an attacker to configure, manage, and execute AT commands on an unsuspecting user's devices.
CVE-2023-31279 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

3.2.2 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The AirVantage online Warranty Checker tool had an exposure of sensitive information vulnerability that could allow an attacker to perform bulk enumeration of IMEIs and serial numbers and use that information in further attacks.
CVE-2023-31280 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER
Roni Gavrilov of Otorio reported these issues to Sierra Wireless.

4.
MITIGATIONS
Sierra Wireless has updated the AirVantage Warranty Checker so that it no longer returns the IMEI and serial number alongside the warranty status when either value is used to look up warranty status; the tool now discloses only what is needed to confirm the warranty status.

Sierra Wireless encourages users either to register their devices on the AirVantage platform, which enables remote management for those devices and prevents unauthorized device activation, or, if management via AirVantage will not be used, to disable the AirVantage Management Service on the devices, which eliminates any risk of unauthorized device access through it.

Sierra Wireless encourages anyone with a security concern related to Sierra Wireless products to contact Sierra Wireless directly. For more information, see Sierra Wireless's security bulletins.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.
CISAraw:328bcfb8629be31aea7d8a50c4b8d2d8 – 2023-05-11T15:23:47.000Z
- CISA released fifteen Industrial Control Systems (ICS) advisories on May 11, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-23-131-01 Siemens Solid Edge
ICSA-23-131-02 Siemens SCALANCE W1750D
ICSA-23-131-03 Siemens Siveillance
ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
ICSA-23-131-05 Siemens SINEC NMS Third-Party
ICSA-23-131-06 Siemens SCALANCE LPE9403
ICSA-23-131-07 Sierra Wireless AirVantage
ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNet/IP Servo Drive
ICSA-23-131-10 Rockwell Automation Arena Simulation Software
ICSA-23-131-11 BirdDog Cameras & Encoders
ICSA-23-131-12 SDG PnPSCADA
ICSA-23-131-13 PTC Vuforia Studio
ICSA-23-131-14 Rockwell PanelView 800
ICSA-23-131-15 Rockwell ThinManager
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
CISAraw:6ba926e22c1cc52801812f2c48d7d4bd – 2023-05-11T15:23:46.000Z
- As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY
CVSS v3 8.4
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: SCALANCE W1750D
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information or steal the unsuspecting user's session.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products from Siemens are affected:
SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target's MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (e.g., authentication frames or re-association frames) to remove the target's original security context. This interception occurs because the specifications do not require an access point to purge its transmit queue before removing a client's pairwise encryption key.
CVE-2022-47522 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.

4.
MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to its Operational Guidelines for Industrial Security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens Industrial Security website. For further inquiries on security vulnerabilities in Siemens products, visit Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-516174 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.
CISAraw:1d922de7cbee27ace382b2d30f4adac3 – 2023-05-11T15:23:45.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SDG Technologies
Equipment: PnPSCADA
Vulnerabilities: SQL Injection

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to interact with the database and retrieve critical data.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SDG PnPSCADA products are affected:
PnPSCADA (cross platforms): v2.*

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89
The PnPSCADA system, a product of SDG Technologies CC, is affected by a critical unauthenticated, error-based PostgreSQL injection vulnerability in the hitlogcsv.jsp endpoint. The flaw permits unauthenticated attackers to interact with the underlying database. As a result, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT data, alongside other sensitive records like SMS messages and SMS logs. The unauthorized database access exposes compromised systems to potential manipulation or breach of essential infrastructure data.
CVE-2023-1934 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Africa

3.4 RESEARCHER
Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.

4. MITIGATIONS
SDG PnPSCADA is aware of the issue and is currently developing a fix. For more information, contact PnPSCADA by email. The following workarounds are recommended to help reduce the risk:
Use prepared statements to help prevent SQL injection.
Avoid making assets publicly accessible.
Restrict public access: As a primary mitigation, it is crucial for all PnPSCADA users to avoid exposing their SCADA systems to the internet. By implementing proper network segmentation and isolating the SCADA system from public networks, users can significantly reduce the risk of unauthorized access and exploitation.
Implement strong access controls: Ensure that proper authentication and authorization mechanisms are in place to limit access to sensitive components of the SCADA system. This includes implementing role-based access control and regular audits of user privileges.
Monitor and log activity: Continuously monitor and log all activities within the SCADA environment. This helps with detecting any potential unauthorized access or attempts to exploit the vulnerability, enabling timely response and mitigation.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.CISAraw:8ce0e1384c6862f177d073bbaa8129dd – 2023-05-11T15:22:03.000Z
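The vendor's first workaround, prepared statements, is the actual fix for CWE-89, so it is worth seeing why. The following is an added example written for this page, not code from PnPSCADA or from the advisory: it stands in for the hitlogcsv.jsp query with an sqlite3 in-memory database (the product uses PostgreSQL; sqlite3 is used only so the example runs offline), with constructed table names, rows and payload. The same string concatenation that leaks rows from an unrelated table returns nothing once the value is bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the PnPSCADA database: the advisory describes a
# PostgreSQL backend, but sqlite3 is used here so the example runs offline.
# Table and column names are assumptions, not taken from the product.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hitlog (id INTEGER, tag TEXT, value REAL);
        INSERT INTO hitlog VALUES (1, 'pump1', 12.5), (2, 'valve3', 0.0);
        CREATE TABLE sms_log (id INTEGER, recipient TEXT, message TEXT);
        INSERT INTO sms_log VALUES (1, '+27000000000', 'alarm: tank level high');
    """)
    return conn

def hitlog_vulnerable(conn, tag):
    """Builds the query by string concatenation (CWE-89): the caller's input
    is parsed as SQL, so a quote in it ends the literal and the rest runs."""
    sql = "SELECT tag, value FROM hitlog WHERE tag = '" + tag + "'"
    return conn.execute(sql).fetchall()

def hitlog_parameterized(conn, tag):
    """Prepared statement: the input is bound as a value and is never parsed
    as SQL, so the same payload simply matches no row."""
    return conn.execute(
        "SELECT tag, value FROM hitlog WHERE tag = ?", (tag,)
    ).fetchall()

# Constructed payload: closes the string literal, appends a UNION that pulls
# rows from an unrelated table, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT recipient, message FROM sms_log --"

def demo():
    """Run the same payload through both handlers on a fresh database."""
    conn = build_demo_db()
    return {
        "vulnerable": hitlog_vulnerable(conn, PAYLOAD),
        "parameterized": hitlog_parameterized(conn, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The error-based variant named in the advisory differs only in how the result is read back (through database error messages rather than result rows); the root cause and the fix are identical.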
- 1. EXECUTIVE SUMMARY
  CVSS v3 8.4
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: BirdDog
  Equipment: STUDIO R3, 4K QUAD, MINI, A300 EYES
  Vulnerabilities: Cross-Site Request Forgery, Use of Hard-Coded Credentials
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to remotely execute code or obtain unauthorized access to the product.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following BirdDog camera and encoder versions are affected:
  4K QUAD: Versions 4.5.181 and 4.5.196
  MINI: Version 2.6.2
  A300 EYES: Version 3.4
  STUDIO R3: Version 3.6.4
  3.2 VULNERABILITY OVERVIEW
  3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
  The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.
  CVE-2023-2505 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).
  3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798
  Files present on firmware images could allow an attacker to gain unauthorized access as the root user using hard-coded credentials.
  CVE-2023-2504 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Australia
  3.4 RESEARCHER
  Alan Cao reported these vulnerabilities to CISA.
  4. MITIGATIONS
  BirdDog has released a firmware patch for this issue, and users are encouraged to update their devices from BirdDog’s download page.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Feed timestamp: 2023-05-11T15:22:02.000Z
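The CSRF entry above (CVE-2023-2505) says only that a forged request can upload files; the mechanism is that a browser attaches the device's session cookie to any request a third-party page triggers, so a handler that checks the cookie alone cannot tell the admin's click from an attacker's page. The following is an added example written for this page, not BirdDog's firmware code: a constructed upload handler in the vulnerable form beside one that additionally requires the request's Origin to be the device's own UI and a session-bound token the attacker page cannot read. The origin, session id and filenames are assumptions.

```python
import hashlib
import hmac
import secrets

SESSION_KEY = secrets.token_bytes(32)     # server-side secret (constructed)
TRUSTED_ORIGIN = "https://camera.local"   # assumed origin of the device's own web UI

class Request:
    """Minimal request model: the browser sends the device's session cookie on
    every request to the device, including those a malicious page triggered."""
    def __init__(self, cookies, headers, form):
        self.cookies, self.headers, self.form = cookies, headers, form

SESSIONS = {"s3cr3t-session-id": "admin"}   # constructed session table

def csrf_token_for(session_id):
    """Synchronizer token bound to the session with an HMAC, so a page that
    cannot read the session cookie cannot compute the token either."""
    return hmac.new(SESSION_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def upload_vulnerable(req):
    """Accepts any request that carries a valid session cookie (CWE-352)."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return (401, "not logged in")
    return (200, f"{user} uploaded {req.form['filename']}")

def upload_hardened(req):
    """Same handler with two independent checks: the Origin header must be the
    device's own UI, and the form must carry the session-bound token."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return (401, "not logged in")
    if req.headers.get("Origin") != TRUSTED_ORIGIN:
        return (403, "cross-origin request refused")
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return (403, "missing or invalid CSRF token")
    return (200, f"{user} uploaded {req.form['filename']}")

def forged_request():
    """What the device sees when the logged-in admin visits attacker.example:
    the browser attaches the cookie, but Origin is the attacker's site and
    the attacker cannot supply the token (all values constructed)."""
    return Request(
        cookies={"session": "s3cr3t-session-id"},
        headers={"Origin": "https://attacker.example"},
        form={"filename": "backdoor.sh"},
    )

def legitimate_request():
    """The same upload submitted from the device's own UI."""
    sid = "s3cr3t-session-id"
    return Request(
        cookies={"session": sid},
        headers={"Origin": TRUSTED_ORIGIN},
        form={"filename": "firmware.bin", "csrf_token": csrf_token_for(sid)},
    )

if __name__ == "__main__":
    print("vulnerable, forged:", upload_vulnerable(forged_request()))
    print("hardened, forged:  ", upload_hardened(forged_request()))
    print("hardened, genuine: ", upload_hardened(legitimate_request()))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a third, browser-enforced layer; it is not shown here because the check belongs server-side regardless of what the browser does.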
- 1. EXECUTIVE SUMMARY
  CVSS v3 9.4
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Rockwell Automation
  Equipment: Kinetix 5500 EtherNet/IP Servo Drive
  Vulnerabilities: Improper Access Control
  2. RISK EVALUATION
  Successful exploitation of this vulnerability could create a denial-of-service condition or allow attackers unauthorized access to the device.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following versions of the Kinetix 5500 EtherNet/IP Servo Drive are affected:
  Kinetix 5500 devices manufactured between May 2022 and January 2023: Version 7.13
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER ACCESS CONTROL CWE-284
  Rockwell Automation Kinetix 5500 devices manufactured between May 2022 and January 2023 running Version 7.13 have the telnet and file transfer protocol (FTP) ports open by default. This could allow an attacker access to the device.
  CVE-2023-1834 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Chemical, Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: United States
  3.4 RESEARCHER
  Rockwell Automation reported this vulnerability to CISA.
  4. MITIGATIONS
  Rockwell Automation recommends users upgrade the firmware of their affected devices to version 7.14 or later. Rockwell Automation recommends users follow their security best practices.
  CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target this vulnerability.
  Feed timestamp: 2023-05-11T15:22:01.000Z
- 1. EXECUTIVE SUMMARY
  CVSS v3 10.0
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Teltonika
  Equipment: Remote Management System and RUT model routers
  Vulnerabilities: Observable Response Discrepancy, Improper Authentication, Server-Side Request Forgery, Cross-site Scripting, Inclusion of Web Functionality from an Untrusted Source, External Control of System or Configuration Setting, OS Command Injection
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following Teltonika products are affected:
  Remote Management System (RMS): Versions prior to 4.10.0 (affected by CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2587, CVE-2023-2588)
  Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2586)
  RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349)
  RUT model routers: Version 00.07.00 through 00.07.03 (affected by CVE-2023-32350)
  3.2 VULNERABILITY OVERVIEW
  3.2.1 OBSERVABLE RESPONSE DISCREPANCY CWE-204
  Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns different information depending on whether the serial number of a device has already been claimed, the MAC address of a device has already been claimed, or the attempt to claim a device was successful. An attacker could exploit this to build a list of the serial numbers and MAC addresses of all devices cloud-connected to the Remote Management System.
  CVE-2023-32346 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.2 IMPROPER AUTHENTICATION CWE-287
  Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices, from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC address of a device, they could authenticate as that device and steal its communication credentials. This could allow an attacker to achieve arbitrary command execution as root by using the management options available for the newly registered device.
  CVE-2023-32347 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
  3.2.3 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918
  Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.
  CVE-2023-32348 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
  3.2.4 IMPROPER AUTHENTICATION CWE-287
  Teltonika’s Remote Management System versions prior to 4.14.0 are vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the “RMS management feature”, which is enabled by default, an attacker could register that device to themselves. This could enable the attacker to perform different operations on the user’s devices, including remote code execution with ‘root’ privileges (using the ‘Task Manager’ feature in RMS).
  CVE-2023-2586 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
  3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
  Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file containing an HTML object to trigger the vulnerability. This could allow the attacker to execute scripts in the account context and obtain remote code execution on managed devices.
  CVE-2023-2587 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.6 INCLUSION OF WEB FUNCTIONALITY FROM AN UNTRUSTED SOURCE CWE-830
  Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System cloud subdomain. This URL could be shared with others without Remote Management System authentication. An attacker could exploit this vulnerability to create a malicious webpage that uses a trusted and certified domain. An attacker could initiate a reverse shell when a victim connects to the malicious webpage, achieving remote code execution on the victim device.
  CVE-2023-2588 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  3.2.7 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15
  Versions 00.07.00 through 00.07.03.4 of Teltonika’s RUT router firmware contain a packet dump utility that has proper validation for filter parameters. However, the variables for those validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution.
  CVE-2023-32349 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
  3.2.8 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
  Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. The vulnerable function passes a user-provided package name to a command; an attacker could exploit this by supplying a package whose name contains an OS command injection payload.
  CVE-2023-32350 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater, Energy, Critical Manufacturing
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Lithuania
  3.4 RESEARCHER
  Roni Gavrilov of Otorio and Claroty Team82 reported these vulnerabilities to Teltonika and CISA.
  4. MITIGATIONS
  Teltonika recommends users update their devices to the latest versions. RMS services have already been updated to versions that fix these vulnerabilities. Users can download the latest firmware for their RUT routers by navigating to the appropriate device on Teltonika’s website.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  CISA also recommends users take the following measures to protect themselves from social engineering attacks:
  - Do not click web links or open attachments in unsolicited email messages.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  No known public exploits specifically target these vulnerabilities.
  Feed timestamp: 2023-05-11T15:22:00.000Z
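The first two Teltonika findings chain: the claim endpoint's distinct replies (3.2.1, CWE-204) let an attacker harvest serial numbers and MAC addresses, and those two public identifiers are then all that device authentication requires (3.2.2, CWE-287). The following is an added example written for this page, not Teltonika's RMS code and not a description of the 4.10.0 fix: a constructed claim service in the leaky form, an enumerator that uses its replies as an oracle, and a hardened form that requires a per-device secret not derivable from serial or MAC and answers every failure with the same message. Inventory, serials, MACs and the claim code are all constructed.

```python
import hmac
import secrets

def random_mac():
    """A fresh MAC for each probe so the attacker's own junk claims never collide."""
    return ":".join(f"{b:02x}" for b in secrets.token_bytes(6))

class ClaimServiceVulnerable:
    """Constructed model of the pre-4.10.0 behaviour the advisory describes:
    a device is identified by serial + MAC alone, and the reply says *why*
    a claim failed (CWE-204), so every answer is an oracle."""
    def __init__(self, claimed):
        self.claimed = dict(claimed)            # (serial, mac) -> owner

    def claim(self, serial, mac, user):
        if any(s == serial for s, _ in self.claimed):
            return "error: serial already claimed"
        if any(m == mac for _, m in self.claimed):
            return "error: MAC already claimed"
        self.claimed[(serial, mac)] = user
        return "ok: device claimed"

class ClaimServiceHardened:
    """Assumed fix (not Teltonika's): require a per-device secret that is not
    derivable from serial or MAC, and answer every failure identically."""
    GENERIC = "claim rejected"

    def __init__(self, claimed, claim_codes):
        self.claimed = dict(claimed)
        self.codes = dict(claim_codes)          # serial -> secret printed on the device label

    def claim(self, serial, mac, user, code):
        expected = self.codes.get(serial)
        if expected is None or not hmac.compare_digest(expected, code):
            return self.GENERIC
        if any(s == serial or m == mac for s, m in self.claimed):
            return self.GENERIC
        self.claimed[(serial, mac)] = user
        return "ok: device claimed"

def enumerate_serials(claim, candidates):
    """Attacker side: a candidate serial is known to the service when the
    reply differs from the reply for a random, non-existent serial."""
    baseline = claim(secrets.token_hex(8), random_mac())
    return [s for s in candidates if claim(s, random_mac()) != baseline]

INVENTORY = {("SN1001", "aa:bb:cc:00:00:01"): "alice"}   # constructed fleet

def demo():
    """Probe both services with the same candidate list."""
    weak = ClaimServiceVulnerable(INVENTORY)
    strong = ClaimServiceHardened(INVENTORY, {"SN1001": "device-label-secret"})
    targets = ["SN1000", "SN1001", "SN1002"]
    return {
        "vulnerable": enumerate_serials(lambda s, m: weak.claim(s, m, "mallory"), targets),
        "hardened": enumerate_serials(lambda s, m: strong.claim(s, m, "mallory", "guess"), targets),
    }

if __name__ == "__main__":
    print(demo())
```

Note that against the vulnerable service the probe also *registers* every unclaimed serial it tries to the attacker, which is the CVE-2023-2586 outcome described in 3.2.4; rate limiting alone would slow the enumeration but not remove the oracle.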
- 1. EXECUTIVE SUMMARY
  CVSS v3 9.8
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Siemens
  Equipment: Third-party components libexpat and libcurl in SINEC NMS
  Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following products are affected:
  Third-party components used in SINEC NMS: All versions prior to V1.0.3.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440
  When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle was previously used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to either send the wrong data or use memory after free, or similar, in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
  CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
  3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286
  When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might cause the server to return 400 responses, effectively allowing a “sister site” to deny service to all “siblings.”
  CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121
  Curl could be directed to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-white-space letters and no newline, curl would first read past the end of the stack-based buffer and, if the read works, write a zero byte beyond its boundary. This could cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used to cause a denial-of-service condition.
  CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
  3.2.4 USE AFTER FREE CWE-416
  Libexpat before 2.4.9 has a use-after-free vulnerability in the doContent function in xmlparse.c.
  CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  3.2.5 USE AFTER FREE CWE-416
  Curl can be asked to tunnel almost all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When denied a tunnel for the specific protocols SMB or TELNET, curl could use a heap-allocated struct after it was freed in its transfer shutdown code path.
  CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.6 USE AFTER FREE CWE-416
  In libexpat through 2.4.9, there is a use-after-free vulnerability caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
  CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.7 DOUBLE FREE CWE-415
  Curl before 7.86.0 has a double free vulnerability. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, such as 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
  CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.8 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
  In curl before 7.86.0, the HSTS check could be bypassed by tricking it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop U+002E (.). The earliest affected version is 7.77.0 (released 2021-05-26).
  CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
  3.2.9 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
  A vulnerability exists in the HSTS check of curl before 7.87.0 that could be bypassed by tricking it into using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by ASCII counterparts as part of the IDN conversion, such as the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). In a subsequent request curl then does not detect the HSTS state and makes a clear-text transfer, because it stored the information IDN-encoded but looked it up IDN-decoded.
  CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Germany
  3.4 RESEARCHER
  Siemens reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:
  SINEC NMS: Update to V1.0.3.1 or a later version
  As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
  For more information, see the associated Siemens security advisory SSA-892048 in HTML and CSAF.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Feed timestamp: 2023-05-11T15:21:59.000Z
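The two HSTS entries (3.2.8 and 3.2.9) share one root cause that generalizes well beyond curl: a security decision keyed on a host name fails open whenever the cache is populated in one form and consulted in another. The following is an added example written for this page, not curl's code: a toy HSTS cache in the defective shape (stored IDN-encoded, looked up raw) beside one that canonicalizes on both sides. `canonical_host` is this example's own helper; it applies NFKC, lower-cases, maps the IDNA label separators (U+3002, U+FF0E, U+FF61) to an ASCII full stop, and punycode-encodes non-ASCII labels with Python's `idna` codec. The host names are constructed.

```python
import unicodedata

# IDNA label separators that IDN conversion maps to an ASCII full stop.
LABEL_SEPARATORS = {"\u3002", "\uff0e", "\uff61"}

def canonical_host(host):
    """Canonical form for cache keys *and* lookups: NFKC, lower-case, all
    label separators mapped to '.', non-ASCII labels punycode-encoded."""
    host = unicodedata.normalize("NFKC", host).lower()
    host = "".join("." if ch in LABEL_SEPARATORS else ch for ch in host)
    return host.encode("idna").decode("ascii")

class HstsCacheVulnerable:
    """Models the curl defect: entries are stored in IDN-encoded form but
    looked up with the raw host from the URL, so the two forms never match."""
    def __init__(self):
        self.hosts = set()

    def remember(self, host):
        # Populated from a Strict-Transport-Security header seen earlier.
        self.hosts.add(canonical_host(host))

    def should_upgrade(self, host):
        return host in self.hosts

class HstsCacheFixed(HstsCacheVulnerable):
    """Store and look up the same canonical form."""
    def should_upgrade(self, host):
        return canonical_host(host) in self.hosts

def build_request_url(cache, scheme, host, path="/"):
    """Pick the scheme the way an HSTS-aware client should, then emit the URL
    with the host the resolver will actually contact."""
    if scheme == "http" and cache.should_upgrade(host):
        scheme = "https"
    return f"{scheme}://{canonical_host(host)}{path}"

def demo():
    """Both caches learned HSTS for example.com; the attacker then supplies
    the same host written with U+3002 instead of '.' (constructed input)."""
    tricky = "example\u3002com"
    weak, fixed = HstsCacheVulnerable(), HstsCacheFixed()
    for cache in (weak, fixed):
        cache.remember("example.com")
    return (
        build_request_url(weak, "http", tricky),
        build_request_url(fixed, "http", tricky),
    )

if __name__ == "__main__":
    weak_url, fixed_url = demo()
    print("vulnerable:", weak_url)
    print("fixed:     ", fixed_url)
```

The same rule applies to any allow-list, cookie-domain or certificate-pinning check that is keyed on a host name: canonicalize once, at the boundary, and use that form everywhere.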
- 1. EXECUTIVE SUMMARY
  CVSS v3 7.2
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Siemens
  Equipment: SIMATIC Cloud Connect 7
  Vulnerabilities: Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Use of Hard-coded Password, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Missing Standardized Error Handling Mechanism, Exposure of Sensitive Information to an Unauthorized Actor, Files or Directories Accessible to External Parties
  2. RISK EVALUATION
  Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
  3. TECHNICAL DETAILS
  3.1 AFFECTED PRODUCTS
  The following products from Siemens are affected:
  SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions V2.0 to V2.1
  SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): All versions prior to V2.1
  SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions V2.0 to V2.1
  SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): All versions prior to V2.1
  3.2 VULNERABILITY OVERVIEW
  3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
  The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges.
  CVE-2023-28832 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
  3.2.2 USE OF HARD-CODED PASSWORD CWE-259
  The affected device uses a hard-coded password to protect the diagnostic files. This could allow an authenticated attacker to access protected data.
  CVE-2023-29103 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
  3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
  The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to overwrite any file the Linux user `ccuser` has write access to, or to download any file the Linux user `ccuser` has read-only access to.
  CVE-2023-29104 has been assigned to this vulnerability. A CVSS v3 base score of 6.0 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H).
  3.2.4 MISSING STANDARDIZED ERROR HANDLING MECHANISM CWE-544
  The affected device is vulnerable to a denial-of-service condition while parsing a random (non-JSON) MQTT payload. This could allow an attacker who can manipulate the communication between the MQTT broker and the affected device to cause a denial-of-service condition.
  CVE-2023-29105 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
  3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
  The export endpoint is accessible via the REST application programming interface (API) without authentication. This could allow an unauthenticated remote attacker to download the files available via the endpoint.
  CVE-2023-29106 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.6 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
  The export endpoint discloses some undocumented files. This could allow an unauthenticated remote attacker to gain access to additional information resources.
  CVE-2023-29107 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3.2.7 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
  The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to write any file with the extension `.db`.
  CVE-2023-29128 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been assigned. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L).
  3.3 BACKGROUND
  CRITICAL INFRASTRUCTURE SECTORS: Multiple
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Germany
  3.4 RESEARCHER
  Siemens reported these vulnerabilities to CISA.
  4. MITIGATIONS
  Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
  SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Update to V2.1 or later
  SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Update to V2.1 or later
  As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
  For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT.
  For more information, see the associated Siemens security advisory SSA-555292 in HTML and CSAF.
  CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
  - Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  - Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  - When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
  CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
  Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
  No known public exploits specifically target these vulnerabilities.
  Feed timestamp: 2023-05-11T14:31:07.000Z
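Two of the Cloud Connect findings (3.2.3 and 3.2.7) are the same bug class: the upload feature joins a client-supplied filename onto a directory, so `../` segments in the name walk out of it and reach anything `ccuser` can write. The following is an added example written for this page, not Siemens' code: a constructed upload handler in the vulnerable form beside one that keeps only the base name, optionally restricts the extension (the `.db` allow-list mirrors 3.2.7 and is an assumption about how such a restriction would look), and verifies the resolved target is still inside the upload directory before writing. The directory layout and filenames are constructed inside a temporary directory.

```python
import os
import tempfile
from pathlib import Path

def save_upload_vulnerable(upload_dir, filename, data):
    """Joins the client-supplied filename onto the upload directory without
    any check (CWE-22): '../' segments walk out of the directory."""
    target = os.path.join(upload_dir, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return target

def save_upload_hardened(upload_dir, filename, data, allowed_suffixes=None):
    """Keep only the base name, optionally require an allowed extension,
    resolve the final path and verify it is still inside the upload
    directory before writing."""
    base = Path(filename).name                 # drops every directory component
    if not base or base in (".", "..") or "\\" in base:
        raise ValueError(f"rejected filename: {filename!r}")
    if allowed_suffixes is not None and Path(base).suffix not in allowed_suffixes:
        raise ValueError(f"extension not allowed: {filename!r}")
    root = Path(upload_dir).resolve()
    target = (root / base).resolve()
    if root not in target.parents:             # defence in depth against symlink tricks
        raise ValueError(f"path escapes upload directory: {filename!r}")
    target.write_bytes(data)
    return str(target)

def demo():
    """Attacker-chosen name aimed one level up at the user's shell profile
    (constructed); compare where each handler actually writes."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "ccuser"
        uploads = home / "uploads"
        uploads.mkdir(parents=True)
        attacker_name = "../.profile"
        written = Path(save_upload_vulnerable(str(uploads), attacker_name, b"# injected\n"))
        try:
            save_upload_hardened(str(uploads), attacker_name, b"# injected\n", (".db",))
            blocked = False
        except ValueError:
            blocked = True
        kept = Path(save_upload_hardened(str(uploads), "../export.db", b"sqlite", (".db",)))
        return {
            "vulnerable_wrote_outside": written.resolve() == (home / ".profile").resolve(),
            "hardened_rejected": blocked,
            "hardened_stays_inside": kept.parent == uploads.resolve(),
        }

if __name__ == "__main__":
    print(demo())
```

The containment check on the resolved path is the part that survives future mistakes: even if a later change lets a directory component through, a target outside `root` is still refused.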
- 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or crash the application.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
- Solid Edge SE2023: All versions prior to V223.0 Update 3
- Solid Edge SE2023: All versions prior to V223.0 Update 2
3.2 VULNERABILITY OVERVIEW
3.2.1 NULL POINTER DEREFERENCE CWE-476
The STEPTools v18SP1 ifcmesh library (v18.1) is affected by a null pointer dereference, which could allow an attacker to deny application usage when a specially constructed file is read, resulting in an application crash.
CVE-2023-0973 has been assigned to this vulnerability. A CVSS v3 base score of 2.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L).
3.2.2 OUT-OF-BOUNDS READ CWE-125
Affected applications contain an out-of-bounds read past the end of an allocated buffer while parsing a specially crafted OBJ file. This vulnerability could allow an attacker to disclose sensitive information.
CVE-2023-30985 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
3.2.3 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
Affected applications contain a memory corruption vulnerability while parsing specially crafted STP files. This could allow an attacker to execute code in the context of the current process.
CVE-2023-30986 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Trend Micro Zero Day Initiative reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:
- Solid Edge SE2023: Update to V223.0 Update 3 or later version.
- Solid Edge SE2023: Update to V223.0 Update 2 or later version.
- Avoid opening untrusted files from unknown sources in Solid Edge.
For further inquiries on security vulnerabilities in Siemens products, users should contact Siemens.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information, see the associated Siemens security advisory SSA-932528 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
These vulnerabilities are not exploitable remotely.
2023-05-11T14:31:06.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Siveillance Video
Vulnerabilities: Deserialization of Untrusted Data
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute code on the affected system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports these vulnerabilities affect the following IP video management software:
- Siveillance Video 2020 R2: all versions prior to V20.2 HotfixRev14
- Siveillance Video 2020 R3: all versions prior to V20.3 HotfixRev12
- Siveillance Video 2021 R1: all versions prior to V21.1 HotfixRev12
- Siveillance Video 2021 R2: all versions prior to V21.2 HotfixRev8
- Siveillance Video 2022 R1: all versions prior to V22.1 HotfixRev7
- Siveillance Video 2022 R2: all versions prior to V22.2 HotfixRev5
- Siveillance Video 2022 R3: all versions prior to V22.3 HotfixRev2
- Siveillance Video 2023 R1: all versions prior to V23.1 HotfixRev1
3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
The Event Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validation. This could allow an authenticated remote attacker to execute code on the affected system.
CVE-2023-30898 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502
The Management Server component of affected Siemens Siveillance Video applications deserializes data without sufficient validation. This could allow an authenticated remote attacker to execute code on the affected system.
CVE-2023-30899 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Milestone PSIRT reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens has released updates for several affected products and recommends updating to the latest versions. The provided cumulative hotfix releases include the fixes for both the Event Server (ES) and the Management Server (MS). Ensure the fixes are applied on all relevant deployed servers:
- Siveillance Video 2020 R2: Update to V20.2 HotfixRev14 or later version
- Siveillance Video 2020 R3: Update to V20.3 HotfixRev12 or later version
- Siveillance Video 2021 R1: Update to V21.1 HotfixRev12 or later version
- Siveillance Video 2021 R2: Update to V21.2 HotfixRev8 or later version
- Siveillance Video 2022 R1: Update to V22.1 HotfixRev7 or later version
- Siveillance Video 2022 R2: Update to V22.2 HotfixRev5 or later version
- Siveillance Video 2022 R3: Update to V22.3 HotfixRev2 or later version
- Siveillance Video 2023 R1: Update to V23.1 HotfixRev1 or later version
As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT environment.
For additional information regarding this vulnerability, see the related Milestone security advisory. For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-789345 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.
2023-05-11T14:31:06.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SCALANCE LPE9403
Vulnerabilities: Command Injection, Creation of Temporary File with Insecure Permissions, Path Traversal, Heap-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain access to the device as root or create a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products from Siemens are affected:
- SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to 2.1
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as root.
CVE-2023-27407 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.2 CREATION OF TEMPORARY FILE WITH INSECURE PERMISSIONS CWE-378
The `i2c` mutex file is created with the permission bits `-rw-rw-rw-`. This file is used as a mutex for multiple applications interacting with i2c. This could allow an authenticated attacker with access to the secure shell (SSH) interface on the affected device to interfere with the integrity of the mutex and the data it protects.
CVE-2023-27408 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
A path traversal vulnerability was found in the `deviceinfo` binary via the `mac` parameter. This could allow an authenticated attacker with access to the SSH interface on the affected device to read the contents of any file named `address`.
CVE-2023-27409 has been assigned to this vulnerability. A CVSS v3 base score of 2.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122
A heap-based buffer overflow vulnerability was found in the `edgebox_web_app` binary. The binary will crash if supplied with a backup password longer than 255 characters. This could allow an authenticated privileged attacker to cause a denial-of-service condition.
CVE-2023-27410 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:
- SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Update to V2.1 or later version.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens Industrial Security webpage.
For further inquiries on security vulnerabilities in Siemens products, users should contact the Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-325383 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target these vulnerabilities.
2023-05-11T14:31:05.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Third-party components libexpat and libcurl in SINEC NMS
Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products are affected:
- Third-party components used in SINEC NMS: All versions prior to V1.0.3.1
3.2 VULNERABILITY OVERVIEW
3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send—even when the `CURLOPT_POSTFIELDS` option has been set—if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVE-2022-32221 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
3.2.2 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286
When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies containing control codes that, when later sent back to an HTTP server, might cause the server to return 400 responses, effectively allowing a “sister site” to deny service to all “siblings.”
CVE-2022-35252 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121
Curl could be directed to parse a `.netrc` file for credentials. If that file ends in a line with 4095 consecutive non-whitespace letters and no newline, curl would first read past the end of the stack-based buffer and, if the read works, write a zero byte beyond its boundary. This could cause a segfault or similar, but circumstances might also cause different outcomes. If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used to cause a denial-of-service condition.
CVE-2022-35260 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
3.2.4 USE AFTER FREE CWE-416
Libexpat before 2.4.9 has a use-after-free vulnerability in the doContent function in xmlparse.c.
CVE-2022-40674 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.5 USE AFTER FREE CWE-416
Curl can be asked to tunnel almost all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. When denied a tunnel for the specific protocols SMB or TELNET, curl could use a heap-allocated struct after it was freed in its transfer shutdown code path.
CVE-2022-43552 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.6 USE AFTER FREE CWE-416
In libexpat through 2.4.9, there is a use-after-free vulnerability caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
CVE-2022-43680 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.7 DOUBLE FREE CWE-415
Curl before 7.86.0 has a double free vulnerability. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, such as 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
CVE-2022-42915 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.8 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
In curl before 7.86.0, the HSTS check could be bypassed by tricking it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop U+002E (.). The earliest affected version is 7.77.0 (2021-05-26).
CVE-2022-42916 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
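The IDN bypass described in 3.2.8, as an added example that is not curl's code: a toy HSTS lookup keyed on the raw host string misses its cache entry when the host is spelled with U+3002, while the hardened form canonicalizes the host through IDNA before consulting the cache. The cache contents, function names and host names are constructed for this demonstration.

```python
"""Constructed demonstration of the HSTS/IDN ordering bug class (not curl's code).

Python's stdlib "idna" codec splits labels on U+002E, U+3002, U+FF0E and
U+FF61, so "example\u3002com" is converted to "example.com" exactly as a
client does before connecting.  An HSTS check that runs *before* that
conversion therefore compares the wrong string.
"""

# Constructed HSTS cache: hosts previously seen with a Strict-Transport-Security header.
HSTS_HOSTS = {"example.com"}


def canonical_host(host):
    """Return the host name as it will actually be resolved/connected to:
    IDNA conversion (U+3002 and friends become '.') plus ASCII lower-casing."""
    return host.encode("idna").decode("ascii").lower()


def scheme_unsafe(url_scheme, host):
    """Pattern of the bug: the HSTS cache is consulted with the raw host as
    typed.  "example\u3002com" is not in the cache, so the request stays on
    http even though the connection is later made to example.com."""
    if url_scheme == "http" and host in HSTS_HOSTS:
        return "https"
    return url_scheme


def scheme_fixed(url_scheme, host):
    """Hardened form: canonicalize first, then look up.  Every spelling that
    resolves to example.com is upgraded to https."""
    if url_scheme == "http" and canonical_host(host) in HSTS_HOSTS:
        return "https"
    return url_scheme


if __name__ == "__main__":
    spoofed = "example\u3002com"
    print("canonical:", canonical_host(spoofed))          # example.com
    print("unsafe   :", scheme_unsafe("http", spoofed))   # http  (downgrade kept)
    print("fixed    :", scheme_fixed("http", spoofed))    # https (HSTS honored)
```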
3.2.9 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
A vulnerability exists in curl. CVE-2022-43551 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workaround/mitigation users can apply to reduce risk:
- SINEC NMS: Update to V1.0.3.1 or later version
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information, see the associated Siemens security advisory SSA-892048 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
2023-05-11T14:31:04.000Z
- 1. EXECUTIVE SUMMARY
CVSS v3 8.4
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: SCALANCE W1750D
Vulnerabilities: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information or steal an unsuspecting user’s session.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products from Siemens are affected:
- SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions
- SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions
- SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target’s MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (e.g., authentication frames or re-association frames) to remove the target’s original security context. This interception occurs because the specifications do not require an access point to purge its transmit queue before removing a client’s pairwise encryption key.
CVE-2022-47522 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to their Operational Guidelines for Industrial Security and following the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens Industrial Security website.
For further inquiries on security vulnerabilities in Siemens products, visit Siemens ProductCERT. For more information, see the associated Siemens security advisory SSA-516174 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.
2023-05-11T14:31:03.000Z
- APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.
Overview and Context
The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.
We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.
Download the UK PDF version of this report: APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (PDF, 366.88 KB)
Download the US PDF version of this report: APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers (PDF, 366.25 KB)
Previous Activity
The NCSC has previously attributed the following activity to APT28:
- Cyber attacks against the German parliament in 2015, including data theft and disrupting email accounts of German Members of Parliament (MPs) and the Vice Chancellor
- Attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK
For more information on APT28 activity, see the advisories Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.
As of 2021, APT28 has been observed using commercially available code repositories and post-exploitation frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.
Reconnaissance
Use of SNMP Protocol to Access Routers
In 2021, APT28 used infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.
SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if devices are vulnerable, to exploit them to penetrate a network. A number of software tools can scan an entire network using SNMP, so poor configuration, such as using default or easy-to-guess community strings, can make a network susceptible to attacks.
Weak SNMP community strings, including the default “public,” allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]
The compromised routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption, so all data, including community strings, is sent unencrypted.
Exploitation of CVE-2017-6742
APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available. Cisco’s published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or disabling a number of SNMP Management Information Bases (MIBs).
Malware Deployment
For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which is exfiltrated over Trivial File Transfer Protocol (TFTP), and enabled unauthenticated access via a backdoor.
The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. This includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]
Indicators of Compromise (IoCs)
Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.
MITRE ATT&CK®
This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. For detailed TTPs, see the Malware Analysis Report.
Tactic | ID | Technique | Procedure
Initial Access | T1190 | Exploit Public-facing Application | APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).
Initial Access | T1078.001 | Valid Accounts: Default Accounts | Actors accessed victim routers by using default community strings such as “public.”
Reconnaissance | T1590 | Gather Victim Network Information | Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved is available in the MITRE ATT&CK section of the Jaguar Tooth MAR.
Conclusion
APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco. TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.
Reporting
UK organizations should report any suspected compromises to the NCSC. US organizations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.
Mitigation
- Patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date.
- Do not use SNMP if you are not required to configure or manage devices remotely, to prevent unauthorized users from accessing your router.
- If you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorized users from accessing your router.
- Do not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.
- Enforce a strong password policy. Don’t reuse the same password for multiple devices; each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public-private keys.
- Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3.
- Use logging tools to record commands executed on your network devices, such as TACACS+ and Syslog. Use these logs to immediately highlight suspicious events and keep a record of events to support an investigation if the device’s integrity is ever in question. See NCSC guidance on monitoring and logging.
If you suspect your router has been compromised:
- Follow Cisco’s advice for verifying the Cisco IOS image.
- Revoke all keys associated with that router. When replacing the router configuration, be sure to create new keys rather than pasting from the old configuration.
- Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third-party and internal repositories have been compromised.
NSA’s Network Infrastructure guide provides some best practices for SNMP. See also the Cisco IOS hardening guide and Cisco’s Jaguar Tooth blog.
This product is provided subject to this Notification and this Privacy & Use policy. – 2023-05-11T14:24:59.000Z
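The APT28 advisory above makes two points a network defender can verify on the wire: an SNMP v1/v2c message carries its community string in the clear, and a default string such as “public” is the whole of the authentication. The following C program is an added example, not code from the advisory, NCSC, CISA or Cisco. It parses only the outer envelope of an SNMP message (the BER SEQUENCE holding the version INTEGER and, for v1/v2c, the community OCTET STRING) from a constructed sample packet and reports whether the message relies on cleartext community-string authentication and whether that string is a well-known default. The function names, the default-string list (`public`, `private`) and both sample packets are assumptions made for this example; the kind of check shown is what a passive monitor would run over mirrored management traffic to find devices still speaking v1/v2c after the cut-over to SNMP v3.

```c
/* Added example: passive audit of an SNMP message envelope (not advisory or
 * Cisco code). SNMPv1/v2c messages are BER-encoded as
 *   Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
 * so anyone on the path reads the community string; SNMPv3 replaces it with
 * authenticated (and optionally encrypted) security parameters. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    long version;           /* 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3 */
    char community[64];     /* cleartext community string (v1/v2c only) */
    int  plaintext_auth;    /* 1 when auth is a cleartext community string */
    int  default_community; /* 1 when the string is a well-known default */
} snmp_audit;

/* Well-known defaults to flag; this list is an assumption for the example. */
static const char *const default_communities[] = { "public", "private", NULL };

/* Read a BER tag and length (short form or 1-2 byte long form).
 * Returns the header size consumed, or 0 on malformed input. */
static size_t ber_hdr(const unsigned char *p, size_t n,
                      unsigned char *tag, size_t *len)
{
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }
    size_t nb = p[1] & 0x7f;
    if (nb == 0 || nb > 2 || n < 2 + nb) return 0;
    *len = 0;
    for (size_t i = 0; i < nb; i++) *len = (*len << 8) | p[2 + i];
    return 2 + nb;
}

/* Parse version and (for v1/v2c) the community string. Returns 1 on
 * success, 0 if the bytes are not a well-formed SNMP message envelope. */
int snmp_audit_message(const unsigned char *pkt, size_t n, snmp_audit *out)
{
    unsigned char tag;
    size_t len, h;
    memset(out, 0, sizeof *out);

    h = ber_hdr(pkt, n, &tag, &len);                 /* outer SEQUENCE */
    if (!h || tag != 0x30 || len > n - h) return 0;
    const unsigned char *p = pkt + h, *end = p + len;

    h = ber_hdr(p, (size_t)(end - p), &tag, &len);   /* version INTEGER */
    if (!h || tag != 0x02 || len == 0 || len > 4 ||
        len > (size_t)(end - p) - h) return 0;
    for (size_t i = 0; i < len; i++) out->version = (out->version << 8) | p[h + i];
    p += h + len;

    if (out->version == 3) return 1;                 /* v3: no cleartext community */
    if (out->version != 0 && out->version != 1) return 0;

    h = ber_hdr(p, (size_t)(end - p), &tag, &len);   /* community OCTET STRING */
    if (!h || tag != 0x04 || len > (size_t)(end - p) - h ||
        len >= sizeof out->community) return 0;
    memcpy(out->community, p + h, len);
    out->community[len] = '\0';
    out->plaintext_auth = 1;
    for (const char *const *d = default_communities; *d; d++)
        if (strcmp(out->community, *d) == 0) out->default_community = 1;
    return 1;
}

/* Verdict for alerting: 0 = not an SNMP envelope, 1 = SNMPv3,
 * 2 = v1/v2c with a non-default community, 3 = v1/v2c with a default one. */
int snmp_risk_level(const unsigned char *pkt, size_t n)
{
    snmp_audit a;
    if (!snmp_audit_message(pkt, n, &a)) return 0;
    if (!a.plaintext_auth) return 1;
    return a.default_community ? 3 : 2;
}

/* Constructed sample: SNMPv2c GetRequest for sysDescr.0, community "public". */
static const unsigned char sample_v2c_get[] = {
    0x30, 0x26,                                   /* SEQUENCE, 38 bytes */
    0x02, 0x01, 0x01,                             /* version 1 = SNMPv2c */
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',     /* community, in the clear */
    0xa0, 0x19,                                   /* GetRequest PDU, 25 bytes */
    0x02, 0x01, 0x01,                             /* request-id 1 */
    0x02, 0x01, 0x00,                             /* error-status 0 */
    0x02, 0x01, 0x00,                             /* error-index 0 */
    0x30, 0x0e, 0x30, 0x0c,                       /* VarBindList, VarBind */
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, /* 1.3.6.1.2.1.1.1.0 */
    0x05, 0x00                                    /* NULL value */
};

/* Constructed sample: leading bytes of an SNMPv3 message (version 3 only). */
static const unsigned char sample_v3_head[] = { 0x30, 0x03, 0x02, 0x01, 0x03 };

int main(void)
{
    snmp_audit a;
    if (snmp_audit_message(sample_v2c_get, sizeof sample_v2c_get, &a))
        printf("version=%ld plaintext_auth=%d default_community=%d community=%s\n",
               a.version, a.plaintext_auth, a.default_community, a.community);
    printf("risk: v2c=%d v3=%d\n",
           snmp_risk_level(sample_v2c_get, sizeof sample_v2c_get),
           snmp_risk_level(sample_v3_head, sizeof sample_v3_head));
    return 0;
}
```

The parser deliberately stops after the community string: the PDU body is irrelevant to the audit, and a monitor that never decodes varbinds has that much less attack surface of its own. In production the same check would run on each UDP/161 datagram, and a risk level of 2 or 3 seen from an address outside the management allow list is the event the advisory's logging guidance asks you to raise.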
- CISA released one Industrial Control Systems (ICS) advisory on May 2, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-122-01 Mitsubishi Electric Factory Automation Products – 2023-05-10T21:33:08.000Z
- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29336 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. – 2023-05-10T21:33:07.000Z
- 1. EXECUTIVE SUMMARY

  CVSS v3 9.8
  ATTENTION: Exploitable remotely/low attack complexity
  Vendor: Hitachi Energy
  Equipment: Modular Switchgear Monitoring (MSM)
  Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy

  2. RISK EVALUATION

  Successful exploitation of these vulnerabilities could allow an attacker to obtain user access credentials of the MSM web interface or cause a denial-of-service condition.

  3. TECHNICAL DETAILS

  3.1 AFFECTED PRODUCTS

  The following Hitachi Energy products are affected:
  MSM: 2.2.5 and earlier

  3.2 VULNERABILITY OVERVIEW

  3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

  The code that performs password matching when using ‘basic’ HTTP authentication does not use a constant-time memcmp and has no rate-limiting. An unauthenticated network attacker could brute-force the HTTP basic password byte-by-byte, by recording the webserver’s response time until the unauthorized (401) response.

  CVE-2021-43298 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

  The HTTP digest authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. An unauthenticated remote attacker could bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel.

  CVE-2020-15688 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

  3.2.3 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

  An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (ex: goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP host header sent by an attacker. This could potentially be used in a phishing attack.

  CVE-2019-16645 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

  3.2.4 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

  In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and a potential denial-of-service condition, as demonstrated by a single colon on a line.

  CVE-2019-12822 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

  3.2.5 NULL POINTER DEREFERENCE CWE-476

  An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.

  CVE-2018-15504 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

  3.2.6 NULL POINTER DEREFERENCE CWE-476

  An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted “host” header field may cause a NULL pointer dereference resulting in a denial-of-service condition, as demonstrated by the lack of a trailing ‘]’ character in an IPv6 address.

  CVE-2018-15505 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

  3.2.7 INSUFFICIENT ENTROPY CWE-331

  Websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy due to the nonce calculation relying on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP digest access authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). Note: 2.1.8 is a version from 2003; however, the affected websda.c code appears in derivative works that may be used in 2021. Recent GoAhead software is unaffected.

  CVE-2021-41615 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  3.2.8 INSUFFICIENT ENTROPY CWE-331

  An allocation of resources without limits or throttling vulnerability exists in curl. The use of such a decompression chain could result in a “malloc bomb”, making curl spend enormous amounts of allocated heap memory, or try to, and return out of memory errors.

  CVE-2023-23916 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

  3.3 BACKGROUND

  CRITICAL INFRASTRUCTURE SECTORS: Energy
  COUNTRIES/AREAS DEPLOYED: Worldwide
  COMPANY HEADQUARTERS LOCATION: Switzerland

  3.4 RESEARCHER

  Hitachi Energy reported these vulnerabilities to CISA.

  4. MITIGATIONS

  MSM is not intrinsically designed nor intended to be directly connected to the internet. Users should disconnect the device from any internet-facing network. Hitachi Energy suggests adopting user access management and antivirus protection software equipped with the latest signature rules on hosts with the Manufacturing Message Specification (MMS) Client application installed. Users can implement the operating system user access management functionality, if supported, to limit the probability of unauthorized access followed by rogue commands at the operating system level via MMS client application.

  Also, Hitachi Energy recommends following the hardening guidelines published by “The Center for Internet Security (CIS)” to protect the host operating system of machines connecting with MSM. These guidelines help prevent the lateral movement of the attack vector into MSM via these connected devices. Some examples for Windows based computers include:
  - CIS Microsoft Windows Desktop Benchmarks (cisecurity.org)
  - CIS Microsoft Windows Server Benchmarks (cisecurity.org)

  According to Hitachi Energy, users should follow recommended security practices and firewall configurations to help protect a network from outside attacks, including:
  - Physically protecting systems from direct access by unauthorized personnel.
  - Ensuring monitoring systems have no direct connections to the internet.
  - Separating monitoring system networks from other networks using a firewall system with a minimal number of ports exposed.

  Hitachi advises that monitoring systems should not be used for internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for malware prior to connection to monitoring systems. For more information, see Hitachi Energy advisory 8DBD000154.

  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

  Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. – 2023-05-10T21:33:06.000Z
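Entry 3.2.1 (CWE-307) in the Hitachi Energy advisory above names two independent defects in the basic-auth password check: a comparison that returns at the first mismatching byte, and no limit on how many attempts a client may make. The C program below is an added example and is not GoAhead, Hitachi Energy or CISA code. It places the early-exit comparison beside a constant-time one and adds the missing rate limiting as a per-client failure counter with a timed lockout, so that the password comparison is never even reached while a client is locked out. The function names (`password_matches_ct`, `basic_auth_check`), the table size, the thresholds, the sample password and the client address are all assumptions made for this example.

```c
/* Added example (not GoAhead or Hitachi Energy code): the two defects named
 * under CWE-307, an early-exit password comparison and missing rate
 * limiting, shown beside a hardened check. Names and thresholds are
 * assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: strcmp/memcmp return at the first differing byte, so
 * the response time grows with the number of correct leading bytes. */
int password_matches_leaky(const char *supplied, const char *expected)
{
    return strcmp(supplied, expected) == 0;
}

/* Hardened comparison: visit every byte up to the longer length and OR the
 * differences together, so the work done does not depend on where the first
 * mismatch lies. Comparing fixed-length password hashes instead of the raw
 * strings would also remove the remaining length dependence; raw strings are
 * kept here to stay close to the advisory text. */
int password_matches_ct(const char *supplied, const char *expected)
{
    size_t ls = strlen(supplied), le = strlen(expected);
    size_t n = ls > le ? ls : le;
    unsigned char diff = (unsigned char)(ls != le);
    for (size_t i = 0; i < n; i++) {
        unsigned char a = i < ls ? (unsigned char)supplied[i] : 0;
        unsigned char b = i < le ? (unsigned char)expected[i] : 0;
        diff |= a ^ b;
    }
    return diff == 0;
}

/* Rate limiting: per-client failure counter with a timed lockout. */
#define MAX_CLIENTS     16
#define MAX_FAILURES    5
#define LOCKOUT_SECONDS 300

typedef struct {
    uint32_t client_ip;     /* 0 = unused slot */
    int      failures;      /* consecutive failures since the last success */
    long     locked_until;  /* epoch seconds; 0 = not locked */
} auth_bucket;

static auth_bucket buckets[MAX_CLIENTS];

static auth_bucket *bucket_for(uint32_t ip)
{
    auth_bucket *free_slot = NULL;
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (buckets[i].client_ip == ip) return &buckets[i];
        if (!free_slot && buckets[i].client_ip == 0) free_slot = &buckets[i];
    }
    if (free_slot) {
        memset(free_slot, 0, sizeof *free_slot);
        free_slot->client_ip = ip;
    }
    return free_slot;  /* NULL when the table is full */
}

/* Returns the HTTP status to send: 200 on success, 401 on a wrong password,
 * 429 while the client is locked out (or when no tracking slot is free, so
 * the check fails closed). `now` is passed in to keep the logic testable. */
int basic_auth_check(uint32_t client_ip, const char *supplied,
                     const char *expected, long now)
{
    auth_bucket *b = bucket_for(client_ip);
    if (!b) return 429;
    if (now < b->locked_until) return 429;   /* no comparison while locked */
    if (password_matches_ct(supplied, expected)) {
        b->failures = 0;
        return 200;
    }
    if (++b->failures >= MAX_FAILURES) {
        b->locked_until = now + LOCKOUT_SECONDS;
        b->failures = 0;
    }
    return 401;
}

int main(void)
{
    const uint32_t client = 0x0a000001;   /* 10.0.0.1, constructed */
    for (int i = 0; i < 6; i++)
        printf("attempt %d -> %d\n", i + 1,
               basic_auth_check(client, "guess", "hunter2", 1000 + i));
    return 0;
}
```

Two details matter for the advisory's scenario. The lockout check runs before the comparison, so a locked-out client gets a uniform 429 and learns nothing about the password from timing; and the 429 on a full table fails closed rather than silently disabling the limit under load. Storing a salted hash and comparing digests of fixed length is the usual way to finish the job, since it also removes the dependence of the loop bound on the stored password's length.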
- Mozilla has released security advisories to address vulnerabilities in Thunderbird, Firefox and Firefox ESR. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply the necessary updates: Security Vulnerabilities fixed in Firefox 113 Mozilla Foundation Security Advisory 2023-16; Security Vulnerabilities fixed in Firefox ESR 102.11 Mozilla Foundation Security Advisory 2023-17; Security Vulnerabilities fixed in Thunderbird 102.11 Mozilla Foundation Security Advisory 2023-18. For updates addressing lower severity vulnerabilities, see the Mozilla Foundation Security Advisories page. – 2023-05-10T19:45:51.000Z
- US-CERT: CISA releases 1 Industrial Control Systems Advisory – https://us-cert.cisa.gov/node/17919 (/ncas/current-activity/2022/08/25/cisa-releases-1-industrial-control-systems-advisory) – 2023-05-10T19:39:38.000Z
- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s May 2023 Security Update Guide and Deployment Information and apply the necessary updates. – 2023-05-09T20:55:53.000Z
- Mozilla has released security advisories to address vulnerabilities in Firefox and Firefox ESR. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply the necessary updates: Security Vulnerabilities fixed in Firefox 113 Mozilla Foundation Security Advisory 2023-16; Security Vulnerabilities fixed in Firefox ESR 102.11 Mozilla Foundation Security Advisory 2023-17. For updates addressing lower severity vulnerabilities, see the Mozilla Foundation Security Advisories page. – 2023-05-09T16:29:08.000Z
- CISA released two Industrial Control Systems (ICS) advisories on May 9, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-23-129-02 Hitachi Energy MSM; ICSA-21-334-02 Mitsubishi MELSEC and MELIPC Series (Update F). CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. – 2023-05-09T16:29:07.000Z
- Today, CISA and partners released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat. CISA urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage. – 2023-05-09T15:27:42.000Z
- Microsoft has released Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. According to Microsoft, “this guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting [CVE-2022-21894] via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.” An attacker could exploit this vulnerability to take control of an affected system. CISA urges users and organizations to review the Microsoft Blog Post for more information, and apply necessary detection, recovery, and prevention strategies. – 2023-04-11T19:21:39.000Z
- CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
- Hitachi Energy Gateway Station
- CISA Releases Decider Tool to Help with MITRE ATT&CK Mapping
- CISA Releases Three Industrial Control Systems Advisories
- Mitsubishi Electric MELSEC iQ-F Series (Update B)
- CISA Adds One Known Exploited Vulnerability to Catalog
- CISA Releases Two Industrial Control Systems Advisories
- VMware Releases Security Updates for Carbon Black App Control
- Cisco Releases Security Advisories for Multiple Products
- CISA Releases Three Industrial Control Systems Advisories
- PTC ThingWorx Edge
- US-CERT and ICS-CERT Transition to CISA
- CISA Urges Increased Vigilance One Year After Russia’s Invasion of Ukraine
- BD Alaris Infusion Central
- Siemens Simcenter Femap before V2023.1
- Siemens Mendix
- CISA Releases Fifteen Industrial Control Systems Advisories
- Siemens Brownfield Connectivity Client
- Mozilla Releases Security Updates for Thunderbird 102.8
- Mitsubishi Electric MELSOFT iQ AppPortal
- Siemens Solid Edge
- Fortinet Releases Security Updates for Multiple Products
- CISA Releases Two Industrial Control Systems Advisories
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
- Vulnerability Summary for the Week of February 13, 2023
- Cisco Releases Security Advisories for Multiple Products
- Adobe Releases Security Updates for Multiple Products
- Mozilla Releases Security Updates for Firefox 110 and Firefox ESR
- Citrix Releases Security Updates for Workspace Apps, Virtual Apps and Desktops
- CISA Adds Four Known Exploited Vulnerabilities to Catalog
- Microsoft Releases February 2023 Security Updates
- Vulnerability Summary for the Week of February 6, 2023
- Apple Releases Security Updates for Multiple Products
- CISA Releases One Industrial Control Systems Advisory
- AA23-040A: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
- US-CERT: AA23-040A #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities – https://us-cert.cisa.gov/node/18341 (/ncas/alerts/aa23-040a) – 2023-02-09T18:23:15.000Z
- US-CERT: #StopRansomware – Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities – https://us-cert.cisa.gov/node/18348 (/ncas/current-activity/2023/02/09/stopransomware-ransomware-attacks-critical-infrastructure-fund) – 2023-02-09T18:23:14.000Z
- CISA Releases Six Industrial Control Systems Advisories
- OpenSSL Releases Security Advisory
- AA23-039A: ESXiArgs Ransomware Virtual Machine Recovery Guidance
- ESXiArgs Ransomware Virtual Machine Recovery Guidance
- CISA and FBI Release ESXiArgs Ransomware Recovery Guidance
- Vulnerability Summary for the Week of January 30, 2023
- CISA Releases ESXiArgs Ransomware Recovery Script
- CISA Releases One Industrial Control Systems Advisory
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- CISA Releases Six Industrial Control Systems Advisories
- Cisco Releases Security Advisories for Multiple Products
- Drupal Releases Security Update to Address a Vulnerability in Apigee Edge
- VMware Releases Security Update for VMware vRealize Operations
- Vulnerability Summary for the Week of January 23, 2023
- CISA Releases One Industrial Control Systems Advisory
- ISC Releases Security Advisories for Multiple Versions of BIND 9
- AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software
- JCDC Announces 2023 Planning Agenda
- AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software
- CISA Has Added One Known Exploited Vulnerability to Catalog
- CISA Releases Eight Industrial Control Systems Advisories
- AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software
- Protecting Against Malicious Use of Remote Monitoring and Management Software
- CISA, NSA, and MS-ISAC Release Advisory on the Malicious Use of RMM Software
- AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software
- VMware Releases Security Updates for VMware vRealize Log Insight
- Vulnerability Summary for the Week of January 16, 2023
- Apple Releases Security Updates for Multiple Products
- CISA Releases Two Industrial Control Systems Advisories
- CISA Releases Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats
- CISA Adds One Known Exploited Vulnerability to Catalog
- Drupal Releases Security Advisories to Address Multiple Vulnerabilities
- Cisco Releases Security Advisory for Unified CM and Unified CM SME
- CISA Releases One Industrial Control Systems Advisory
- Mozilla Releases Security Updates for Firefox
- Vulnerability Summary for the Week of January 9, 2023
- CISA Adds One Known Exploited Vulnerability to Catalog
- CISA Updates Best Practices for Mapping to MITRE ATT&CK®
- CISA Releases Four Industrial Control Systems Advisories
- Juniper Networks Releases Security Updates for Multiple Products
- CISA Releases Twelve Industrial Control Systems Advisories
- Drupal Releases Security Update to Address Vulnerability in Private Taxonomy Terms
- NCSC-UK Releases Guidance on Using MSP for Administering Cloud Services
- Vulnerability Summary for the Week of January 2, 2023
- Microsoft Releases January 2023 Security Updates
- Adobe Releases Security Updates for Multiple Products
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- CISA Releases Two Industrial Control Systems Advisories
- AA22-335A: #StopRansomware: Cuba Ransomware
- CISA Releases Three Industrial Control Systems Advisories
- Fortinet Releases Security Updates for FortiADC
- Vulnerability Summary for the Week of December 26, 2022
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- Vulnerability Summary for the Week of December 19, 2022
- CISA Releases Four Industrial Control Systems Advisories
- CISA Releases Six Industrial Control Systems Advisories
- Vulnerability Summary for the Week of December 12, 2022
- Samba Releases Security Updates
- FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food
- CISA Releases Forty-One Industrial Control Systems Advisories
- CISA Consolidates Twitter Accounts
- Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths
- CISA Adds One Known Exploited Vulnerability to Catalog
- VMware Releases Security Updates for Multiple Products
- Apple Releases Security Updates for Multiple Products
- AA22-249A: #StopRansomware: Vice Society
- AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- AA22-257A: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- AA22-321A: #StopRansomware: Hive Ransomware
- AA22-277A: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
- AA22-265A: Control System Defense: Know the Opponent
- AA22-279A: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
- AA22-294A: #StopRansomware: Daixin Team
- AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- AA22-335A: #StopRansomware: Cuba Ransomware
- Microsoft Releases December 2022 Security Updates
- Mozilla Releases Security Updates for Thunderbird and Firefox
- AA22-335A: #StopRansomware: Cuba Ransomware
- NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing
- CISA Adds Five Known Exploited Vulnerabilities to Catalog
- CISA Updates Advisory on #StopRansomware: Cuba Ransomware
- AA22-335A: #StopRansomware: Cuba Ransomware
- Citrix Releases Security Updates for Citrix ADC, Citrix Gateway
- CISA Releases Three Industrial Control Systems Advisories
- Fortinet Releases Security Updates for FortiOS
- Vulnerability Summary for the Week of December 5, 2022
- Cisco Releases Security Advisory for IP Phone 7800 and 8800 Series
- CISA Releases Phishing Infographic
- CISA Releases Three Industrial Control Advisories
- AA22-335A: #StopRansomware: Cuba Ransomware
- Vulnerability Summary for the Week of November 28, 2022
- CISA Adds One Known Exploited Vulnerability to Catalog
- #StopRansomware: Cuba Ransomware (US-CERT, https://us-cert.cisa.gov/ncas/current-activity/2022/12/01/stopransomware-cuba-ransomware, node/18185, 2022-12-01T18:27:15.000Z)
- #StopRansomware: Cuba Ransomware (US-CERT, https://us-cert.cisa.gov/ncas/alerts/aa22-335a, node/18183, 2022-12-01T18:27:14.000Z)
- AA22-335A: #StopRansomware: Cuba Ransomware
- CISA Releases Three Industrial Control Systems Advisories
- AA22-335A: #StopRansomware: Cuba Ransomware
- CISA Releases Seven Industrial Control Systems Advisories
- Vulnerability Summary for the Week of November 21, 2022
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- AA22-321A: #StopRansomware: Hive Ransomware
- AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- CISA Releases Eight Industrial Control Systems Advisories
- Vulnerability Summary for the Week of November 14, 2022
- CISA, NSA, and ODNI Release Guidance for Customers on Securing the Software Supply Chain
- #StopRansomware: Hive (US-CERT, https://us-cert.cisa.gov/ncas/current-activity/2022/11/17/stopransomware-hive, node/18165, 2022-11-17T19:18:35.000Z)
- #StopRansomware: Hive Ransomware (US-CERT, https://us-cert.cisa.gov/ncas/alerts/aa22-321a, node/18160, 2022-11-17T19:18:35.000Z)
- CISA Releases Two Industrial Control Systems Advisories
- AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- Cisco Releases Security Updates for Identity Services Engine
- AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- Mozilla Releases Security Updates for Multiple Products
- Samba Releases Security Updates
- AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
- 10387061-1.v1 XMRig Cryptocurrency Mining Software
- CISA and FBI Release Advisory on Iranian Government-Sponsored APT Actors Compromising Federal Network
- CISA Releases One Industrial Control Systems Advisory
- Vulnerability Summary for the Week of November 7, 2022
- CISA Has Added One Known Exploited Vulnerability to Catalog
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA Updates Advisory on Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA Releases Twenty Industrial Control Systems Advisories
- 10410305-1.v1 JSP Webshell
- Cisco Releases Security Updates for Multiple Products
- CISA Releases SSVC Methodology to Prioritize Vulnerabilities
- Citrix Releases Security Updates for ADC and Gateway
- VMware Releases Security Updates
- Microsoft Releases November 2022 Security Updates
- CISA Adds Seven Known Exploited Vulnerabilities to Catalog
- Vulnerability Summary for the Week of October 31, 2022
- Cisco Releases Security Updates for Multiple Products
- Apple Releases Security Update for Xcode
- CISA Releases Three Industrial Control Systems Advisories
- OpenSSL Releases Security Update
- CISA Upgrades to TLP 2.0
- CISA Releases One Industrial Control Systems Advisory
- Vulnerability Summary for the Week of October 24, 2022
- CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication
- CISA Has Added One Known Exploited Vulnerability to Catalog
- VMware Releases Security Updates
- Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies
- CISA Releases Four Industrial Control Systems Advisories
- Apple Releases Security Updates for Multiple Products
- Samba Releases Security Updates
- CISA Upgrades to Version 2.0 of Traffic Light Protocol in One Week – Join Us!
- CISA Has Added One Known Exploited Vulnerability to Catalog
- CISA Releases Eight Industrial Control Systems Advisories
- Vulnerability Summary for the Week of October 17, 2022
- CISA Adds Six Known Exploited Vulnerabilities to Catalog
- #StopRansomware: Daixin Team (US-CERT, https://us-cert.cisa.gov/ncas/alerts/aa22-294a, node/18087, 2022-10-21T19:24:50.000Z)
- #StopRansomware: Daixin Team (US-CERT, https://us-cert.cisa.gov/ncas/current-activity/2022/10/21/stopransomware-daixin-team, node/18086, 2022-10-21T19:24:49.000Z)
- Cisco Releases Security Update for Cisco Identity Services Engine
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- CISA Releases Three Industrial Control Systems Advisories
- Mozilla Releases Security Updates for Firefox
- CISA Requests for Comment on Microsoft 365 Security Configuration Baselines
- Oracle Releases October 2022 Critical Patch Update
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA Updates Advisory on Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- 10398871-1.v2 Zimbra October Update
- Vulnerability Summary for the Week of October 10, 2022
- CISA Releases Two Industrial Control Systems Advisories
- CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool
- CISA Releases Twenty-Five Industrial Control Systems Advisories
- Adobe Releases Security Updates for Multiple Products
- Vulnerability Summary for the Week of October 3, 2022
- Microsoft Releases October 2022 Security Updates
- CISA Has Added One Known Exploited Vulnerability to Catalog
- CISA Releases Three Industrial Control Systems Advisories
- FBI and CISA Publish a PSA on Information Manipulation Tactics for 2022 Midterm Elections
- Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
- Top CVEs Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors
- Cisco Releases Security Updates for Multiple Products
- CISA Releases Two Industrial Control Systems Advisories
- AA22-277A: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
- Vulnerability Summary for the Week of September 26, 2022
- FBI and CISA Publish a PSA on Malicious Cyber Activity Against Election Infrastructure
- AA22-277A: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
- CISA Releases Five Industrial Control Systems Advisories
- Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
- MAR-10365227-3.v1 China Chopper Webshells
- Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
- MAR-10365227-2.v1 HyperBro
- MAR-10365227-1.v1 CovalentStealer
- CISA Issues Binding Operational Directive 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks
- Mozilla Releases Security Update for Thunderbird
- Drupal Releases Security Update
- Cisco Releases Security Updates for Multiple Products
- Hurricane-Related Scams
- Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server
- CISA Adds Three Known Exploited Vulnerabilities to Catalog
- VMWare Releases Guidance for VirtualPITA, VirtualPIE, and VirtualGATE Malware Targeting vSphere
- CISA Publishes User Guide to Prepare for Nov. 1 Move to TLP 2.0
- CISA Releases Six Industrial Control Systems Advisories
- CISA Updates Advisory on Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- Vulnerability Summary for the Week of September 19, 2022
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- MAR-10400779-1.v1 – Zimbra 1
- MAR-10401765-1.v1 – Zimbra 3
- MAR-10400779-2.v1 – Zimbra 2
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA Releases Three Industrial Control Systems Advisories
- CISA Has Added One Known Exploited Vulnerability to Catalog
- Control System Defense: Know the Opponent
- CISA Releases Three Industrial Control Systems Advisories
- CISA and NSA Publish Joint Cybersecurity Advisory on Control System Defense
- ISC Releases Security Advisories for Multiple Versions of BIND 9
- AA22-265A: Control System Defense: Know the Opponent
- Microsoft Releases Out-of-Band Security Update for Microsoft Endpoint Configuration Manager
- Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
- AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- Vulnerability Summary for the Week of September 12, 2022
- CISA Releases Eight Industrial Control Systems Advisories
- CISA Adds Six Known Exploited Vulnerabilities to Catalog
- CISA and NSA Publish Open Radio Access Network Security Considerations
- CISA Releases Eleven Industrial Control Systems Advisories
- AA22-257A: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
- Iranian Islamic Revolutionary Guard Corps Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- Adobe Releases Security Updates for Multiple Products
- Microsoft Releases September 2022 Security Updates
- CISA Releases Five Industrial Control Systems Advisories
- Apple Releases Security Updates for Multiple Products
- Vulnerability Summary for the Week of September 5, 2022
- Cisco Releases Security Updates for Multiple Products
- CISA Adds Twelve Known Exploited Vulnerabilities to Catalog
- CISA Releases Four Industrial Control Systems Advisories
- Vulnerability Summary for the Week of August 29, 2022
- #StopRansomware: Vice Society (US-CERT, https://us-cert.cisa.gov/ncas/alerts/aa22-249a, node/17941, 2022-09-06T17:26:19.000Z)
- #StopRansomware: Vice Society (US-CERT, https://us-cert.cisa.gov/ncas/current-activity/2022/09/06/stopransomware-vice-society, node/17947, 2022-09-06T17:26:19.000Z)
- CISA Releases Five Industrial Control Systems Advisories
- Mozilla Releases Security Update for Thunderbird
- CISA, NSA, and ODNI Release Part One of Guidance on Securing the Software Supply Chain
- Apple Releases Security Updates for Multiple Products
- CISA releases two Industrial Control Systems Advisories
- Vulnerability Summary for the Week of August 22, 2022
- CISA Releases 12 Industrial Control Systems Advisories
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA releases 1 Industrial Control Systems Advisory
- AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
- CISA Adds Ten Known Exploited Vulnerabilities to Catalog
- CISA releases 1 Industrial Control Systems Advisory
- Cisco Releases Security Updates for Multiple Products
- Preparing Critical Infrastructure for Post-Quantum Cryptography
- Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
- VMware Releases Security Update
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA releases 7 Industrial Control Systems Advisories
- Vulnerability Summary for the Week of August 15, 2022
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA Updates Advisory on Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- CISA Adds One Known Exploited Vulnerability to Catalog
- AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
- AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- Cisco Releases Security Update for Cisco Secure Web Appliance
- Apple Zero Day (Aug 2022) and List of Apple App Updates
- CISA Adds Seven Known Exploited Vulnerabilities to Catalog
- Chrome browser gets 11 security fixes with 1 zero-day – update now!
- CISA releases 5 Industrial Control Systems Advisories
- Apple Releases Security Updates for Multiple Products
- Cisco Releases Security Update for Cisco Secure Web Appliance
- AA22-158A: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
- AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
- AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
- AA22-152A: Karakurt Data Extortion Group
- AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
- AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- AA22-158A: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
- AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
- AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
- AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
- AA22-152A: Karakurt Data Extortion Group
- AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- Threat Actors Exploiting Multiple Vulnerabilities Against Zimbra Collaboration Suite
- AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
- AA21-336A: APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
- AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
- Chrome browser gets 11 security fixes with 1 zero-day – update now!
- AA21-336A: APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
- AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
- AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
- AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- AA22-152A: Karakurt Data Extortion Group
- AA22-057A: Destructive Malware Targeting Organizations in Ukraine
- AA22-131A: Protecting Against Cyber Threats to Managed Service Providers and their Customers
- AA22-103A: APT Cyber Tools Targeting ICS/SCADA Devices
- AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware
- AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
- AA22-076A: Strengthening Cybersecurity of SATCOM Network Providers and Customers
- AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
- AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access
- AA21-243A: Ransomware Awareness for Holidays and Weekends
- AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
- AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability
- AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
- AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
- AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access
- Exploitation Of Fortinet FortiOS Vulnerabilities
- Gdown – Google Explains Dec 2020 Outage
- Agility Doors Open

Reasons to Choose Agility Networks
I.T. Services for Your Business Remote or In-Person. Services throughout Midwest – Chicago Based

Testimonials

Locations

Newsletter Sign-up and Archive

Who We Are

Agent Core – Two Factor Authentication

Microsoft Office 365 Suite

Purchasing

Office 365 Application Suite

SharePoint Services

I.T. Security: Threat Solution Management & Ethical Hacking
Firewall Solutions, Penetration (PEN) Testing, Application PEN, Vulnerability Assessments, Wireless Network Security Installations (Secure, Mesh, Remote Management), Zero-Day Solutions and Mitigation.

Pen Testing (perimeter / firewalls)

Pen Testing (applications)

Phishing Testing

Anti-Virus & Anti-Malware – I.T. Security

Cylance Protect End-Point Security / On-Site MSSP Consulting

Firewalls

Microsoft Azure
Highly scalable (small to enormous), ever-growing cloud integrated analytics, computing, database, mobile, networking, storage, and web.

Disaster Recovery

Virtual Desktop Interface (VDI)

Remote Desktop Services (RDS)

Full I.T. Outsourcing

Cloud Migration Services
Migrate to the Cloud, Management of Purchased Cloud Services, Migrations from the Cloud.

I.T. Audits And I.T. Assessments

Business Continuity

Wireless Products / Services
Wired, Wireless, Wireless Access Points, Surveys, Wired Headspace Testing, and all things 802.11/Wired.

Systems Virtualization & Consolidation

IT Services and IT Projects

Book Chicago IT Firm Time

Sitemap

Privacy Policy

Office 365 Free Trial

Visio

Yammer

Project

Storage

Word Online

Excel Online

Exchange Online

Sharepoint Online

Skype For Business

Office 365 For Ipad

Onedrive For Business

Service Request

AMP Enterprise

Chicago MSP Cost Calculator Cost Estimator
Frameworkit

Client Portal

Please Read
A particular person/party stole our site and is scamming people; a government agency has an open case file. Please help us help many. We are victims too. There is an Internet IC3 form you can search for and fill out against them. You can call our offices during normal business hours, Central Standard Time (GMT-5).

Estimate Received

Newsletter Sign Up

IT Services Projects 2

Thank You for Contacting Us

Additional Microsoft Office 365 Information