Delta Electronics DIAEnergie

2 months ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Delta Electronics
  • Equipment: DIAEnergie
  • Vulnerabilities: SQL Injection
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve records or cause a denial of service.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:

  • DIAEnergie: Versions v1.10.01.008 and prior.
3.2 Vulnerability Overview 3.2.1 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.

CVE-2024-43699 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43699. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 SQL Injection CWE-89

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause delay in the targeted product.

CVE-2024-42417 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-42417. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from Delta Electronics' regional sales or agents.

For more information on this issue, please see the Delta product cybersecurity advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 3, 2024: Initial Publication
CISA

Optigo Networks ONS-S8 Spectra Aggregation Switch

2 months ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Optigo Networks
  • Equipment: ONS-S8 - Spectra Aggregation Switch
  • Vulnerabilities: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Weak Authentication
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, arbitrary file upload, or bypass authentication.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of ONS-S8 - Spectra Aggregation Switch, an OT network management device, are affected:

  • ONS-S8 - Spectra Aggregation Switch: 1.3.7 and prior
3.2 Vulnerability Overview 3.2.1 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION') CWE-98

The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.

CVE-2024-41925 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41925. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 WEAK AUTHENTICATION CWE-1390

The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password.

CVE-2024-45367 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45367. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada
3.4 RESEARCHER

Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Optigo Networks recommends users always use a unique management VLAN for the port on the ONS-S8 that is used to connect to OneView.

Optigo Networks also recommends users implement at least one of the following additional mitigations:

  • Use a dedicated NIC on the BMS computer and exclusively this computer for connecting to OneView to manage your OT network configuration.
  • Set up a router firewall with a white list for the devices permitted to access OneView.
  • Connect to OneView via secure VPN.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 1, 2024: Initial Publication
CISA

Mitsubishi Electric MELSEC iQ-F FX5-OPC

2 months ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: MELSEC iQ-F FX5-OPC
  • Vulnerability: NULL Pointer Dereference
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a Denial-of-Service (DoS) condition on the product by getting a legitimate user to import a specially crafted PKCS#12 format certificate.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

  • MELSEC iQ-F FX5-OPC: All versions
3.2 Vulnerability Overview 3.2.1 NULL POINTER DEREFERENCE CWE-476

A Denial-of-Service (DoS) vulnerability due to NULL Pointer Dereference when processing PKCS#12 format certificate exists in OpenSSL installed on MELSEC iQ-F OPC UA Unit. Because OpenSSL does not correctly check if a certain field in the PKCS#12 format certificate is NULL, a NULL pointer dereference occurs when the field is NULL, causing the product to enter a Denial-of-Service condition.

CVE-2024-0727 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigations to minimize the risk of exploiting this vulnerability:

  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Restrict physical access to the product, as well as to computers and network devices located within the same network as the product.
  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual. MELSEC iQ-F FX5 OPC UA Module User's Manual "4.4 IP Filter"
  • Do not import untrusted certificates.

For additional details, see Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • October 1, 2024: Initial Publication
CISA

Atelmo Atemio AM 520 HD Full HD Satellite Receiver

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: Atelmo
  • Equipment: Atemio AM 520 HD Full HD Satellite Receiver
  • Vulnerability: OS Command Injection
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthorized attacker to execute system commands with elevated privileges.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Atelmo Atemio AM 520 HD, a satellite receiver, are affected:

  • Atemio AM 520 HD: TitanNit 2.01 and prior
3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access.

CVE-2024-9166 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-9166. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Germany
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to Atelmo.

4. MITIGATIONS

Atelmo has stated that this product has been discontinued. There are no service or support addresses that can be contacted.

For more information, contact Atelmo.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 26, 2024: Initial Publication
CISA

goTenna Pro ATAK Plugin

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 7.1
  • ATTENTION: Low attack complexity
  • Vendor: goTenna
  • Equipment: Pro ATAK Plugin
  • Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected:

  • goTenna Pro ATAK Plugin: Versions 1.9.12 and prior
3.2 Vulnerability Overview 3.2.1 Weak Password Requirements CWE-521

The goTenna Pro ATAK Plugin uses a weak password for the QR broadcast message. If the QR broadcast message is captured over RF it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast.

CVE-2024-45374 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45374. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Insecure Storage of Sensitive Information CWE-922

In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.

CVE-2024-43694 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-43694. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Missing Support for Integrity Check CWE-353

The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to any attacker that can access the message.

CVE-2024-43108 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).

A CVSS v4 score has also been calculated for CVE-2024-43108. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 Cleartext Transmission of Sensitive Information CWE-319

The goTenna Pro ATAK Plugin does not encrypt the callsigns of its users. These callsigns reveal information about the users and can also be leveraged for other vulnerabilities.

CVE-2024-45838 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45838. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338

The goTenna Pro ATAK Plugin does not use SecureRandom when generating its cryptographic keys. The random function in use is not suitable for cryptographic use.

CVE-2024-45723 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45723. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.6 Weak Authentication CWE-1390

In the goTenna Pro ATAK Plugin there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing gotenna mesh networks. This vulnerability can be exploited if the device is being used in a unencrypted environment or if the cryptography has already been compromised.

CVE-2024-41722 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41722. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Insertion of Sensitive Information Into Sent Data CWE-201

The goTenna Pro ATAK Plugin broadcast key name is always sent unencrypted and could reveal the location of operation.

CVE-2024-41931 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41931. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Observable Response Discrepancy CWE-204

The goTenna Pro ATAK Plugin has a payload length vulnerability that makes it possible to tell the length of the payload regardless of the encryption used.

CVE-2024-41715 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41715. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Insertion of Sensitive Information Into Sent Data CWE-201

goTenna Pro ATAK Plugin by default enables frequent unencrypted Position, Location and Information (PLI) transmission. This transmission is done without user's knowledge, revealing the exact location transmitted in unencrypted form.

CVE-2024-43814 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-43814. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services and Facilities
  • COUNTRIES/AREAS DEPLOYED: United States
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.

4. MITIGATIONS

goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

  • ATAK Plugin: v2.0.7 or greater

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

  • Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
  • Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
  • Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

  • Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
  • Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
  • Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • September 26, 2024: Initial Publication
CISA

Advantech ADAM-5630

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Advantech
  • Equipment: ADAM-5630
  • Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user's session, perform cross-site request forgery, or cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Advantech's ADAM are affected:

  • Advantech ADAM-5630: versions prior to v2.5.2
3.2 Vulnerability Overview 3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539

Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.

CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39275. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

CVE-2024-28948 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28948. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 WEAK ENCODING FOR PASSWORD CWE-261

User credentials are shared in plain text, between the device and the user source device, during the login process.

CVE-2024-34542 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-34542. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The device has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by the device automatically, without discrimination of origin or level of privileges of the user sending the commands.

CVE-2024-39364 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-39364. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.

4. MITIGATIONS

Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • September 26, 2024: Initial Publication
CISA

goTenna Pro X and Pro X2 (Update A)

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Low attack complexity
  • Vendor: goTenna
  • Equipment: Pro series
  • Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of goTenna Pro series, mesh networking device, are affected:

  • goTenna Pro App: versions 1.6.1 and prior
3.2 Vulnerability Overview 3.2.1 Weak Password Requirements CWE-521

The goTenna Pro App uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is recommended to use local QR encryption key sharing for additional security on this and previous versions.

CVE-2024-47121 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47121. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Insecure Storage of Sensitive Information CWE-922

In the goTenna Pro App, the encryption keys are stored along with a static IV on the End User Device (EUD). This allows for complete decryption of keys stored on the EUD if physically compromised. This allows an attacker to decrypt all encrypted broadcast communications based on encryption keys stored on the EUD. This requires access to and control of the EUD, so it is recommended to use strong access control measures and layered encryption on the EUD for more secure operation.

CVE-2024-47122 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47122. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Missing Support for Integrity Check CWE-353

The goTenna Pro App uses AES CTR type encryption for short, encrypted messages without any additional integrity checking mechanisms. This leaves messages malleable to an attacker that can access the message. It is recommended to continue to use encryption in the app and update to the current release for more secure operations.

CVE-2024-47123 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)).

A CVSS v4 score has also been calculated for CVE-2024-47123. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 Cleartext Transmission of Sensitive Information CWE-319

The goTenna Pro App does not encrypt callsigns in messages. It is recommended to not use sensitive information in callsigns when using this and previous versions of the app and update your app to the current app version which uses AES-256 encryption for callsigns in encrypted operation.

CVE-2024-47124 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47124. A base score of 2.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Improper Restriction of Communication Channel to Intended Endpoints CWE-923

The goTenna Pro App does not authenticate public keys which allows an unauthenticated attacker to manipulate messages. It is advised to update your app to the current release for enhanced encryption protocols.

CVE-2024-47125 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47125. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338

The goTenna Pro App does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast of an encryption key, so it is advised to share the key with local QR code for higher security operations.

CVE-2024-47126 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47126. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Weak Authentication CWE-1390

In the goTenna Pro App there is a vulnerability that makes it possible to inject any custom message with any GID and Callsign using a software defined radio in existing goTenna mesh networks. This vulnerability can be exploited if the device is being used in an unencrypted environment or if the cryptography has already been compromised. It is advised to share encryption keys via QR scanning for higher security operations and update your app to the current release for enhanced encryption protocols.

CVE-2024-47127 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47127. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Insertion of Sensitive Information Into Sent Data CWE-201

The goTenna Pro App encryption key name is always sent unencrypted when the key is shared over RF through a broadcast message. It is advised to share the encryption key via local QR for higher security operations.

CVE-2024-47128 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47128. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Observable Response Discrepancy CWE-204

The goTenna Pro App does not inject extra characters into broadcasted frames to obfuscate the length of messages. This makes it possible to tell the length of the payload regardless of the encryption used.

CVE-2024-47129 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-47129. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.10 Missing Authentication for Critical Function CWE-306

The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P and group messages. It is advised to update your app to the current release for enhanced encryption protocols.

CVE-2024-47130 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47130. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Government Services and Facilities
  • COUNTRIES/AREAS DEPLOYED: United States
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Erwin Karincic, Clayton Smith, and Dale Wooden reported this these vulnerabilities to CISA.

4. MITIGATIONS

goTenna recommends that users mitigate these vulnerabilities by performing the following updates:

  • Android Pro: v2.0.3 or greater
  • iOS Pro: v2.0.3 or greater

goTenna recommends that users follow these mitigations:

General Mitigations for All Users/Clients

  • Use Discreet Callsigns and Key Names: Choose callsigns and key names that do not disclose sensitive information, such as your location, team size, or team name. Avoid using any identifiers that could inadvertently reveal your location or the composition of your team.
  • Secure End-User Devices: Implement strong security measures on all end-user devices, including the use of encryption and ensuring regular software updates.
  • Follow Key Rotation Best Practices: Regularly rotate encryption keys according to industry best practices to maintain ongoing security.

Pro-Specific Mitigations

  • Share Encryption Keys via QR Code: Utilize QR codes, similar to ATAK, for the secure exchange of encryption keys.
  • Secure Broadcasting: When broadcasting, ensure you are in a secured area and transmit the key at a reduced power of 0.5 Watts to limit exposure.
  • Leverage Layered Encryption: Implement layered encryption keys to securely manage communications, whether interacting with individuals or teams.

If you have any questions please contact prosupport@gotenna.com.

goTenna recommends users follow their secure operating best practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • September 26, 2024: Initial Publication
  • October 17, 2024: Update A - Updates were made to Vulnerability Overview, Affected Products, and Mitigations.
CISA

Advantech ADAM-5550

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Low attack complexity
  • Vendor: Advantech
  • Equipment: ADAM-5550
  • Vulnerabilities: Weak Encoding for Password, Cross-site Scripting
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the easily decodable credentials of a legitimate user to gain full access to the device and could plant malicious code on the web page of the device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Advantech's ADAM, are affected:

  • Advantech ADAM 5550: All versions
3.2 Vulnerability Overview 3.2.1 WEAK ENCODING FOR PASSWORD CWE-261

User credentials are shared with a low level of encryption, consisting of base 64 encoding.

CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output.

CVE-2024-38308 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-38308. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.

4. MITIGATIONS

ADAM-5550 is currently being phased out, and Advantech strongly recommends all ADAM-5550 users upgrade to ADAM-5630 firmware version 2.5.2 or higher.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • September 26, 2024: Initial Publication
CISA

OMNTEC Proteus Tank Monitoring

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: OMNTEC Mfg., Inc.
  • Equipment: Proteus Tank Monitoring
  • Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform administrative actions without proper authentication.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following version of Proteus Tank Monitoring is affected:

  • OMNTEC Proteus Tank Monitoring: OEL8000III Series
3.2 Vulnerability Overview 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product could allow an attacker to perform administrative actions without proper authentication.

CVE-2024-6981 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6981. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Pedro Umbelino of Bitsight reported this vulnerability to CISA.

4. MITIGATIONS

OMNTEC Mfg., Inc. has not responded to CISA's requests to coordinate at this time. Users can reach out to the vendor on their website.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 24, 2024: Initial Publication
CISA

Franklin Fueling Systems TS-550 EVO

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Franklin Fueling Systems
  • Equipment: TS-550 EVO Automatic Tank Gauge
  • Vulnerability: Absolute Path Traversal
2. RISK EVALUATION

Successful exploitation of this vulnerability allow an attacker to gain administrative access over the affected device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Franklin Fueling Systems products are affected:

  • TS-550 EVO: Versions prior to 2.26.4.8967
3.2 Vulnerability Overview 3.2.1 ABSOLUTE PATH TRAVERSAL CWE-36

Franklin Fueling Systems TS-550 EVO versions prior to 2.26.4.8967 possess a file that can be read arbitrarily that could allow an attacker obtain administrator credentials.

CVE-2024-8497 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-8497. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Pedro Umbelino of Bitsight reported this vulnerability to CISA.

4. MITIGATIONS

Franklin Fueling Systems recommends users update to 2.26.4.8967.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 24, 2024: Initial Publication
CISA

Moxa MXview One

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 6.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Moxa
  • Equipment: MXview One, MXview One Central Manager Series
  • Vulnerabilities: Cleartext Storage In A File or On Disk, Path Traversal, Time-of-Check Time-of-Use Race Condition
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to expose local credentials and write arbitrary files to the system, resulting in execution of malicious code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Moxa products are affected:

  • MXview One Series: Versions 1.4.0 and prior
  • MXview One Central Manager Series: Version 1.0.0
3.2 Vulnerability Overview 3.2.1 CLEARTEXT STORAGE IN A FILE OR ON DISK CWE-313

The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially resulting in the service being abused because of sensitive information exposure.

CVE-2024-6785 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-6785. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N).

3.2.2 PATH TRAVERSAL: '../filedir' CWE-24

The vulnerability allows an attacker to craft MQTT messages that include relative path traversal sequences, enabling them to read arbitrary files on the system. This could lead to the disclosure of sensitive information, such as configuration files and JWT signing secrets.

CVE-2024-6786 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-6786. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 TIME-OF-CHECK TIME-OF-USE (TOCTOU) RACE CONDITION CWE-367

This vulnerability occurs when an attacker exploits a race condition between the time a file is checked and the time it is used (TOCTOU). By exploiting this race condition, an attacker can write arbitrary files to the system. This could allow the attacker to execute malicious code and potentially cause file losses.

CVE-2024-6787 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-6787. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Noam Moshe of Claroty Research - Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

Moxa recommends the following to address the vulnerabilities:

  • MXview One Series: Upgrade to v1.4.1
  • MXview One Cerntral Manager Series: Upgrade to v1.0.3
  • Minimize network exposure to ensure the device is not accessible from the Internet.
  • Change the default credentials immediately upon first login to the service. This helps enhance security and prevent unauthorized access.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 24, 2024: Initial Publication
CISA

Alisonic Sibylla

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Alisonic
  • Equipment: Sibylla
  • Vulnerability: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker obtaining device information from the database, dumping credentials, or potentially gaining administrator access.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Sibylla, an automated tank gauge, are affected:

  • Sibylla: All Versions
3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89

Alisonic Sibylla devices are vulnerable to SQL injection attacks, which could allow complete access to the database.

CVE-2024-8630 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-8630. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Pedro Umbelino of Bitsight reported this vulnerability to CISA.

4. MITIGATIONS

Alisonic did not respond to CISA's attempts at coordination. Users of Alisonic Sibylla are encouraged to contact Alisonic (Telephone: +39 0362 1547580, Email: info@alisonic.it) and keep their systems up to date.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 24, 2024: Initial Publication
CISA

Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Dover Fueling Solutions (DFS)
  • Equipment: ProGauge MAGLINK LX CONSOLE
  • Vulnerabilities: Command Injection, Improper Privilege Management, Use of Hard-coded Password, Cross-site Scripting, Authentication Bypass Using an Alternate Path or Channel
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to gain full control of the system.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE, tank gauge consoles, are affected:

  • ProGauge MAGLINK LX CONSOLE: Versions 3.4.2.2.6 and prior
  • ProGauge MAGLINK LX4 CONSOLE: Versions 4.17.9e and prior
3.2 Vulnerability Overview 3.2.1 Command Injection CWE-77

A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands.

CVE-2024-45066 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45066. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 Command Injection CWE-77

A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands.

CVE-2024-43693 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43693. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 Improper Privilege Management CWE-269

Once logged in to ProGauge MAGLINK LX4 CONSOLE, a valid user can change their privileges to administrator.

CVE-2024-45373 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45373. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Use of Hard-coded Password CWE-259

The web application for ProGauge MAGLINK LX4 CONSOLE contains an administrative-level user account with a password that cannot be changed.

CVE-2024-43423 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43423. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Authentication Bypass Using an Alternate Path or Channel CWE-288

An attacker can directly request the ProGauge MAGLINK LX CONSOLE resource sub page with full privileges by requesting the URL directly.

CVE-2024-43692 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43692. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 Cross-site Scripting CWE-79

ProGauge MAGLINK LX CONSOLE does not have sufficient filtering on input fields that are used to render pages which may allow cross site scripting.

CVE-2024-41725 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41725. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: North America
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Pedro Umbelino of Bitsight reported these vulnerabilities to CISA.

4. MITIGATIONS

Dover Fueling Solutions released a new software update version 4.19.10 for the MagLink LX console to address these vulnerabilities. The software release is available for installation on consoles through DFS's authorized service organizations in North America. North American users can reach DFS's customer support team by telephone at 877-679-8324.

DFS strongly encourages users of MagLink products to:

  • Install MagLink consoles behind firewalls for security.
  • Monitor and install updates on a timely basis.
  • Contact DFS customer support with any questions about operations or updates of MagLink software.

Alternatively, MagLink may operate offfline or disconnected from a network.

Registered MagLink customers have access to technical information, updates, and technical bulletins via a DFS proprietary portal.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 24, 2024: Initial Publication
CISA

OPW Fuel Management Systems SiteSentinel

2 months 1 week ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: OPW Fuel Managements Systems
  • Equipment: SiteSentinel
  • Vulnerability: Missing Authentication For Critical Function
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and obtain full administrative privileges to the server.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following OPW Fuel Management Systems products are affected:

  • SiteSentinel: Versions prior to 17Q2.1
3.2 Vulnerability Overview 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product could allow an attacker to bypass authentication to the server and obtain full admin privileges.

CVE-2024-8310 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8310. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Pedro Umbelino of Bitsight reported this vulnerability to CISA.

4. MITIGATIONS

OPW Fuel Management Systems' parent company, Dover Fueling Systems (DFS), recommends users install all versions of the product behind a firewall as primary protection.

DFS recommends user running versions prior to V17Q.2.1 upgrade to V17Q.2.1. Users with products that were distributed with versions newer than V17Q.2.1 should contact DFS using the link below to confirm that their build has the required fixes.

The software is available to authorized service providers for DFS products. Users should contact DFS service providers to have the software on their system upgraded or changed.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 24, 2024: Initial Publication
CISA

Kastle Systems Access Control System

2 months 2 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Kastle Systems
  • Equipment: Access Control System
  • Vulnerabilities: Use of Hard-coded Credentials, Cleartext Storage of Sensitive Information
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information on the affected product.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Kastle Systems Access Control System are affected:

  • Access Control System: Firmware before May 1, 2024
3.2 Vulnerability Overview 3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

Kastle Systems firmware prior to May 1, 2024, contained a hard-coded credential, which if accessed may allow an attacker to access sensitive information.

CVE-2024-45861 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45861. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N).

3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

Kastle Systems firmware prior to May 1, 2024, stored machine credentials in cleartext, which may allow an attacker to access sensitive information.

CVE-2024-45862 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45862. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Government Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

evildaemond (Adam Foster) reported these vulnerabilities to CISA.

4. MITIGATIONS

Kastle Systems have fixed the system configuration vulnerabilities internally. No user interaction is required.

CISA would like to highlight that this is a cloud-based solution hosted by Kastle Systems, and CISA's traditional mitigation strategies may not be applicable in this context.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities have been reported to CISA at this time.

5. UPDATE HISTORY
  • September 19, 2024: Initial Publication
CISA

IDEC PLCs

2 months 2 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v3 5.3
  • ATTENTION: Low Attack Complexity
  • Vendor: IDEC Corporation
  • Equipment: IDEC PLCs
  • Vulnerabilities: Cleartext Transmission of Sensitive Information, Generation of Predictable Identifiers
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain user authentication information or disrupt communication.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of IDEC PLCs are affected:

  • FC6A Series MICROSmart All-in-One CPU module: Ver.2.60 and prior
  • FC6B Series MICROSmart All-in-One CPU module: Ver.2.60 and prior
  • FC6A Series MICROSmart Plus CPU module: Ver.2.40 and prior
  • FC6B Series MICROSmart Plus CPU module: Ver.2.60 and prior
  • FT1A Series SmartAXIS Pro/Lite: Ver.2.41 and prior (affected only by CVE-2024-41927)
3.2 Vulnerability Overview 3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected products are vulnerable to a cleartext vulnerability that could allow an attacker to obtain user authentication information.

CVE-2024-41927 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 GENERATION OF PREDICTABLE NUMBERS OR IDENTIFIERS CWE-340

The affected products are vulnerable to a predictable identifiers vulnerability, which may allow an attacker to disrupt communications.

CVE-2024-28957 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Critical Manufacturing, Energy, Transportation
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER

IDEC Corporation reported these vulnerabilities to CISA.

4. MITIGATIONS

Apply the appropriate software update according to the information provided by the developer:

  • FC6A Series MICROSmart All-in-One CPU module: Ver.2.70 and later
  • FC6B Series MICROSmart All-in-One CPU module: Ver.2.70 and later
  • FC6A Series MICROSmart Plus CPU module: Ver.2.50 and later
  • FC6B Series MICROSmart Plus CPU module: Ver.2.70 and later
  • FT1A Series SmartAXIS Pro/Lite: Ver.2.50 and later

For more information, reference the IDEC Corporation advisory:

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 19, 2024: Initial Publication
CISA

MegaSys Computer Technologies Telenium Online Web Application

2 months 2 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: MegaSys Computer Technologies
  • Equipment: Telenium Online Web Application
  • Vulnerability: Improper Input Validation
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following MegaSys Computer Technologies products are affected:

  • Telenium Online Web Application: versions 8.3 and prior
3.2 Vulnerability Overview 3.2.1 IMPROPER INPUT VALIDATION CWE-20

Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server.

CVE-2024-6404 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6404. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Information Technology, Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada
3.4 RESEARCHER

Blake Rash and Bryan Sears reported this vulnerability to CISA.

4. MITIGATIONS

MegaSys Computer technologies released the following patches:

  • Telenium Online Web Application: v7.4.72
  • Telenium Online Web Application: v8.3.36

If users are unable to promptly install the patched versions that address the vulnerability, MegaSys Computer Technologies recommends mitigating the risk by disabling the web/browser-based interface.

For additional information or assistance, contact Megasys Computer Technologies support directly.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 19, 2024: Initial Publication
CISA

Rockwell Automation RSLogix 5 and RSLogix 500

2 months 2 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v4 8.8
  • ATTENTION: Exploitable locally/high attack complexity
  • Vendor: Rockwell Automation
  • Equipment: RSLogix 5 and RSLogix 500
  • Vulnerability: Insufficient verification of data authenticity
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation RSLogix 5 and RSLogix 500, a programming software, are affected:

  • RSLogix 500: All versions
  • RSLogix Micro Developer and Starter: All versions
  • RSLogix 5: All versions
3.2 Vulnerability Overview 3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution.

CVE-2024-7847 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7847. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Sharon Brizinov of Claroty Research - Team82 reported this vulnerability to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation offers users the following solutions:

Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible:

  • Deny the execution feature in FactoryTalk Administration Console, when not needed, by navigating to "Policies", selecting ‘"Enable/Disable VBA", and then checking the "Deny" box to block VBA code execution.
  • Save project files in a Trusted location where only administrators can modify it and verify file integrity.
  • Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY
  • September 19, 2024: Initial Publication
CISA

IDEC CORPORATION WindLDR and WindO/I-NV4

2 months 2 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v3 5.9
  • ATTENTION: Exploitable remotely
  • Vendor: IDEC Corporation
  • Equipment: WindLDR, WindO/I-NV4
  • Vulnerability: Cleartext Storage of Sensitive Information
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of WindLDR and WindO/I-NV4 are affected:

  • WindLDR: Ver.9.1.0 and prior
  • WindO/I-NV4: Ver.3.0.1 and prior
3.2 Vulnerability Overview 3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

The affected products are vulnerable to a cleartext vulnerability that could allow an attacker to obtain user authentication information.

CVE-2024-41716 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Food and Agriculture, Critical Manufacturing, Energy, Transportation
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER

Yuki Meguro of Toinx Co., Ltd. reported this vulnerability to IPA.

4. MITIGATIONS

Apply the appropriate software update according to the information provided by the developer:

  • WindLDR: Ver.9.2.0
  • WindO/I-NV4: Ver.3.1.0

For more information, reference the IDEC Corporation advisory:

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY
  • September 19, 2024: Initial Publication
CISA

Millbeck Communications Proroute H685t-w

2 months 2 weeks ago

View CSAF

1. EXECUTIVE SUMMARY
  • CVSS v3 8.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Millbeck Communications
  • Equipment: Proroute H685t-w
  • Vulnerabilities: Command Injection, Cross-site Scripting
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary commands on the device's operating system.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Millbeck Communications Proroute H685t-w, a 4G router, are affected:

  • Proroute H685t-w: Version 3.2.334
3.2 Vulnerability Overview 3.2.1 Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-77

There is a command injection vulnerability that may allow an attacker to inject malicious input on the device's operating system.

CVE-2024-45682 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79

This vulnerability occurs when user-supplied input is improperly sanitized and then reflected back to the user's browser, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser session.

CVE-2024-38380 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L).

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom
3.4 RESEARCHER

Joe Lovett from Pen Test Partners reported these vulnerabilities to CISA.

4. MITIGATIONS

Millbeck Communications recommends that users download the firmware patch v3.2.335 or higher.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • September 17, 2024: Initial Publication
CISA