Fortinet Releases Security Updates for Multiple Products

Fortinet has released security updates to address vulnerabilities in multiple products, including FortiOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following advisories and apply necessary updates:

  • FG-IR-23-396 ReadOnly Users Could Run Some Sensitive Operations
  • FG-IR-23-475 FortiOS – SSLVPN Session Hijacking Using SAML Authentication
  • FG-IR-24-144 Privilege Escalation via Lua Auto Patch Function
  • FG-IR-24-199 Named Pipes Improper Access Control


Adobe Releases Security Updates for Multiple Products

Adobe released security updates to address multiple vulnerabilities in Adobe software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:

  • Security update available for Adobe Bridge | APSB24-77
  • Security update available for Adobe Audition | APSB24-83
  • Security update available for Adobe After Effects | APSB24-85
  • Security update available for Adobe Substance 3D Painter | APSB24-86
  • Security update available for Adobe Illustrator | APSB24-87
  • Security update available for Adobe InDesign | APSB24-88
  • Security update available for Adobe Photoshop | APSB24-89
  • Security update available for Adobe Commerce | APSB24-90


CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability
  • CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
  • CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.


Ivanti Releases Security Updates for Multiple Products

Ivanti released security updates to address vulnerabilities in Ivanti Endpoint Manager (EPM), Ivanti Avalanche, Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client.

CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates:

  • Ivanti Security Advisory EPM
  • Ivanti Security Advisory Avalanche
  • Ivanti Security Advisory Connect Secure, Ivanti Policy Secure, and Ivanti Security Access Client


JCDC’s Collaborative Efforts Enhance Cybersecurity for the 2024 Olympic and Paralympic Games

The Cybersecurity and Infrastructure Security Agency (CISA), through the Joint Cyber Defense Collaborative (JCDC), enabled proactive coordination and information sharing to bolster cybersecurity ahead of the 2024 Olympic and Paralympic Games in Paris. Recognizing the potential for cyber threats targeting the Games, CISA worked to strengthen U.S. private sector ties and facilitate connections with key French counterparts to promote collective defense measures.

Utilizing its role as a key facilitator between public and private sector partners, JCDC established monitoring channels and launched cyber threat information-sharing forums to prepare for significant incidents. Throughout the Games, JCDC industry partners remained vigilant, promptly alerting CISA to any potential impacts on Olympic and Paralympic activities. This allowed CISA to provide prompt updates and share critical information with the French Agence Nationale de la Sécurité des Systèmes d’Information to aid swift response efforts.

This collaboration underscores JCDC’s essential role in uniting global partners to defend against cyber challenges that threaten national security and international events. The partnership highlights the value of voluntary information sharing to build trust and strengthen the protection of critical infrastructure in an evolving threat landscape. For more information about JCDC’s initiatives, visit the JCDC Success Stories webpage and CISA.gov/JCDC.


Citrix Releases Security Updates for NetScaler and Citrix Session Recording

Citrix released security updates to address multiple vulnerabilities in NetScaler ADC, NetScaler Gateway, and Citrix Session Recording. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the following and apply necessary updates:

  • NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-8534 and CVE-2024-8535
  • Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069


Rockwell Automation FactoryTalk View ME

1. EXECUTIVE SUMMARY

  • CVSS v4 7.0
  • ATTENTION: Low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: FactoryTalk View ME
  • Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local low-privileged user to escalate their privileges by changing the macro to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of FactoryTalk Software are affected:

  • FactoryTalk View ME, when using default folder privileges: v14.0 and prior

3.2 Vulnerability Overview

3.2.1 Improper Input Validation CWE-20

A remote code execution vulnerability exists in FactoryTalk View ME. The vulnerability allows users to save projects within the public directory, allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVE-2024-37365 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37365. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has corrected this problem in V15.0.

Rockwell Automation encourages users of the affected software who are not able to upgrade to one of the corrected versions to apply the following risk mitigations where possible.

  • To enhance security and help prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.
  • Add specific users or user groups and assign their permissions to this folder using the least-privilege principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.
  • Guidance can be found in the FactoryTalk View ME v14 Help topic “HMI projects folder settings”. It can be opened through the FactoryTalk View ME Studio menu: Help > Contents > FactoryTalk View ME Help > Create a Machine Edition application > Open applications > HMI project folder settings.
  • Security Best Practices

For more information, see Rockwell Automation’s security advisory.
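As an added example (not code from the advisory, Rockwell Automation or CISA), the following PowerShell audits whether the INTERACTIVE group can write to the HMI projects folder, which is the precondition for the privilege escalation described above, and with -Harden applies the two mitigation steps from the list. The folder path is a placeholder and the group-name parameters are hypothetical; both must be replaced with the values from your own deployment.

```powershell
<#
  Added example; not code from Rockwell Automation, CISA or the advisory.
  Audits the HMI projects folder for the precondition behind CVE-2024-37365
  (the INTERACTIVE group can write to it) and, with -Harden, applies the
  advisory's mitigation: remove INTERACTIVE, grant named groups least privilege.
  ASSUMPTIONS: the folder path is a placeholder and the group names are
  hypothetical; replace both. Run from an elevated PowerShell session.
#>
param(
    [string]   $HmiProjectsFolder  = 'C:\PATH\TO\HMI projects',  # placeholder, not from the advisory
    [string[]] $ReadOnlyPrincipals = @(),   # e.g. 'DOMAIN\HMI-Operators' (hypothetical)
    [string[]] $ModifyPrincipals   = @(),   # e.g. 'DOMAIN\HMI-Engineers' (hypothetical)
    [switch]   $Harden
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $HmiProjectsFolder -PathType Container)) {
    throw "HMI projects folder not found: $HmiProjectsFolder"
}

# Well-known SID of INTERACTIVE, i.e. every locally logged-on user.
$InteractiveSid = 'S-1-5-4'

# Any of these rights lets a local user alter or delete project (macro) files.
$WriteLike = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

# Returns the Allow ACEs that give INTERACTIVE a write-like right on the folder.
function Get-InteractiveWriteAces {
    param([System.Security.AccessControl.DirectorySecurity] $Acl)
    foreach ($ace in $Acl.Access) {
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $InteractiveSid -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band $WriteLike) -ne 0) {
            $ace
        }
    }
}

# --- Audit -------------------------------------------------------------------
$acl  = Get-Acl -LiteralPath $HmiProjectsFolder
$risk = @(Get-InteractiveWriteAces -Acl $acl)
if ($risk.Count -eq 0) {
    Write-Host "OK: INTERACTIVE has no write-like rights on $HmiProjectsFolder"
} else {
    Write-Warning "INTERACTIVE can modify $HmiProjectsFolder (CVE-2024-37365 precondition)"
    $risk | Select-Object FileSystemRights, IsInherited, InheritanceFlags |
        Format-Table -AutoSize | Out-String | Write-Host
}

# --- Harden (mitigation from the advisory) -----------------------------------
if ($Harden -and $risk.Count -gt 0) {
    # Inherited ACEs (typical when the folder sits under a public profile)
    # cannot be removed in place: protect the DACL while preserving copies of
    # the inherited entries, persist, then re-read so they become explicit.
    if ($risk | Where-Object IsInherited) {
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $HmiProjectsFolder -AclObject $acl
        $acl = Get-Acl -LiteralPath $HmiProjectsFolder
    }

    # Step 1: remove every ACE granted to INTERACTIVE.
    $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier] $InteractiveSid)

    # Step 2: least privilege. Read-only users can still run ME Station;
    # only the named engineering group may change project files.
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($p in $ReadOnlyPrincipals) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $p, 'ReadAndExecute', $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    foreach ($p in $ModifyPrincipals) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $p, 'Modify', $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $HmiProjectsFolder -AclObject $acl

    # Verify: re-read the ACL and fail loudly if INTERACTIVE still has write access.
    $left = @(Get-InteractiveWriteAces -Acl (Get-Acl -LiteralPath $HmiProjectsFolder))
    if ($left.Count -ne 0) { throw 'INTERACTIVE still has write-like rights; inspect the ACL manually.' }
    Write-Host "Hardened: INTERACTIVE removed from $HmiProjectsFolder"
}
```

Run it without -Harden first to see which ACEs grant INTERACTIVE write access and whether they are inherited; the hardening path breaks inheritance on that folder only, so other folders under the same parent are unaffected.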
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 12, 2024: Initial Publication


Hitachi Energy TRO600

1. EXECUTIVE SUMMARY

  • CVSS v3 7.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: TRO600 Series
  • Vulnerabilities: Command Injection, Improper Removal of Sensitive Information Before Storage or Transfer

2. RISK EVALUATION

A command injection vulnerability in the Edge Computing UI for the TRO600 series radios allows for the execution of arbitrary system commands. If exploited, an attacker with write access to the web UI can execute commands on the device with root privileges, far more extensively than the write privilege intends. Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Hitachi Energy are affected:

  • Hitachi Energy TRO600 series firmware versions: 9.0.1.0 – 9.2.0.0 (CVE-2024-41156)
  • Hitachi Energy TRO600 series firmware versions: 9.1.0.0 – 9.2.0.0 (CVE-2024-41153)

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

A command injection vulnerability in the Edge Computing UI for the TRO600 series radios allows for the execution of arbitrary system commands. If exploited, an attacker with write access to the web UI can execute commands on the device with root privileges, far more extensive than what the write privilege intends.

CVE-2024-41153 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER REMOVAL OF SENSITIVE INFORMATION BEFORE STORAGE OR TRANSFER CWE-212

Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access.

CVE-2024-41156 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Riley Barello-Myers, Idaho National Lab – CyTRICS, reported these vulnerabilities to Hitachi Energy.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2024-41153) Hitachi Energy TRO600 series firmware versions from 9.1.0.0 to 9.2.0.0 (Edge computing functionality): Update to version 9.2.0.5
  • (CVE-2024-41156) Hitachi Energy TRO600 series firmware versions from 9.0.1.0 to 9.2.0.0 (Configuration utility): Update to version 9.2.0.5

Hitachi Energy has also provided the following security practices and firewall configurations, which can help protect a process control network from attacks that originate from outside the network:

  • Physically protect process control systems from direct access by unauthorized personnel.
  • Do not connect process control systems directly to the Internet.
  • Separate them from other networks by means of a firewall system that has a minimal number of ports exposed.
  • Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails.
  • Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more details, refer to the “Configuration Guide” document for the respective TRO600 series router version.

For more information, see Hitachi Energy’s security advisory 8DBD000147.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 12, 2024: Initial Publication


CISA Releases Five Industrial Control Systems Advisories

CISA released five Industrial Control Systems (ICS) advisories on November 12, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

  • ICSA-24-317-01 Subnet Solutions PowerSYSTEM Center
  • ICSA-24-317-02 Hitachi Energy TRO600
  • ICSA-24-317-03 Rockwell Automation FactoryTalk View ME
  • ICSA-23-306-03 Mitsubishi Electric MELSEC Series (Update A)
  • ICSA-23-136-01 Snap One OvrC Cloud (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.


CISA, FBI, NSA, and International Partners Release Joint Advisory on 2023 Top Routinely Exploited Vulnerabilities

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released a joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.

This advisory supplies details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors and their associated Common Weakness Enumeration(s) (CWE) to help organizations better understand the impact of exploitation. International partners contributing to this advisory include:

  • Australian Signals Directorate’s Australian Cyber Security Centre
  • Canadian Centre for Cyber Security
  • New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team
  • United Kingdom’s National Cyber Security Centre

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory gives vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software, and gives end-user organizations mitigations to apply. Following this guidance will help reduce the risk of compromise by malicious cyber actors.

Vendors and developers are encouraged to take appropriate steps to provide products that protect their customers’ sensitive data. To learn more about secure by design principles and practices, visit CISA’s Secure by Design.
