Category: CISA Alerts

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: MOBOTIX
Equipment: P3 Cameras, Mx6 Cameras
Vulnerability: Improper Neutralization of Expression/Command Delimiters

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated attacker to achieve remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of MOBOTIX are affected:

P3 D24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 Q24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 T24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D14Di: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 S14: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 V14D: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 i25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 c25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 p25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 v25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 Q25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 T25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D15Di: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M15: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M15-Thermal: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 S15: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 V15D: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
Mx6 D16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 M16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 S16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 V16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 D26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 M26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 Q26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 S26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 T26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 c26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 i26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 p26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 v26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF EXPRESSION/COMMAND DELIMITERS CWE-146
The tcpdump feature does not properly validate input, which allows authenticated users to execute code.
CVE-2023-34873 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-34873. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
CISA discovered a public Proof of Concept (PoC) as authored by mrgedik.
BSI reported the vulnerability to MOBOTIX and supported the coordination.
4. MITIGATIONS
MOBOTIX has identified the following specific workarounds and mitigations users can apply to reduce risk:

Update P3 cameras to firmware version MX-V4.7.2.18 or later that includes a fixed version of the vulnerability.
Update Mx6 cameras to firmware version MX-V5.2.0.61 or later that includes a fixed version of the vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

August 22, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: MOBOTIX
Equipment: P3 Cameras, Mx6 Cameras
Vulnerability: Improper Neutralization of Expression/Command Delimiters

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of MOBOTIX are affected:

P3 D24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 Q24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 T24M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D14Di: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 S14: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 V14D: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 i25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 c25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 p25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 v25: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 Q25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 T25M: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 D15Di: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M15: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 M15-Thermal: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 S15: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
P3 V15D: MX-V4.1.4.11, MX-V4.1.4.70, MX-V4.1.6.25, MX-V4.1.6.27, MX-V4.1.9.29, MX-V4.1.10.28, MX-V4.1.10.35, MX-V4.2.1.43, MX-V4.2.1.61, MX-V4.3.0.15, MX-V4.3.2.45, MX-V4.3.2.53, MX-V4.3.2.68, MX-V4.3.2.72, MX-V4.3.2.77, MX-V4.3.4.50, MX-V4.3.4.66, MX-V4.3.4.83, MX-V4.4.0.31, MX-V4.4.0.31.r1, MX-V4.4.1.55, MX-V4.4.1.56, MX-V4.4.2.34, MX-V4.4.2.51.r1, MX-V4.4.2.69, MX-V4.4.2.73
Mx6 D16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 M16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 S16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 V16: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 D26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 M26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 Q26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 S26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 T26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 c26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 i26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 p26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4
Mx6 v26: MX-V5.0.0.127, MX-V5.0.0.130, MX-V5.0.0.133, MX-V5.0.1.53, MX-V5.0.2.14, MX-V5.1.0.99, MX-V5.1.0.99-r3, MX-V5.1.0.99-r4

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF EXPRESSION/COMMAND DELIMITERS CWE-146

The tcpdump feature does not properly validate input, which allows authenticated users to execute code.

CVE-2023-34873 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-34873. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by mrgedik.

BSI reported the vulnerability to MOBOTIX and supported the coordination.

4. MITIGATIONS

MOBOTIX has identified the following specific workarounds and mitigations users can apply to reduce risk:

Update P3 cameras to firmware version MX-V4.7.2.18 or later that includes a fixed version of the vulnerability.
Update Mx6 cameras to firmware version MX-V5.2.0.61 or later that includes a fixed version of the vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 22, 2024: Initial Publication
 Read More

 ​Executive Summary
This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners: 

United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
Canadian Centre for Cyber Security (CCCS).
New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
Singapore Cyber Security Agency (CSA).
The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.
An effective event logging solution aims to:

Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
Support incident response by revealing the scope and extent of a compromise.
Monitor account compliance with organizational policies.
Reduce alert noise, saving on costs associated with storage and query time.
Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
Ensure logs and the logging platforms are useable and performant for analysts.

There are four key factors to consider when pursuing logging best practices:

Enterprise-approved event logging policy.
Centralized event log access and correlation.
Secure storage and event log integrity.
Detection strategy for relevant threats.

To access the PDF version of this report, visit here.
Introduction
The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution. As demonstrated in the joint-sealed publication Identifying and Mitigating Living Off the Land Techniques, advanced persistent threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.
Audience
This guidance is technical in nature and is intended for those within medium to large organizations. As such, it is primarily aimed at:

Senior information technology (IT) and OT decision makers.
IT and OT operators.
Network administrators.
Critical infrastructure providers.

Best Practices
Enterprise-approved Event Logging Policy
Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments. The logging policy should take into consideration any shared responsibilities between service providers and the organization. The policy should also include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection.
Event Log Quality
Organizations are encouraged to implement an event logging policy focused on capturing high-quality cyber security events to aid network defenders in correctly identifying cyber security incidents. In the context of cyber security incident response and threat detection, event log quality refers to the types of events collected rather than how well a log is formatted. Log quality can vary between organizations due to differences in network environments, the reason behind the need to log, differences in critical assets and the organization’s risk appetite. 
Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.
Note: Capturing a large volume of well-formatted logs can be invaluable for incident responders in forensics analysis scenarios. However, organizations are encouraged to properly organize logged data into ‘hot’ data storage that is readily available and searchable, or ‘cold’ data storage that has deprioritized availability and is stored through more economical solutions – an important consideration when evaluating an organization’s log storage capacity.
For more information on how to prioritize collection of high-quality event logs please refer to CISA’s Guidance for Implementing M-21-3: Improving the Federal Government’s Investigative and Remediation Capabilities.[1] 
To strengthen detection of malicious actors employing LOTL techniques, some relevant considerations for event logging include:

On Linux-based systems, logs capturing the use of curl, systemctl, systemd, python and other common LOLBins leveraged by malicious actors.
On Microsoft Windows-based systems, logs capturing the use of wmic.exe, ntdsutil.exe, Netsh, cmd.exe, PowerShell, mshta.exe, rundll32.exe, resvr32.exe and other common LOLBins leveraged by malicious actors. Ensure that logging captures command execution, script block logging and module logging for PowerShell, and detailed tracking of administrative tasks.
For cloud environments, logging all control plane operations, including API calls and end user logins. The control plane logs should be configured to capture read and write activities, administrative changes, and authentication events.

Captured Event Log Details
As a part of an organization’s event logging policy, captured event logs should contain sufficient detail to aid network defenders and incident responders. If a logging solution fails to capture data relevant to security, its effectiveness as a cyber security incident detection capability is heavily impacted.
The US Office of Management and Budget’s M-21-31[2] outlines a good baseline for what an event log should capture, if applicable:

Properly formatted and accurate timestamp (millisecond granularity is ideal).
Event type (status code).
Device identifier (mac address or other unique identifier).
Session/transaction ID.
Autonomous system number.
Source and destination IP (includes both IPv4 and IPv6).
Status code.
Response time.
Additional headers (e.g., HTTP headers).
The user ID, where appropriate.
The command executed, where appropriate.
A unique event identifier to assist with event correlation, where possible.

Note: Where possible, all data should be formatted as ‘key-value-pairs’ to allow for easier extraction.
Operational Technology Considerations
Network administrators and network operators should take into consideration the OT devices within their OT networks. Most OT devices use embedded software that is memory and/or processor constrained. An excessive level of logging could adversely affect the operation of those OT devices. Additionally, such OT devices may not be capable of generating detailed logs, in which case, sensors can be used to supplement logging capabilities. Out-of-band log communications, or generating logs based on error codes and the payloads of existing communications, can account for embedded devices with limited logging capabilities.
Additional Resources

ASD’s ACSC Information Security Manual (ISM) provides event log details to record in the Guidelines for System Monitoring.
CISA’s Guidance for Implementing M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities details another approach to prioritizing log collection and is aimed at US federal civilian executive branch organizations.
NIST has outlined OT considerations for event logging in their Guide to Operational Technology (OT) Security.
For examples of detection uses cases, consider visiting the MITRE ATT&CK® list of data sources.

Content and Format Consistency
When centralizing event logs, organizations should consider using a structured log format, such as JSON, where each type of log captures and presents content consistently (that is, consistent schema, format, and order). This is particularly important when event logs have been forwarded to a central storage facility as this improves a network defender’s ability to search for, filter and correlate event logs. Since logs may vary in structure (or lack thereof), implementing a method of automated log normalization is recommended. This is an important consideration for logs that can change over time or without notice such as software and software-as-a-service (SaaS) logs.
Timestamp Consistency
Organizations should consider establishing an accurate and trustworthy time source and use this consistently across all systems to assist network defenders in identifying connections between event logs. This should also include using the same date-time format across all systems. Where possible, organizations should use multiple accurate time sources in case the primary time source becomes degraded or unavailable. Note that, particularly in distributed systems, time zones and distance can influence how timestamps read in relation to each other. Network owners, system owners and cyber security incident responders are encouraged to understand how this could impact their own environments. ASD and co-authors urge organizations to consider implementing the recommendations below to help ensure consistent timestamp collection.

Time servers should be synchronized and validated throughout all environments and set to capture significant events, such as device boots and reboots.
Using Coordinated Universal Time (UTC) has the advantage of no time zones as well as no daylight savings, and is the preferred time standard.

Implement ISO 8601 formatting, with the year listed first, followed by the month, day, hour, minutes, seconds, and milliseconds (e.g., 2024-07-25T20:54:59.649Z).

Timesharing should be unidirectional. The OT environment should synchronize time sync with the IT environment and not the other way around.
Data historians may be implemented on some operational assets to record and store time-series data of industrial processes running on the computer system. These can provide an additional source of event log data for OT networks.

Additional Resources

ASD has released Windows Event Logging and Forwarding guidance that details important event categories and recommendations for configurations, log retention periods and event forwarding.
For more information about logging, please explore CISA’s Logging Made Easy (LME), a no-cost solution providing essential log management for small to medium-sized organizations, on CISA’s website or GitHub page.
The Joint SIGINT Cyber Unit (JSCU) of the AIVD and MIVD has published a repository on GitHub with a Microsoft Windows event logging and collections baseline focused on finding balance between forensic value and optimizing retention. You can find this repository on the JSCU’s GitHub.

Event Log Retention
Organizations should ensure they retain logs for long enough to support cyber security incident investigations. Default log retention periods are often insufficient. Log retention periods should be informed by an assessment of the risks to a given system. When assessing the risks to a system, consider that in some cases, it can take up to 18 months to discover a cyber security incident and some malware can dwell on the network from 70 to 200 days before causing overt harm.[3] Log retention periods should also be compliant with any regulatory requirements and cyber security frameworks that may apply in an organization’s jurisdiction. Logs that are crucial in confirming an intrusion and its impact should be prioritized for longer retention. 
It is important to review log storage allocations, in parallel with retention periods. Insufficient storage is a common obstacle to log retention. For example, many systems will overwrite old logs when their storage allocation is exhausted. The longer that logs can be kept, the higher the chances are of determining the extent of a cyber security incident, including the potential intrusion vectors that require remediation. For effective security logging practices, organizations should implement data tiering such as hot and cold storage. This ensures that logs can be promptly retrieved to facilitate querying and threat detection.
Centralized Log Collection and Correlation
The following sections detail prioritized lists of log sources for enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices. The prioritization takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised. It also prioritizes log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organizations.
Logging Priorities for Enterprise Networks
Enterprise networks face a large variety of cyber threats. These include malware, malicious insiders, and exploitation of unpatched applications and services. In the context of LOTL, enterprise networks provide malicious actors with a wide variety of native tools to exploit.
ASD and co-authors recommend that organizations prioritize the following log sources within their enterprise network:

Critical systems and data holdings likely to be targeted.
Internet-facing services, including remote access, network metadata, and their underlying server operating system.
Identity and domain management servers.
Any other critical servers.
Edge devices such as boundary routers and firewalls.
Administrative workstations.
Highly privileged systems such as configuration management, performance and availability monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery (CI/CD), vulnerability scanning services, secret and privilege management.
Data repositories.
Security-related and critical software.
User computers.
User application logs.
Web proxies used by organizational users and service accounts.
DNS services used by organizational users.
Email servers.
DHCP servers.
Legacy IT assets (that are not previously captured in critical or internet-facing services).

ASD and co-authors recommend organizations monitor lower priority logs as well. These include:

Underlying infrastructure, such as hypervisor hosts.
IT devices, such as printers.
Network components such as application gateways.

Logging Priorities for Operational Technology
Historically, IT and OT have operated separately and have provided distinct functions within organizations. Advancements in technology and digital transformation have led to the growing interconnectedness and convergence of these networks. Organizations are integrating IT and OT networks to enable the seamless flow of data between management systems and industrial operations. Their integration has introduced new cyber threats to OT networks. For example, malicious actors can access OT networks through IT networks by exploiting unpatched vulnerabilities, delivering malware, or conducting denial-of-service campaigns to impact critical services. 
ASD and co-authors recommend that organizations prioritize the following log sources in their OT environment:

OT devices critical to safety and service delivery, except for air-gapped systems.[4]
Internet-facing OT devices.
OT devices accessible via network boundaries.

Note that in cases where OT devices do not support logging, device logs are not available, or are available in a non-standard format, it is good practice to ensure network traffic and communications to and from the OT devices are logged.
Logging Priorities for Enterprise Mobility Using Mobile Computing Devices
Enterprise mobility is an important aspect of an organization’s security posture. Mobile device management (MDM) solutions allow organizations to manage the security of their enterprise mobility, typically including logging functionality. In the context of enterprise mobility, the aim of effective event logging is to detect compromised accounts or devices; for example, due to phishing or interactions with malicious applications and websites.
ASD and co-authors recommend organizations priorities the following log sources in their enterprise mobility solution:

Web proxies used by organizational users.
Organization operated DNS services.
Device security posture of organizationally managed devices.
Device behavior of organizationally managed devices.
User account behavior such as sign-ins.
VPN solutions.
MDM and Mobile Application Management (MAM) events.[5]

Additional monitoring should be implemented in collaboration with the telecommunications network provider. Such monitoring includes:

Signaling exploitation.
Binary/invisible SMS.
CLI spoofing.
SIM/eSIM activities such as SIM swapping.
Null cipher downgrade.
Connection downgrade (false base station).
Network API/query against user.
Roaming traffic protection.
Roaming steering.

Organizations should obtain legal advice about what can be logged from any personally owned mobile devices that are enrolled in an MDM solution. For example, logging GPS location may be subject to restrictions.
Logging Priorities for Cloud Computing
ASD and co-authors recommend organizations adjust event logging practices in accordance with the cloud service that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS are implemented.  For example, IaaS would include a significant amount of logging responsibility on the tenant, whereas SaaS would place a significant amount of the logging responsibility on the provider. Therefore, organizations should coordinate closely with their cloud service provider to understand the shared-responsibility model in place, as it will influence their logging priorities. Logging priorities will also be influenced by different cloud computing service models and deployment models (that is, public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure. See NSA’s Manage Cloud Logs for Effective Threat Hunting guidance for additional information.
Organizations should prioritize the following log sources in their use of cloud computing services:

Critical systems and data holdings likely to be targeted.
Internet-facing services (including remote access) and, where applicable, their underlying server operating systems.
Use of the tenant’s user accounts that access and administer cloud services.
Logs for administrative configuration changes.
Logs for the creation, deletion and modification of all security principals, including setting and changing permissions.
Authentication success and/or failures to third party services (e.g., SAML/OAuth).
Logs generated by the cloud services, including logs for cloud APIs, all network-related events, compliance events and billing events.

Secure Storage and Event Log Integrity
ASD and co-authors recommend that organizations implement a centralized event logging facility such as a secured data lake to enable log aggregation and then forward select, processed logs to analytic tools, such as security information and event management (SIEM) solution and extended detection and response (XDR) solutions. Many commercially available network infrastructure devices have limited local storage. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted [CPG 2.U]. This can be further mitigated by ensuring default maximum event log storage sizes are configured appropriately on local devices. In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities. 
Secure Transport and Storage of Event Logs
ASD and co-authors recommend that organizations implement secure mechanisms such as Transport Layer Security (TLS) 1.3 and methods of cryptographic verification to ensure the integrity of event logs in-transit and at rest. Organizations should prioritize securing and restricting access to event logs that have a justified requirement to record sensitive data.
Protecting Event Logs from Unauthorized Access, Modification and Deletion
It is important to perform event log aggregation as some malicious actors are known to modify or delete local system event logs to avoid detection and to delay or degrade the efficacy of cyber security incident response. Logs may contain sensitive data that is useful to a malicious actor. As a result, users should only have access to the event logs they need to do their job.
An event logging facility should enable the protection of logs from unauthorized modification and deletion. Ensure that only personnel with a justified requirement have permission to delete or modify event logs and view the audit logs for access to the centralized logging environment.  The storage of logs should be in a separate or segmented network with additional security controls to reduce the risk of logs being tampered with in the event of network or system compromise. Events logs should also be backed up and data redundancy practices should be implemented.
Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.  Organizations should consider filtering event logs before sending them to a SIEM or XDR to ensure it is receiving the most valuable logs to minimize any additional costs or capacity issues.
Centralized Event Logging Enables Threat Detection
The aggregation of event logs to a central logging facility that a SIEM can draw from enables the identification of: 

Deviations from a baseline.

A baseline should include installed tools and software, user account behavior, network traffic, system intercommunications and other items, as applicable. Particular attention should be paid to privileged user accounts and critical assets such as domain controllers.
A baseline is derived by performing an analysis of normal behavior of some user accounts and establishing ‘always abnormal’ conditions for those same accounts.

Cyber security events.

For the purpose of this document, a cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Cyber security incidents.

For the purpose of this document, a cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.

Timely Ingestion
Timely ingestion of event logs is important in the early detection of a cyber security events and cyber security incidents. If the generation, collection and ingestion of event logs is delayed, the organization’s ability to identify cyber security incidents is also delayed.
Detection Strategy for Relevant Threats
Detecting Living Off the Land Techniques
ASD and co-authors recommend that organizations consider implementing user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. SIEMs can detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity. Behavioral analytics plays a key role in detecting malicious actors employing LOTL techniques. Below is a case study that shows how threat actors leveraged LOTL to infiltrate Windows-based systems.

Case study – Volt Typhoon
Since mid-2021, Volt Typhoon has targeted critical infrastructure organizations by relying almost exclusively on LOTL techniques. Their campaign has been enabled by privately-owned SOHO routers, infected with the ‘KV Botnet’ malware. 
Volt Typhoon uses PowerShell, a command and scripting interpreter, to:

Discover remote systems [T1059.001, T1018].
Identify associated user and computer account names using the command Get-EventLog security –instanceid 4624 [T1033].
Enumerate event logs to search for successful logons using wevtutil.exe and the command Get-EventLog Security [T1654].

Volt Typhoon consistently obtains valid credentials by extracting the Active Directory database file NTDS.dit.[6] To do so, Volt Typhoon has been observed to:

Execute the Windows-native vsssadmin command to create a volume shadow copy [T1006].
Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil.exe to copy NTDS.dit and the SYSTEM registry from the volume shadow copy.
Move laterally to the Microsoft Active Directory Domain Services (AD DS) domain controller via an interactive RDP session using a compromised user account with domain administrator privileges [T1021.001].

Other LOTL techniques that Volt Typhoon has been observed to use includes:

Accessing hashed credentials from the Local Security Authority SubSystem Service (LSASS) process memory space [T1003.001].
Using ntdsutil.exe to create installation media from Microsoft AD DS domain controllers, either remote or locally, which contain username and password hashes [T1003.003].
Using PowerShell, WMIC, and the ping command, to facilitate system discovery [T1018].
Using the built-in netsh portproxy command to create proxies on compromised systems to facilitate access [T1090].

While Volt Typhoon uses LOTL techniques to make detection more difficult, the behaviors that the malware exhibits would be considered abnormal compared to business-as-usual activity and could be used to create detection use cases.
For more information, consider visiting MITRE ATT&CK®’s Volt Typhoon page and the MITRE ATT&CK framework.

Examples of anomalous behavior can include:

A user logging in during unusual hours (e.g. non-working hours, holidays or on leave).
An account accessing services that it does not usually access; for example, administrator or HR services.
A user logging in using an unusual device.
A high volume of access attempts.
Instances of impossible travel[7] or concurrent sign-ins from multiple geographic locations.
Downloading or exporting a large volume of data.[8]
Network logins without defined computer access or physical access log validation.
A single IP address attempting to authenticate as multiple different users.
The creation of user accounts, or disabled accounts being re-enabled, especially accounts with administrative privileges.
Netflow data indicating one device talking to other internal devices it normally does not connect to.
Unusual script execution, software installation, or use of administrative tools.
Unexpected clearing of logs.
An execution of the process from an unusual or suspicious path.
Configuration changes to security software, such as Windows Defender, and logging management software.

Note that the above items could be legitimate behavior and not malicious activity. In these instances, further investigation by a network defender is required to determine if they are, in fact, evidence of a cyber security event.
To detect threats on endpoints such as user devices, organizations should consider implementing an endpoint detection and response solution. These solutions enable an organization to monitor malicious activity, such as malicious actors disabling security monitoring services, and process creation events with enhanced detail and fidelity.
By following the guidance in this publication to improve the collection and centralization of event logs, it will improve an organization’s ability to undertake effective threat hunting to proactively investigate LOTL compromises. Organizations should consider conducting threat hunting on their networks as a proactive measure to detect cyber security incidents. This is a particularly effective activity for detecting malicious actors employing LOTL techniques.
Organizations may also consider the following methods to increase the effectiveness of detecting potential LOTL techniques:
Cloud Considerations
The joint-sealed publication Identifying and Mitigating Living Off the Land Techniques contains detailed detection guidance for cloud environments. One point states that if machine learning-powered detection capabilities are available within cloud provider security services, organizations should consider leveraging these capabilities and provide log data in real time from multiple sources to enhance log analysis. Using machine learning allows for the detection of anomalous behaviors that may indicate malicious activity. These include irregular API call patterns (especially those that involve changes to security groups, configuration of cloud resources or access to sensitive data), unusual cloud storage access and atypical network traffic.
Operational Technology Considerations
Effective detection in an OT environment typically involves expertise from both IT and OT personnel; thus, an effective network security instrumentation involves collaborative efforts from both parties. This collaborative approach helps ensure that network defenders can quickly investigate relevant issues, and OT experts can raise operational concerns that may be tied to a cyber security incident. Furthermore, network defenders should leverage real-time alerts to determine any abnormal activity on an OT network. These alerts can include safety data, availability data, logins, failed logins[9], configuration changes, and network access and traffic. Organizations may need to consider whether alerts for OT environments should be approached differently. For example, OT devices may be in remote or hard-to-reach locations. 
For detecting anomalous behavior in OT environments, look for:

Unexpected use of engineering and configuration tools.
Abnormal use of vendor or third-party accesses, maintenance methods, or remote monitoring.
Unauthorized updates or changes to operating systems, software, firmware, configurations, or databases.
Unexpected communication between the control system and external network or unusual communication between components that do not usually communicate.

Execution of scripts that are not part of regular operations.
Intrusion detection and intrusion prevention systems (IDS/IPS) are often designed with rules based on IT protocols; therefore, they may be more useful in OT operation systems or the OT demilitarized zone (DMZ) than in supervisory and process areas. Note, it is not recommended to deploy an IPS unless it is tailored to the OT environment, or is outside of critical process control. IPS risk interrupting critical OT devices.
Additional Guidance
For further guidance, consider visiting: 

Joint-sealed Identifying and Mitigating Living off the Land Techniques
ASD ACSC’s Windows Event Logging and Forwarding
CISA’s Guidance for Implementing M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities
CISA’s SCuBA TRA and eVRF Guidance Documents
NSA’s Cyber Event Forwarding Guidance
NCSC-UK’s What exactly should we be logging?
NIST’s SP 800-92 Rev. 1, Cybersecurity Log Management Planning Guide
NIST’s Guide to Operational Technology (OT) Security
US White House’s M-21-31
Malcolm | A powerful, easily deployable network traffic analysis tool suite
MITRE ATT&CK®’s Data Sources

Footnotes
[1] While the audience for the cited guidance is U.S. Federal Civilian Executive Branch agencies, it may provide useful guidance to all entities regarding logging best practices.[2] While only binding on U.S. Federal information systems, excluding national security systems, this memorandum may provide useful guidance to all entities regarding logging best practices.[3] CISA’s “First 48”: What to Expect When a Cyber Incident Occurs[4] The prioritized list focuses on logs that enable the detection of a malicious actor operating remotely. In this context, collecting logs from an air-gapped system is not a high priority unless malicious insiders are a concern.[5] MDM and MAM events are likely to be server-sent events, but they may also be generated by software deployed to the mobile device.[6] NTDS.dit contains usernames, hashed passwords, and group memberships for all domain accounts, allowing for full domain compromise if the hashes can be cracked offline.[7] Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins).[8] Large/continuous data exports should be alerted by default.[9] Note that not all successful authentication events will be benign (e.g., credential theft or malicious insiders).
Disclaimer
The material in this guide is of a general nature and should not be regarded as legal advice or relied on for assistance in any particular circumstance or emergency situation. In any important matter, you should seek appropriate independent professional advice in relation to your own circumstances.
CISA and the Commonwealth of Australia accept no responsibility or liability for any damage, loss or expense incurred as a result of the reliance on information contained in this guide.
Copyright
© Commonwealth of Australia 2024.
All material presented in this publication is provided under a Creative Commons (CC) Attribution 4.0 International license.
For the avoidance of doubt, this means this license only applies to material as set out in this document.
The details of the relevant license conditions are available on the Creative Commons website as is the full legal code for the CC BY 4.0 license. 

Executive Summary

This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners: 

United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
Canadian Centre for Cyber Security (CCCS).
New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
Singapore Cyber Security Agency (CSA).
The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.

An effective event logging solution aims to:

Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
Support incident response by revealing the scope and extent of a compromise.
Monitor account compliance with organizational policies.
Reduce alert noise, saving on costs associated with storage and query time.
Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
Ensure logs and the logging platforms are useable and performant for analysts.

There are four key factors to consider when pursuing logging best practices:

Enterprise-approved event logging policy.
Centralized event log access and correlation.
Secure storage and event log integrity.
Detection strategy for relevant threats.

To access the PDF version of this report, visit here.

Introduction

The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution. As demonstrated in the joint-sealed publication Identifying and Mitigating Living Off the Land Techniques, advanced persistent threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.

Audience

This guidance is technical in nature and is intended for those within medium to large organizations. As such, it is primarily aimed at:

Senior information technology (IT) and OT decision makers.
IT and OT operators.
Network administrators.
Critical infrastructure providers.

Best Practices

Enterprise-approved Event Logging Policy

Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments. The logging policy should take into consideration any shared responsibilities between service providers and the organization. The policy should also include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection.

Event Log Quality

Organizations are encouraged to implement an event logging policy focused on capturing high-quality cyber security events to aid network defenders in correctly identifying cyber security incidents. In the context of cyber security incident response and threat detection, event log quality refers to the types of events collected rather than how well a log is formatted. Log quality can vary between organizations due to differences in network environments, the reason behind the need to log, differences in critical assets and the organization’s risk appetite. 

Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.

Note: Capturing a large volume of well-formatted logs can be invaluable for incident responders in forensics analysis scenarios. However, organizations are encouraged to properly organize logged data into ‘hot’ data storage that is readily available and searchable, or ‘cold’ data storage that has deprioritized availability and is stored through more economical solutions – an important consideration when evaluating an organization’s log storage capacity.

For more information on how to prioritize collection of high-quality event logs please refer to CISA’s Guidance for Implementing M-21-3: Improving the Federal Government’s Investigative and Remediation Capabilities.[1] 

To strengthen detection of malicious actors employing LOTL techniques, some relevant considerations for event logging include:

On Linux-based systems, logs capturing the use of curl, systemctl, systemd, python and other common LOLBins leveraged by malicious actors.
On Microsoft Windows-based systems, logs capturing the use of wmic.exe, ntdsutil.exe, Netsh, cmd.exe, PowerShell, mshta.exe, rundll32.exe, resvr32.exe and other common LOLBins leveraged by malicious actors. Ensure that logging captures command execution, script block logging and module logging for PowerShell, and detailed tracking of administrative tasks.
For cloud environments, logging all control plane operations, including API calls and end user logins. The control plane logs should be configured to capture read and write activities, administrative changes, and authentication events.

Captured Event Log Details

As a part of an organization’s event logging policy, captured event logs should contain sufficient detail to aid network defenders and incident responders. If a logging solution fails to capture data relevant to security, its effectiveness as a cyber security incident detection capability is heavily impacted.

The US Office of Management and Budget’s M-21-31[2] outlines a good baseline for what an event log should capture, if applicable:

Properly formatted and accurate timestamp (millisecond granularity is ideal).
Event type (status code).
Device identifier (mac address or other unique identifier).
Session/transaction ID.
Autonomous system number.
Source and destination IP (includes both IPv4 and IPv6).
Status code.
Response time.
Additional headers (e.g., HTTP headers).
The user ID, where appropriate.
The command executed, where appropriate.
A unique event identifier to assist with event correlation, where possible.

Note: Where possible, all data should be formatted as ‘key-value-pairs’ to allow for easier extraction.

Operational Technology Considerations

Network administrators and network operators should take into consideration the OT devices within their OT networks. Most OT devices use embedded software that is memory and/or processor constrained. An excessive level of logging could adversely affect the operation of those OT devices. Additionally, such OT devices may not be capable of generating detailed logs, in which case, sensors can be used to supplement logging capabilities. Out-of-band log communications, or generating logs based on error codes and the payloads of existing communications, can account for embedded devices with limited logging capabilities.

Additional Resources

ASD’s ACSC Information Security Manual (ISM) provides event log details to record in the Guidelines for System Monitoring.
CISA’s Guidance for Implementing M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities details another approach to prioritizing log collection and is aimed at US federal civilian executive branch organizations.
NIST has outlined OT considerations for event logging in their Guide to Operational Technology (OT) Security.
For examples of detection uses cases, consider visiting the MITRE ATT&CK® list of data sources.

Content and Format Consistency

When centralizing event logs, organizations should consider using a structured log format, such as JSON, where each type of log captures and presents content consistently (that is, consistent schema, format, and order). This is particularly important when event logs have been forwarded to a central storage facility as this improves a network defender’s ability to search for, filter and correlate event logs. Since logs may vary in structure (or lack thereof), implementing a method of automated log normalization is recommended. This is an important consideration for logs that can change over time or without notice such as software and software-as-a-service (SaaS) logs.

Timestamp Consistency

Organizations should consider establishing an accurate and trustworthy time source and use this consistently across all systems to assist network defenders in identifying connections between event logs. This should also include using the same date-time format across all systems. Where possible, organizations should use multiple accurate time sources in case the primary time source becomes degraded or unavailable. Note that, particularly in distributed systems, time zones and distance can influence how timestamps read in relation to each other. Network owners, system owners and cyber security incident responders are encouraged to understand how this could impact their own environments. ASD and co-authors urge organizations to consider implementing the recommendations below to help ensure consistent timestamp collection.

Time servers should be synchronized and validated throughout all environments and set to capture significant events, such as device boots and reboots.
Using Coordinated Universal Time (UTC) has the advantage of no time zones as well as no daylight savings, and is the preferred time standard.

Implement ISO 8601 formatting, with the year listed first, followed by the month, day, hour, minutes, seconds, and milliseconds (e.g., 2024-07-25T20:54:59.649Z).

Timesharing should be unidirectional. The OT environment should synchronize time sync with the IT environment and not the other way around.
Data historians may be implemented on some operational assets to record and store time-series data of industrial processes running on the computer system. These can provide an additional source of event log data for OT networks.

Additional Resources

ASD has released Windows Event Logging and Forwarding guidance that details important event categories and recommendations for configurations, log retention periods and event forwarding.
For more information about logging, please explore CISA’s Logging Made Easy (LME), a no-cost solution providing essential log management for small to medium-sized organizations, on CISA’s website or GitHub page.
The Joint SIGINT Cyber Unit (JSCU) of the AIVD and MIVD has published a repository on GitHub with a Microsoft Windows event logging and collections baseline focused on finding balance between forensic value and optimizing retention. You can find this repository on the JSCU’s GitHub.

Event Log Retention

Organizations should ensure they retain logs for long enough to support cyber security incident investigations. Default log retention periods are often insufficient. Log retention periods should be informed by an assessment of the risks to a given system. When assessing the risks to a system, consider that in some cases, it can take up to 18 months to discover a cyber security incident and some malware can dwell on the network from 70 to 200 days before causing overt harm.[3] Log retention periods should also be compliant with any regulatory requirements and cyber security frameworks that may apply in an organization’s jurisdiction. Logs that are crucial in confirming an intrusion and its impact should be prioritized for longer retention. 

It is important to review log storage allocations, in parallel with retention periods. Insufficient storage is a common obstacle to log retention. For example, many systems will overwrite old logs when their storage allocation is exhausted. The longer that logs can be kept, the higher the chances are of determining the extent of a cyber security incident, including the potential intrusion vectors that require remediation. For effective security logging practices, organizations should implement data tiering such as hot and cold storage. This ensures that logs can be promptly retrieved to facilitate querying and threat detection.

Centralized Log Collection and Correlation

The following sections detail prioritized lists of log sources for enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices. The prioritization takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised. It also prioritizes log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organizations.

Logging Priorities for Enterprise Networks

Enterprise networks face a large variety of cyber threats. These include malware, malicious insiders, and exploitation of unpatched applications and services. In the context of LOTL, enterprise networks provide malicious actors with a wide variety of native tools to exploit.

ASD and co-authors recommend that organizations prioritize the following log sources within their enterprise network:

Critical systems and data holdings likely to be targeted.
Internet-facing services, including remote access, network metadata, and their underlying server operating system.
Identity and domain management servers.
Any other critical servers.
Edge devices such as boundary routers and firewalls.
Administrative workstations.
Highly privileged systems such as configuration management, performance and availability monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery (CI/CD), vulnerability scanning services, secret and privilege management.
Data repositories.
Security-related and critical software.
User computers.
User application logs.
Web proxies used by organizational users and service accounts.
DNS services used by organizational users.
Email servers.
DHCP servers.
Legacy IT assets (that are not previously captured in critical or internet-facing services).

ASD and co-authors recommend organizations monitor lower priority logs as well. These include:

Underlying infrastructure, such as hypervisor hosts.
IT devices, such as printers.
Network components such as application gateways.

Logging Priorities for Operational Technology

Historically, IT and OT have operated separately and have provided distinct functions within organizations. Advancements in technology and digital transformation have led to the growing interconnectedness and convergence of these networks. Organizations are integrating IT and OT networks to enable the seamless flow of data between management systems and industrial operations. Their integration has introduced new cyber threats to OT networks. For example, malicious actors can access OT networks through IT networks by exploiting unpatched vulnerabilities, delivering malware, or conducting denial-of-service campaigns to impact critical services. 

ASD and co-authors recommend that organizations prioritize the following log sources in their OT environment:

OT devices critical to safety and service delivery, except for air-gapped systems.[4]
Internet-facing OT devices.
OT devices accessible via network boundaries.

Note that in cases where OT devices do not support logging, device logs are not available, or are available in a non-standard format, it is good practice to ensure network traffic and communications to and from the OT devices are logged.

Logging Priorities for Enterprise Mobility Using Mobile Computing Devices

Enterprise mobility is an important aspect of an organization’s security posture. Mobile device management (MDM) solutions allow organizations to manage the security of their enterprise mobility, typically including logging functionality. In the context of enterprise mobility, the aim of effective event logging is to detect compromised accounts or devices; for example, due to phishing or interactions with malicious applications and websites.

ASD and co-authors recommend organizations priorities the following log sources in their enterprise mobility solution:

Web proxies used by organizational users.
Organization operated DNS services.
Device security posture of organizationally managed devices.
Device behavior of organizationally managed devices.
User account behavior such as sign-ins.
VPN solutions.
MDM and Mobile Application Management (MAM) events.[5]

Additional monitoring should be implemented in collaboration with the telecommunications network provider. Such monitoring includes:

Signaling exploitation.
Binary/invisible SMS.
CLI spoofing.
SIM/eSIM activities such as SIM swapping.
Null cipher downgrade.
Connection downgrade (false base station).
Network API/query against user.
Roaming traffic protection.
Roaming steering.

Organizations should obtain legal advice about what can be logged from any personally owned mobile devices that are enrolled in an MDM solution. For example, logging GPS location may be subject to restrictions.

Logging Priorities for Cloud Computing

ASD and co-authors recommend organizations adjust event logging practices in accordance with the cloud service that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS are implemented.  For example, IaaS would include a significant amount of logging responsibility on the tenant, whereas SaaS would place a significant amount of the logging responsibility on the provider. Therefore, organizations should coordinate closely with their cloud service provider to understand the shared-responsibility model in place, as it will influence their logging priorities. Logging priorities will also be influenced by different cloud computing service models and deployment models (that is, public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure. See NSA’s Manage Cloud Logs for Effective Threat Hunting guidance for additional information.

Organizations should prioritize the following log sources in their use of cloud computing services:

Critical systems and data holdings likely to be targeted.
Internet-facing services (including remote access) and, where applicable, their underlying server operating systems.
Use of the tenant’s user accounts that access and administer cloud services.
Logs for administrative configuration changes.
Logs for the creation, deletion and modification of all security principals, including setting and changing permissions.
Authentication success and/or failures to third party services (e.g., SAML/OAuth).
Logs generated by the cloud services, including logs for cloud APIs, all network-related events, compliance events and billing events.

Secure Storage and Event Log Integrity

ASD and co-authors recommend that organizations implement a centralized event logging facility such as a secured data lake to enable log aggregation and then forward select, processed logs to analytic tools, such as security information and event management (SIEM) solution and extended detection and response (XDR) solutions. Many commercially available network infrastructure devices have limited local storage. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted [CPG 2.U]. This can be further mitigated by ensuring default maximum event log storage sizes are configured appropriately on local devices. In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities. 

Secure Transport and Storage of Event Logs

ASD and co-authors recommend that organizations implement secure mechanisms such as Transport Layer Security (TLS) 1.3 and methods of cryptographic verification to ensure the integrity of event logs in-transit and at rest. Organizations should prioritize securing and restricting access to event logs that have a justified requirement to record sensitive data.

Protecting Event Logs from Unauthorized Access, Modification and Deletion

It is important to perform event log aggregation as some malicious actors are known to modify or delete local system event logs to avoid detection and to delay or degrade the efficacy of cyber security incident response. Logs may contain sensitive data that is useful to a malicious actor. As a result, users should only have access to the event logs they need to do their job.

An event logging facility should enable the protection of logs from unauthorized modification and deletion. Ensure that only personnel with a justified requirement have permission to delete or modify event logs and view the audit logs for access to the centralized logging environment.  The storage of logs should be in a separate or segmented network with additional security controls to reduce the risk of logs being tampered with in the event of network or system compromise. Events logs should also be backed up and data redundancy practices should be implemented.

Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.  Organizations should consider filtering event logs before sending them to a SIEM or XDR to ensure it is receiving the most valuable logs to minimize any additional costs or capacity issues.

Centralized Event Logging Enables Threat Detection

The aggregation of event logs to a central logging facility that a SIEM can draw from enables the identification of: 

Deviations from a baseline.

A baseline should include installed tools and software, user account behavior, network traffic, system intercommunications and other items, as applicable. Particular attention should be paid to privileged user accounts and critical assets such as domain controllers.
A baseline is derived by performing an analysis of normal behavior of some user accounts and establishing ‘always abnormal’ conditions for those same accounts.

Cyber security events.

For the purpose of this document, a cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Cyber security incidents.

For the purpose of this document, a cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.

Timely Ingestion

Timely ingestion of event logs is important in the early detection of a cyber security events and cyber security incidents. If the generation, collection and ingestion of event logs is delayed, the organization’s ability to identify cyber security incidents is also delayed.

Detection Strategy for Relevant Threats

Detecting Living Off the Land Techniques

ASD and co-authors recommend that organizations consider implementing user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. SIEMs can detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity. Behavioral analytics plays a key role in detecting malicious actors employing LOTL techniques. Below is a case study that shows how threat actors leveraged LOTL to infiltrate Windows-based systems.

Case study – Volt Typhoon

Since mid-2021, Volt Typhoon has targeted critical infrastructure organizations by relying almost exclusively on LOTL techniques. Their campaign has been enabled by privately-owned SOHO routers, infected with the ‘KV Botnet’ malware. 

Volt Typhoon uses PowerShell, a command and scripting interpreter, to:

Discover remote systems [T1059.001, T1018].
Identify associated user and computer account names using the command 
Get-EventLog security –instanceid 4624 [T1033].
Enumerate event logs to search for successful logons using wevtutil.exe and the command Get-EventLog Security [T1654].

Volt Typhoon consistently obtains valid credentials by extracting the Active Directory database file NTDS.dit.[6] 
To do so, Volt Typhoon has been observed to:

Execute the Windows-native vsssadmin command to create a volume shadow copy [T1006].
Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil.exe to copy NTDS.dit and the SYSTEM registry from the volume shadow copy.
Move laterally to the Microsoft Active Directory Domain Services (AD DS) domain controller via an interactive RDP session using a compromised user account with domain administrator privileges [T1021.001].

Other LOTL techniques that Volt Typhoon has been observed to use includes:

Accessing hashed credentials from the Local Security Authority SubSystem Service (LSASS) process memory space [T1003.001].
Using ntdsutil.exe to create installation media from Microsoft AD DS domain controllers, either remote or locally, which contain username and password hashes [T1003.003].
Using PowerShell, WMIC, and the ping command, to facilitate system discovery [T1018].
Using the built-in netsh portproxy command to create proxies on compromised systems to facilitate access [T1090].

While Volt Typhoon uses LOTL techniques to make detection more difficult, the behaviors that the malware exhibits would be considered abnormal compared to business-as-usual activity and could be used to create detection use cases.

For more information, consider visiting MITRE ATT&CK®’s Volt Typhoon page and the MITRE ATT&CK framework.

 Read More

 ​Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), CISA, FBI, NSA, and international partners are releasing Best Practices for Event Logging and Threat Detection. This guide will assist organizations in defining a baseline for event logging to mitigate malicious cyber threats.
The increased prevalence of malicious actors employing living off the land (LOTL) techniques, such as living off the land binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging program.
 CISA encourages public and private sector senior information technology (IT) decision makers, operational technology (OT) operators, network administrators, network operators, and critical infrastructure organizations to review the best practices in the guide and implement recommended actions. These actions can help detect malicious activity, behavioral anomalies, and compromised networks, devices, or accounts.
For more information on LOTL techniques, see joint guidance Identifying and Mitigating Living Off the Land Techniques and CISA’s Secure by Design Alert Series.
For more information and guidance on event logging and threat detection, see CISA’s Secure Cloud Business Applications (SCuBA) products, network traffic analysis tool Malcom, and Logging Made Easy. 

Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), CISA, FBI, NSA, and international partners are releasing Best Practices for Event Logging and Threat Detection. This guide will assist organizations in defining a baseline for event logging to mitigate malicious cyber threats.

The increased prevalence of malicious actors employing living off the land (LOTL) techniques, such as living off the land binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging program.

 CISA encourages public and private sector senior information technology (IT) decision makers, operational technology (OT) operators, network administrators, network operators, and critical infrastructure organizations to review the best practices in the guide and implement recommended actions. These actions can help detect malicious activity, behavioral anomalies, and compromised networks, devices, or accounts.

For more information on LOTL techniques, see joint guidance Identifying and Mitigating Living Off the Land Techniques and CISA’s Secure by Design Alert Series.

For more information and guidance on event logging and threat detection, see CISA’s Secure Cloud Business Applications (SCuBA) products, network traffic analysis tool Malcom, and Logging Made Easy.

 Read More

 ​CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2021-33044 Dahua IP Camera Authentication Bypass Vulnerability
CVE-2021-33045 Dahua IP Camera Authentication Bypass Vulnerability
CVE-2022-0185 Linux Kernel Heap-Based Buffer Overflow
CVE-2021-31196 Microsoft Exchange Server Information Disclosure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2021-33044 Dahua IP Camera Authentication Bypass Vulnerability
CVE-2021-33045 Dahua IP Camera Authentication Bypass Vulnerability
CVE-2022-0185 Linux Kernel Heap-Based Buffer Overflow
CVE-2021-31196 Microsoft Exchange Server Information Disclosure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-23897 Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-23897 Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: COMOS
Vulnerabilities: Out-of-bounds Write, Use After Free

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens COMOS, a unified data platform, are affected:

COMOS: All versions prior to V10.5

3.2 Vulnerability Overview
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
An issue was discovered in Open Design Alliance Drawings SDK before 2024.12. A corrupted value of number of sectors used by the Fat structure in a crafted DGN file leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVE-2023-5180 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.2 USE AFTER FREE CWE-416
Open Design Alliance Drawings SDK (versions before 2024.1) contains a use-after-free vulnerability that could be triggered while parsing specially crafted DWG file. An attacker could leverage this in conjunction with other vulnerabilities to execute arbitrary code.
CVE-2023-26495 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends users update to the latest version:

Update to V10.5 or later version

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

CVE-2023-5180, CVE-2023-26495: Ensure all files imported into the affected product originate from a trusted source and are transmitted over secure channels

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-659443 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

August 15, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: COMOS
Vulnerabilities: Out-of-bounds Write, Use After Free

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens COMOS, a unified data platform, are affected:

COMOS: All versions prior to V10.5

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An issue was discovered in Open Design Alliance Drawings SDK before 2024.12. A corrupted value of number of sectors used by the Fat structure in a crafted DGN file leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2023-5180 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 USE AFTER FREE CWE-416

Open Design Alliance Drawings SDK (versions before 2024.1) contains a use-after-free vulnerability that could be triggered while parsing specially crafted DWG file. An attacker could leverage this in conjunction with other vulnerabilities to execute arbitrary code.

CVE-2023-26495 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users update to the latest version:

Update to V10.5 or later version

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

CVE-2023-5180, CVE-2023-26495: Ensure all files imported into the affected product originate from a trusted source and are transmitted over secure channels

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-659443 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

August 15, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 5.9
ATTENTION: Exploitable from adjacent network.
Vendor: PTC
Equipment: Kepware ThingWorx Kepware Server
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION
Successful exploitation of this vulnerability could crash the target device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
PTC reports that the following products and versions are affected:

PTC Kepware ThingWorx Kepware Server: V6
PTC Kepware KEPServerEX: V6
Software Toolbox TOP Server: V6
GE IGS: V7.6x

3.2 Vulnerability Overview
3.2.1 Allocation of Resources Without Limits or Throttling CWE-770
When performing an online tag generation to devices which communicate using the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured correctly, could deliver a response leading to unrestricted or unregulated resource allocation. This could cause a denial-of-service condition and crash the Kepware application. By default, these functions are turned off, yet they remain accessible for users who recognize and require their advantages.
CVE-2024-6098 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-6098. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Sharon Brizinov and Vera Mens of Claroty Research – Team82 reported this vulnerability to PTC.
4. MITIGATIONS
PTC recommends users take a defense-in-depth stance with regards to their manufacturing networks ensuring proper access control is maintained. Additionally, proper adherence to the Kepware Secure Deployment Guide will minimize this threat through accurate configuration and use of the product.
Please refer to this article (login required) for specific information on how this risk may be mitigated in your environment.
If additional questions remain, contact PTC Technical Support.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

August 15, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 5.9
ATTENTION: Exploitable from adjacent network.
Vendor: PTC
Equipment: Kepware ThingWorx Kepware Server
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of this vulnerability could crash the target device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

PTC reports that the following products and versions are affected:

PTC Kepware ThingWorx Kepware Server: V6
PTC Kepware KEPServerEX: V6
Software Toolbox TOP Server: V6
GE IGS: V7.6x

3.2 Vulnerability Overview

3.2.1 Allocation of Resources Without Limits or Throttling CWE-770

When performing an online tag generation to devices which communicate using the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured correctly, could deliver a response leading to unrestricted or unregulated resource allocation. This could cause a denial-of-service condition and crash the Kepware application. By default, these functions are turned off, yet they remain accessible for users who recognize and require their advantages.

CVE-2024-6098 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6098. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sharon Brizinov and Vera Mens of Claroty Research – Team82 reported this vulnerability to PTC.

4. MITIGATIONS

PTC recommends users take a defense-in-depth stance with regards to their manufacturing networks ensuring proper access control is maintained. Additionally, proper adherence to the Kepware Secure Deployment Guide will minimize this threat through accurate configuration and use of the product.

Please refer to this article (login required) for specific information on how this risk may be mitigated in your environment.

If additional questions remain, contact PTC Technical Support.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication
 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEC Traffic Analyzer
Vulnerabilities: Improper Privilege Management, Improper Restriction of Excessive Authentication Attempts, Improper Access Control, Use of Cache Containing Sensitive Information, Improperly Implemented Security Check for Standard

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to alter the container’s filesystem leading to unauthorized modifications and data corruption, conduct brute force attacks against legitimate user credentials or keys, get access to sensitive information, read and modify data stored in the local cache, or make the servers more prone to clickjacking attack.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Siemens, are affected:

Siemens SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): versions prior to V2.0

3.2 Vulnerability Overview
3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269
The affected application mounts the container’s root filesystem with read and write privileges. This could allow an attacker to alter the container’s filesystem leading to unauthorized modifications and data corruption.
CVE-2024-41903 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-41903. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307
The affected application does not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated attacker to conduct brute force attacks against legitimate user credentials or keys.
CVE-2024-41904 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41904. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 IMPROPER ACCESS CONTROL CWE-284
The affected application does not have access control for accessing the files. This could allow an authenticated attacker with low privileges to get access to sensitive information.
CVE-2024-41905 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41905. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.4 USE OF CACHE CONTAINING SENSITIVE INFORMATION CWE-524
The affected application does not properly handle cacheable HTTP responses in the web service. This could allow an attacker to read and modify data stored in the local cache.
CVE-2024-41906 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41906. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.5 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358
The affected application is missing general HTTP security headers in the web server. This could allow an attacker to make the servers more prone to clickjacking attacks.
CVE-2024-41907 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41907. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has released a [new version (V2.0 or later version)](https://support.industry.siemens.com/cs/ww/en/view/109972409/ for SINEC Traffic Analyzer and recommends users update to the latest version.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-716317 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

August 15, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SINEC Traffic Analyzer
Vulnerabilities: Improper Privilege Management, Improper Restriction of Excessive Authentication Attempts, Improper Access Control, Use of Cache Containing Sensitive Information, Improperly Implemented Security Check for Standard

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to alter the container’s filesystem leading to unauthorized modifications and data corruption, conduct brute force attacks against legitimate user credentials or keys, get access to sensitive information, read and modify data stored in the local cache, or make the servers more prone to clickjacking attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

Siemens SINEC Traffic Analyzer (6GK8822-1BG01-0BA0): versions prior to V2.0

3.2 Vulnerability Overview

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

The affected application mounts the container’s root filesystem with read and write privileges. This could allow an attacker to alter the container’s filesystem leading to unauthorized modifications and data corruption.

CVE-2024-41903 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41903. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected application does not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated attacker to conduct brute force attacks against legitimate user credentials or keys.

CVE-2024-41904 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41904. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

The affected application does not have access control for accessing the files. This could allow an authenticated attacker with low privileges to get access to sensitive information.

CVE-2024-41905 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41905. A base score of 7.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 USE OF CACHE CONTAINING SENSITIVE INFORMATION CWE-524

The affected application does not properly handle cacheable HTTP responses in the web service. This could allow an attacker to read and modify data stored in the local cache.

CVE-2024-41906 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41906. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.5 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358

The affected application is missing general HTTP security headers in the web server. This could allow an attacker to make the servers more prone to clickjacking attacks.

CVE-2024-41907 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41907. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has released a [new version (V2.0 or later version)](https://support.industry.siemens.com/cs/ww/en/view/109972409/ for SINEC Traffic Analyzer and recommends users update to the latest version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-716317 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication
 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Location Intelligence
Vulnerabilities: Inadequate Encryption Strength, Improper Restriction of Excessive Authentication Attempts, Weak Password Requirements

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to read and modify data passed over the connection between legitimate clients and the affected product or brute force user passwords.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens Location Intelligence, a web-based application software, are affected:

Location Intelligence: All versions prior to V4.4

3.2 Vulnerability Overview
3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326
The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.
CVE-2024-41681 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-41681. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307
Affected products do not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated remote attacker to conduct brute force attacks against legitimate user passwords.
CVE-2024-41682 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41682. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 WEAK PASSWORD REQUIREMENTS CWE-521
Affected products do not properly enforce a strong user password policy. This could facilitate a brute force attack against legitimate user passwords.
CVE-2024-41683 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-41683. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends users update to the latest version:

Update to V4.4 or later version

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-720392 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

August 15, 2024: Initial Publication 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Location Intelligence
Vulnerabilities: Inadequate Encryption Strength, Improper Restriction of Excessive Authentication Attempts, Weak Password Requirements

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to read and modify data passed over the connection between legitimate clients and the affected product or brute force user passwords.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Location Intelligence, a web-based application software, are affected:

Location Intelligence: All versions prior to V4.4

3.2 Vulnerability Overview

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.

CVE-2024-41681 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41681. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

Affected products do not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated remote attacker to conduct brute force attacks against legitimate user passwords.

CVE-2024-41682 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41682. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 WEAK PASSWORD REQUIREMENTS CWE-521

Affected products do not properly enforce a strong user password policy. This could facilitate a brute force attack against legitimate user passwords.

CVE-2024-41683 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-41683. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends users update to the latest version:

Update to V4.4 or later version

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-720392 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

August 15, 2024: Initial Publication
 Read More