Category: CISA Alerts

 ​ Microsoft has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  
Users and administrators are encouraged to review the following advisory and apply the necessary updates:  

Microsoft Security Update Guide for June 

 Microsoft has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.  

Users and administrators are encouraged to review the following advisory and apply the necessary updates:  

Microsoft Security Update Guide for June
 Read More

 ​Fortinet has released security updates to address a vulnerability in FortiOS. A cyber threat actor could exploit this vulnerability to take control of an affected system.   

Users and administrators are encouraged to review the following Fortinet Security Bulletin and apply the necessary updates:  

FG-IR-23-460: Multiple Buffer Overflows in Diag Npu Command 

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.3
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix, GuardLogix, CompactLogix
Vulnerability: Always-Incorrect Control Flow Implementation

2. RISK EVALUATION
Successful exploitation of this vulnerability could compromise the availability of the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Rockwell Automation reports that the following controllers are affected:

ControlLogix 5580: V34.011
GuardLogix 5580: V34.011
1756-EN4: V4.001
CompactLogix 5380: V34.011
Compact GuardLogix 5380: V34.011
CompactLogix 5380: V34.011
ControlLogix 5580: V34.011
CompactLogix 5480: V34.011

3.2 Vulnerability Overview
3.2.1 Always-Incorrect Control Flow Implementation CWE-670
Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.
CVE-2024-5659 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-5659. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Rockwell Automation reported this vulnerability to CISA.
4. MITIGATIONS
Rockwell Automation offers users the following solutions:

ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
GuardLogix 5580: corrected in V34.014, V35.013, V36.011 and later
1756-EN4: corrected in V6.001 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5480: corrected in V34.014, V35.013, V36.011 and later

Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.

Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.
Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique
Security Best Practices

For more information, see Rockwell Automation’s security advisory
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 11, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.3
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix, GuardLogix, CompactLogix
Vulnerability: Always-Incorrect Control Flow Implementation

2. RISK EVALUATION

Successful exploitation of this vulnerability could compromise the availability of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following controllers are affected:

ControlLogix 5580: V34.011
GuardLogix 5580: V34.011
1756-EN4: V4.001
CompactLogix 5380: V34.011
Compact GuardLogix 5380: V34.011
CompactLogix 5380: V34.011
ControlLogix 5580: V34.011
CompactLogix 5480: V34.011

3.2 Vulnerability Overview

3.2.1 Always-Incorrect Control Flow Implementation CWE-670

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.

CVE-2024-5659 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5659. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation offers users the following solutions:

ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
GuardLogix 5580: corrected in V34.014, V35.013, V36.011 and later
1756-EN4: corrected in V6.001 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
CompactLogix 5480: corrected in V34.014, V35.013, V36.011 and later

Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.

Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.
Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique
Security Best Practices

For more information, see Rockwell Automation’s security advisory

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Intrado
Equipment: 911 Emergency Gateway (EGW)
Vulnerability: SQL Injection

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Intrado’s 911 Emergency Gateway are affected:

911 Emergency Gateway (EGW): All versions

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.
CVE-2024-1839 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-1839. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/S:P/AU:Y/R:U/V:C).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Emergency Services
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
An anonymous individual reported this vulnerability to CISA.
4. MITIGATIONS
Intrado has provided a patch to mitigate the vulnerability. Any EGWs deployed on older revisions will need to be upgraded to the 5.5/5.6 branch to apply the patch. For assistance in obtaining the patch, contact Intrado’s technical support group at 1-888-908-4167 or E911Support@intrado.com.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 11, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Intrado
Equipment: 911 Emergency Gateway (EGW)
Vulnerability: SQL Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Intrado’s 911 Emergency Gateway are affected:

911 Emergency Gateway (EGW): All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.

CVE-2024-1839 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-1839. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/S:P/AU:Y/R:U/V:C).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Emergency Services
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous individual reported this vulnerability to CISA.

4. MITIGATIONS

Intrado has provided a patch to mitigate the vulnerability. Any EGWs deployed on older revisions will need to be upgraded to the 5.5/5.6 branch to apply the patch. For assistance in obtaining the patch, contact Intrado’s technical support group at 1-888-908-4167 or E911Support@intrado.com.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AVEVA
Equipment: PI Web API
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AVEVA PI Web API, a RESTful interface to the PI system, are affected:

AVEVA PI Web API: Versions 2023 and prior

3.2 Vulnerability Overview
3.2.1 Deserialization of Untrusted Data CWE-502
There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.
CVE-2024-3468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2024-3468. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER
AVEVA reported this vulnerability to CISA.
4. MITIGATIONS
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:
From OSI Soft Customer Portal, search for “PI Web API” and select version “2023 SP1” or later.
(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03
AVEVA further recommends users follow general defensive measures:

Set “DisableWrites” configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.
Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.
Limit AF Servers’ Administrators, so that most of the PI Web API user accounts don’t have the permission to change the backend AF servers.

For additional information please refer to AVEVA-2024-003
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 11, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AVEVA
Equipment: PI Web API
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Web API, a RESTful interface to the PI system, are affected:

AVEVA PI Web API: Versions 2023 and prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.

CVE-2024-3468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-3468. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:

From OSI Soft Customer Portal, search for “PI Web API” and select version “2023 SP1” or later.

(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03

AVEVA further recommends users follow general defensive measures:

Set “DisableWrites” configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.
Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.
Limit AF Servers’ Administrators, so that most of the PI Web API user accounts don’t have the permission to change the backend AF servers.

For additional information please refer to AVEVA-2024-003

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: MicroDicom
Equipment: DICOM Viewer
Vulnerabilities: Improper Authorization in Handler for Custom URL Scheme, Stack-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to both retrieve and plant medical image files on a victim’s system and cause a stack-based buffer overflow, which could result in sensitive information disclosure and arbitrary code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of MicroDicom DICOM Viewer, a medical image viewer, are affected:

DICOM Viewer: Versions prior to 2024.2

3.2 Vulnerability Overview
3.2.1 IMPROPER AUTHORIZATION IN HANDLER FOR CUSTOM URL SCHEME CWE-939
An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a victim’s system. User interaction is required to exploit this vulnerability.
CVE-2024-33606 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-33606. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. User interaction is required to exploit this vulnerability.
CVE-2024-28877 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-28877. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Bulgaria

3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to CISA.
4. MITIGATIONS
MicroDicom recommends users upgrade to DICOM Viewer version 2024.2.
CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 11, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: MicroDicom
Equipment: DICOM Viewer
Vulnerabilities: Improper Authorization in Handler for Custom URL Scheme, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to both retrieve and plant medical image files on a victim’s system and cause a stack-based buffer overflow, which could result in sensitive information disclosure and arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of MicroDicom DICOM Viewer, a medical image viewer, are affected:

DICOM Viewer: Versions prior to 2024.2

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHORIZATION IN HANDLER FOR CUSTOM URL SCHEME CWE-939

An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a victim’s system. User interaction is required to exploit this vulnerability.

CVE-2024-33606 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-33606. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. User interaction is required to exploit this vulnerability.

CVE-2024-28877 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28877. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Bulgaria

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

MicroDicom recommends users upgrade to DICOM Viewer version 2024.2.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 11, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Low attack complexity
Vendor: AVEVA
Equipment: PI Asset Framework Client
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow malicious code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected:

PI Asset Framework Client: 2023
PI Asset Framework Client: 2018 SP3 P04 and all prior

3.2 Vulnerability Overview
3.2.1 Deserialization of Untrusted Data CWE-502
There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.
CVE-2024-3467 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-3467. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER
AVEVA reported this vulnerability to CISA.
4. MITIGATIONS
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:

(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:From OSI Soft Customer Portal, search for “Asset Framework” and select “PI Asset Framework (AF) Client 2023 Patch 1” or later.
(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:From OSI Soft Customer Portal, search for “Asset Framework” and select either “PI Asset Framework (AF) Client 2018 SP3 Patch 5” or later.

AVEVA further recommends users follow general defensive measures:

Run PI System Explorer as a least privilege interactive account when possible.
Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.

For additional information please refer to AVEVA-2024-004
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

June 11, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Low attack complexity
Vendor: AVEVA
Equipment: PI Asset Framework Client
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow malicious code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected:

PI Asset Framework Client: 2023
PI Asset Framework Client: 2018 SP3 P04 and all prior

3.2 Vulnerability Overview

3.2.1 Deserialization of Untrusted Data CWE-502

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.

CVE-2024-3467 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3467. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:

(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:
From OSI Soft Customer Portal, search for “Asset Framework” and select “PI Asset Framework (AF) Client 2023 Patch 1” or later.
(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:
From OSI Soft Customer Portal, search for “Asset Framework” and select either “PI Asset Framework (AF) Client 2018 SP3 Patch 5” or later.

AVEVA further recommends users follow general defensive measures:

Run PI System Explorer as a least privilege interactive account when possible.
Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.

For additional information please refer to AVEVA-2024-004

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

June 11, 2024: Initial Publication
 Read More

 ​CISA released six Industrial Control Systems (ICS) advisories on June 11, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-163-01 Rockwell Automation ControlLogix, GuardLogix, and CompactLogix
ICSA-24-163-02 AVEVA PI Web API
ICSA-24-163-03 AVEVA PI Asset Framework Client
ICSA-24-163-04 Intrado 911 Emergency Gateway
ICSA-23-108-02 Schneider Electric APC Easy UPS Online Monitoring Software (Update A)
ICSMA-24-163-01 MicroDicom DICOM Viewer

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. 

CISA released six Industrial Control Systems (ICS) advisories on June 11, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-163-01 Rockwell Automation ControlLogix, GuardLogix, and CompactLogix
ICSA-24-163-02 AVEVA PI Web API
ICSA-24-163-03 AVEVA PI Asset Framework Client
ICSA-24-163-04 Intrado 911 Emergency Gateway
ICSA-23-108-02 Schneider Electric APC Easy UPS Online Monitoring Software (Update A)
ICSMA-24-163-01 MicroDicom DICOM Viewer

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Emerson
Equipment: Ovation
Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity

CISA is aware of a public report, known as “OT:ICEFALL”, detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, denial-of-service, or allow an attacker to modify the controller configuration.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Emerson products are affected:

Ovation: Version 3.8.0 Feature Pack 1 and prior

3.2 Vulnerability Overview
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.
CVE-2022-29966 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-29966. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
The affected product was found to have no authentication of firmware signing and relies on an insecure checksum for integrity. This could allow an attacker to push malicious firmware images, cause a denial-of-service condition, or achieve remote code execution.
CVE-2022-30267 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-30267. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA
4. MITIGATIONS
Emerson recommends the following:

Upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities.
Users are advised to consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models.
Deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual (OVREF1000). Ovation Users’ Group Website (User Manuals | Reference Manuals) (login required)
Users with questions or concerns regarding the impact of these vulnerabilities on Ovation should contact theOvation-CERT by email or phone (1-800-445-9723, option 3).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 6, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Emerson
Equipment: Ovation
Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity

CISA is aware of a public report, known as “OT:ICEFALL”, detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, denial-of-service, or allow an attacker to modify the controller configuration.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson products are affected:

Ovation: Version 3.8.0 Feature Pack 1 and prior

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.

CVE-2022-29966 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29966. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The affected product was found to have no authentication of firmware signing and relies on an insecure checksum for integrity. This could allow an attacker to push malicious firmware images, cause a denial-of-service condition, or achieve remote code execution.

CVE-2022-30267 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30267. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA

4. MITIGATIONS

Emerson recommends the following:

Upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities.
Users are advised to consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models.
Deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual (OVREF1000). Ovation Users’ Group Website (User Manuals | Reference Manuals) (login required)
Users with questions or concerns regarding the impact of these vulnerabilities on Ovation should contact the
Ovation-CERT by email or phone (1-800-445-9723, option 3).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 6, 2024: Initial Publication
 Read More

 ​CISA released four Industrial Control Systems (ICS) advisories on June 6, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-158-01 Emerson PACSystem and Fanuc
ICSA-24-158-02 Emerson Ovation
ICSA-24-158-03 Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch
ICSA-24-158-04 Johnson Controls Software House iStar Pro Door Controller

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. 

CISA released four Industrial Control Systems (ICS) advisories on June 6, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-158-01 Emerson PACSystem and Fanuc
ICSA-24-158-02 Emerson Ovation
ICSA-24-158-03 Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch
ICSA-24-158-04 Johnson Controls Software House iStar Pro Door Controller

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

 Read More