Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch

1. EXECUTIVE SUMMARY

CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: CC-Link IE TSN Industrial Managed Switch
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a temporary denial-of-service (DoS) condition in the web service on the product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of CC-Link IE TSN Industrial Managed Switch are affected:

NZ2MHG-TSNT8F2: Versions 05 and prior
NZ2MHG-TSNT4: Versions 05 and prior

3.2 Vulnerability Overview
3.2.1 Allocation of Resources Without Limits or Throttling CWE-770
Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch is affected by an OpenSSL vulnerability that allows an attacker to cause a temporary denial-of-service (DoS) condition on the web service of the product by getting a legitimate administrator user to import a specially crafted certificate, which causes the product to experience notable to very long processing delays.
CVE-2023-2650 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2023-2650. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
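A pre-import screen for the crafted-certificate trigger described above, as an added example that is not Mitsubishi Electric's or OpenSSL's code. OpenSSL's own advisory for CVE-2023-2650 attributes the slowdown to OBJECT IDENTIFIERs whose sub-identifiers are encoded over very many bytes, which OBJ_obj2txt() converts to text very slowly. The walker below parses a DER blob on the administrator's workstation and refuses it when any OID exceeds a byte-length or sub-identifier-width threshold. The thresholds, the helper names and the sample inputs are assumptions constructed for this example; it is a compensating control for the import step only, not a substitute for updating to firmware version 06.

```python
"""Pre-import screen for pathological ASN.1 OBJECT IDENTIFIERs in DER input.
Added example for this page (not vendor or OpenSSL code). Thresholds below
are assumptions chosen for the example, not limits taken from the advisory.
"""
from typing import Iterator, List, Tuple

MAX_OID_BYTES = 64    # assumption: real-world OIDs are a dozen bytes at most
MAX_SUBID_BITS = 64   # assumption: no legitimate arc needs more than 64 bits


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a TLV with the given identifier octet (test-input builder)."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Parse one TLV at buf[pos]: (identifier octet, constructed?, value, next pos)."""
    if pos >= len(buf):
        raise ValueError("truncated DER")
    ident, pos = buf[pos], pos + 1
    if (ident & 0x1F) == 0x1F:                    # high-tag-number form: skip it
        while pos < len(buf) and (buf[pos] & 0x80):
            pos += 1
        pos += 1
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first, pos = buf[pos], pos + 1
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return ident, bool(ident & 0x20), buf[pos:pos + length], pos + length


def iter_oids(der: bytes) -> Iterator[bytes]:
    """Yield the content octets of every OBJECT IDENTIFIER reachable in der,
    descending into constructed elements and into OCTET STRINGs that hold DER
    (which is how X.509 extension values are carried)."""
    pos = 0
    while pos < len(der):
        ident, constructed, value, pos = _read_tlv(der, pos)
        if constructed:
            yield from iter_oids(value)
        elif ident == 0x06:
            yield value
        elif ident == 0x04:
            try:
                nested = list(iter_oids(value))
            except ValueError:
                nested = []                       # opaque octets, not DER
            yield from nested


def decode_oid(content: bytes) -> List[int]:
    """Decode OID content octets (base-128 arcs) into a list of integers."""
    if not content or (content[-1] & 0x80):
        raise ValueError("empty or unterminated OID")
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(val)
            val = 0
    first = arcs.pop(0)
    return ([first // 40, first % 40] if first < 80 else [2, first - 80]) + arcs


def encode_oid(arcs: List[int]) -> bytes:
    """Encode arcs as a complete OBJECT IDENTIFIER TLV (used to build test input)."""
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + list(arcs[2:]):
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _tlv(0x06, bytes(body))


def find_suspicious_oids(der: bytes) -> List[str]:
    """Return one reason per OID that breaches MAX_OID_BYTES or MAX_SUBID_BITS."""
    problems = []
    for raw in iter_oids(der):
        if len(raw) > MAX_OID_BYTES:
            problems.append(f"OID of {len(raw)} bytes exceeds {MAX_OID_BYTES}")
            continue
        widest = max(decode_oid(raw))
        if widest.bit_length() > MAX_SUBID_BITS:
            problems.append(f"sub-identifier {widest.bit_length()} bits wide exceeds {MAX_SUBID_BITS}")
    return problems


def safe_to_import(der: bytes) -> bool:
    return not find_suspicious_oids(der)


# Constructed sample input (not real certificates): a certificate-shaped
# skeleton with a normal signature OID and an extension OID, then two abusive variants.
BENIGN_DER = _tlv(0x30, _tlv(0x30, encode_oid([1, 2, 840, 113549, 1, 1, 11]))      # sha256WithRSAEncryption
                  + _tlv(0x04, _tlv(0x30, encode_oid([2, 5, 29, 15]))))            # keyUsage inside an extension
HUGE_ARC_DER = _tlv(0x30, _tlv(0x04, _tlv(0x30, encode_oid([1, 3, 6, 1, 4, 1, 2 ** 200]))))
LONG_OID_DER = _tlv(0x30, encode_oid([1, 3, 6, 1, 4, 1] + [2 ** 40] * 10))
```

Run find_suspicious_oids() over the DER of a certificate (base64-decode the body of a PEM file first) before uploading it through the web interface; a non-empty list means the file should not be imported. Because OCTET STRINGs are descended only when they parse as DER, the check errs on the side of caution: it may inspect key material that happens to parse, but it will not miss an OID carried inside an X.509 extension.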
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Electric recommends that users update to the fixed versions by following the steps below.
[Fixed versions]

CC-Link IE TSN Industrial Managed Switch NZ2MHG-TSNT8F2: Version “06” or later
CC-Link IE TSN Industrial Managed Switch NZ2MHG-TSNT4: Version “06” or later

[Update steps]

1. Contact your local Mitsubishi Electric representative to obtain the fixed firmware version file for CC-Link IE TSN Industrial Managed Switch.
2. After logging into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, update the firmware to the fixed firmware version file obtained in step 1 using [System] -> [System Management] -> [Firmware Upgrade] on the function menu. For the detailed procedure, refer to "CC-Link IE TSN Industrial Managed Switch User's Manual (SH-082449ENG)".

Mitsubishi Electric recommends that customers take the following mitigations to minimize the risk of exploiting this vulnerability:

When internet access is required, use a virtual private network (VPN) or other means to prevent unauthorized access.
Use the products within a LAN and block access from untrusted networks and hosts.
Restrict physical access to the product and your computer and network equipment on the same network.
After you log into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, change the user name and password from the default settings under [Account Management] on the function menu, and set appropriate access permissions for each user.

For additional information, see Mitsubishi Electric advisory 2024-002.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 6, 2024: Initial Publication 

Emerson PACSystem and Fanuc

1. EXECUTIVE SUMMARY

CVSS v4 5.6
ATTENTION: Low attack complexity
Vendor: Emerson
Equipment: PACSystem, Fanuc
Vulnerabilities: Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Insufficiently Protected Credentials, Download of Code Without Integrity Check

CISA is aware of a public report, known as "OT:ICEFALL", detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and to identify baseline mitigations for reducing the risk of these and other cyberattacks.
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, or a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Emerson products are affected:

PAC Machine Edition: All versions (CVE-2022-30263, CVE-2022-30265)
PACSystem RXi: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266)
PACSystem RX3i: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30265)
PACSystem RSTi-EP: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266, CVE-2022-30265)
PACSystem VersaMax: All versions (CVE-2022-30263, CVE-2022-30265)
Fanuc VersaMax: All versions (CVE-2022-30263, CVE-2022-30268, CVE-2022-30266)

3.2 Vulnerability Overview
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
The affected product uses a protocol that allows cleartext transmission of credentials. This could allow an attacker to capture these credentials over the network and gain control of the PLC; however, cryptographically secure authentication using the SRP-6a protocol is supported and recommended. Enabling authentication on the PLC prevents replay attacks and requires the attacker to intercept and modify an active connection. Implementing a non-routing control network also requires compromise of the network topology before SRTP (Service Request Transport Protocol, the PLC's programming protocol, not Secure RTP) packets can be intercepted.
CVE-2022-30263 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-30263. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
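The SRP-6a exchange the paragraph above recommends, traced with both sides' messages, as an added example that is not Emerson's code and makes no claim about the PACSystems SRTP wire format. It shows the two properties the advisory relies on: the password never crosses the network (the server holds only a salt and verifier, and the client proves knowledge of the password without sending it), and a captured exchange cannot be replayed, because the server contributes a fresh ephemeral value in every session. The group is the 1024-bit RFC 5054 group with generator 2, transcribed here and re-checked at runtime by group_is_plausible(); SHA-256 as the hash, the user name and password, and the helper names are assumptions for this example.

```python
"""SRP-6a traced end to end: password never on the wire, replay refused.
Added example for this page, not Emerson's implementation. Group: RFC 5054
1024-bit, g = 2 (transcribed; verified by group_is_plausible()). Hash: SHA-256
is an assumption for this example (RFC 5054 itself specifies SHA-1).
"""
import hashlib
import hmac
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def group_is_plausible() -> bool:
    """Fermat checks on N and (N-1)/2: a cheap guard against a mistyped modulus."""
    q = (N - 1) // 2
    return N.bit_length() == 1024 and pow(2, N - 1, N) == 1 and pow(2, q - 1, q) == 1


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()

def Hi(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(N_BYTES, "big")

def to_bytes(x: int) -> bytes:
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

k = Hi(pad(N), pad(g))  # SRP-6a multiplier parameter


def enroll(store: dict, I: str, P: str, salt=None) -> None:
    """Enrolment: the server keeps only (salt, verifier), never the password."""
    s = salt if salt is not None else secrets.token_bytes(16)
    x = Hi(s, H(I.encode(), b":", P.encode()))
    store[I] = (s, pow(g, x, N))


def proof_m1(I: str, s: bytes, A: int, B: int, K: bytes) -> bytes:
    hn_xor_hg = bytes(p ^ q for p, q in zip(H(pad(N)), H(pad(g))))
    return H(hn_xor_hg, H(I.encode()), s, to_bytes(A), to_bytes(B), K)


def server_respond(store: dict, I: str, A: int):
    """Msg 2 (server -> client): salt and B. Also returns private session state."""
    if A % N == 0:
        raise ValueError("client public value A is 0 mod N")
    s, v = store[I]
    b = secrets.randbelow(N - 2) + 1                  # fresh ephemeral every session
    B = (k * v + pow(g, b, N)) % N
    u = Hi(pad(A), pad(B))
    K = H(to_bytes(pow(A * pow(v, u, N) % N, b, N)))
    return s, B, {"expect_M1": proof_m1(I, s, A, B, K), "K": K, "A": A}


def server_verify(state: dict, M1: bytes):
    """Msg 4 (server -> client): M2 if the client's proof matched, else None."""
    if not hmac.compare_digest(state["expect_M1"], M1):
        return None
    return H(to_bytes(state["A"]), M1, state["K"])


def client_prove(I: str, P: str, a: int, s: bytes, B: int) -> bytes:
    """Msg 3 (client -> server): proof M1, derived from the password locally."""
    if B % N == 0:
        raise ValueError("server public value B is 0 mod N")
    A = pow(g, a, N)
    x = Hi(s, H(I.encode(), b":", P.encode()))
    u = Hi(pad(A), pad(B))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return proof_m1(I, s, A, B, H(to_bytes(S)))


def run_handshake(store: dict, I: str, P: str):
    """Full exchange; returns (accepted, wire) with every byte that crossed the network."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                               # msg 1 (client -> server): I, A
    s, B, state = server_respond(store, I, A)      # msg 2: s, B
    M1 = client_prove(I, P, a, s, B)               # msg 3: M1
    M2 = server_verify(state, M1)                  # msg 4: M2, or rejection
    wire = {"I": I.encode(), "A": to_bytes(A), "s": s, "B": to_bytes(B), "M1": M1, "M2": M2 or b""}
    return M2 is not None, wire


def replay_session(store: dict, wire: dict) -> bool:
    """Attacker replays captured (I, A) and M1; the server's fresh b makes it fail."""
    _, _, state = server_respond(store, wire["I"].decode(), int.from_bytes(wire["A"], "big"))
    return server_verify(state, wire["M1"]) is not None


def demo() -> dict:
    store = {}
    enroll(store, "operator", "correct horse battery", salt=bytes(range(16)))
    ok, wire = run_handshake(store, "operator", "correct horse battery")
    bad, _ = run_handshake(store, "operator", "wrong password")
    return {"accepted": ok, "wrong_password_accepted": bad,
            "password_on_wire": b"correct horse battery" in b"".join(wire.values()),
            "replay_accepted": replay_session(store, wire)}
```

Note what the attacker in the advisory's threat model gets from a capture: I, A, s, B, M1 and M2, none of which yields the password without an offline dictionary attack against a verifier they do not hold. A live man-in-the-middle still has to tamper with an active session, which is exactly the residual risk the advisory describes and why the non-routing control network is the second layer.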
3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
The affected products use the Winloader utility to manage firmware updates over a serial port or a serial-over-Ethernet link, and this update path was found not to use authentication. This could allow an attacker to push malicious firmware images to the controller and cause a denial-of-service condition or allow remote code execution. This vulnerability only affects versions of the CPE302, 205, and 310 that were produced before the "-Bxxx" hardware revisions.
CVE-2022-30268 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2022-30268. A base score of 5.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N).
3.2.3 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
The affected product applies a simple hashing scheme in client-side JavaScript. This could allow an attacker to intercept the hashes and strip the hashing scheme to obtain the credentials in plaintext. These credentials are only valid for 5 minutes due to the TLS protocol used, and the process also requires physical presence to press a button on the device, limiting this attack to an attacker who is physically present and within a very short window. If this is accomplished, it only allows the attacker to upgrade or downgrade the firmware version. Because of this man-in-the-middle threat, documentation recommends limiting physical access to networking equipment and disabling IP routing on control networks. This vulnerability does not apply to older PLCs without a network-based update process.
CVE-2022-30266 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.0 has been calculated; the CVSS vector string is (AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-30266. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:P/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.4 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494
Control logic downloaded to the PLC, which can be written either in one of the IEC 61131-3 languages or in C and supplied as an ELF binary block, is not cryptographically authenticated.
CVE-2022-30265 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2022-30265. A base score of 5.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA.
4. MITIGATIONS
Emerson recommends the following:

For CVE-2022-30263, see the following sections of PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

2.4 General Recommendations
4.3.3 Secure Login
4.3.4 Recommendations, Paragraph 2
If SRP-6a is not being used to secure authentication, see Section 2.4 General Recommendations and Section 6.1 Reference Architecture
5.2.1.1 Disabling Ethernet Services

For CVE-2022-30268, see the following sections of PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

4.3 Authentication
4.3.4 Recommendations, Paragraph 3
4.3.4.1 Personnel Security Protection
4.3.4.2 Physical Security Perimeter Protection

Emerson has updated the Fanuc VersaMax Secure Deployment Guide (GFK-2955D) to include the above recommendations for CVE-2022-30268.

For CVE-2022-30266, see the following sections of PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

2.4 General Recommendations
5.2.1.1 Disabling Ethernet Services
6.1 Reference Architecture

For CVE-2022-30265, see the following sections of the PACSystems RXi, RX3i and RSTi-EP Secure Deployment Guide (GFK-2830Y):

4.3.4.1 Personnel Security Protection
4.3.4.2 Physical Security Perimeter Protection

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 6, 2024: Initial Publication 

Johnson Controls Software House iStar Pro Door Controller

1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Johnson Controls Inc.
Equipment: Software House iStar Pro Door Controller, ICU
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION
Successful exploitation of this vulnerability may allow an attacker to perform a machine-in-the-middle attack to inject commands which change configuration or initiate manual door control commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Johnson Controls reports that the following products are affected:

Software House iStar Pro Door Controller: All versions
ICU: version 6.9.2.25888 and prior

3.2 Vulnerability Overview
3.2.1 Missing Authentication for Critical Function CWE-306
Under certain circumstances, communication between the ICU tool and an iStar Pro door controller is susceptible to machine-in-the-middle attacks which could impact door control and configuration.
CVE-2024-32752 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-32752. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER
Reid Wightman of Dragos reported this vulnerability to Johnson Controls, Inc.
4. MITIGATIONS
The iSTAR Pro controller has reached its end-of-support period and no further firmware updates will be provided. However, the iSTAR Pro has a physical DIP switch on its GCM board, labeled S4, that can be set to block communications with the ICU tool. Consult the iSTAR Pro Installation and Configuration Guide for details on how to set the DIP switch to mitigate this vulnerability.
For more detailed mitigation instructions, see Johnson Controls Product Security Advisory JCI-PSA-2024-06 v1.
Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.
CISA provides a section for control systems security recommended practices on the ICS web page on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with defense-in-depth strategies.
Further ICS security notices and product security guidance are located at the Johnson Controls product security website. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 6, 2024: Initial Publication 

CISA Releases Four Industrial Control Systems Advisories

CISA released four Industrial Control Systems (ICS) advisories on June 4, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-156-01 Uniview NVR301-04S2-P4
ICSA-23-278-03 Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch (Update A)
ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update C)
ICSA-24-151-02 Fuji Electric Monitouch V-SFT (Update A)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. 

Uniview NVR301-04S2-P4

View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 4.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits available
Vendor: Uniview
Equipment: NVR301-04S2-P4
Vulnerability: Cross-site Scripting

2. RISK EVALUATION
An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of Uniview NVR, a network video recorder, is affected:

NVR301-04S2-P4: Versions prior to NVR-B3801.20.17.240507

3.2 Vulnerability Overview
3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79
The affected product is vulnerable to a reflected cross-site scripting (XSS) attack. An attacker could send a user a URL that, if clicked, executes malicious JavaScript in the user's browser. Exploitation requires authentication, so the scope and severity are limited; also, even if the JavaScript is executed, no additional benefits are obtained.
CVE-2024-3850 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-3850. A base score of 4.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).
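
As an added example (not Uniview's code, and not derived from the public PoC), the C fragment below shows the shape of a reflected-XSS sink in a CGI-style web handler beside its hardened form. The page template, the way the parameter reaches the handler, and the payload are assumptions for illustration; C is used because embedded NVR web servers are typically native code.

```c
/* Added example (not Uniview's code): a reflected XSS sink in a CGI-style
 * handler, beside its hardened form. The page template and the parameter
 * handling are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_TPL "<html><body><p>Search results for: %s</p></body></html>"

/* Vulnerable: the value taken from the URL is interpolated verbatim, so a
 * victim who follows a crafted link gets the attacker's markup executed
 * in their (authenticated) browser session. Caller frees the result. */
char *render_vulnerable(const char *user_input) {
    size_t n = sizeof(PAGE_TPL) + strlen(user_input); /* sizeof counts the NUL */
    char *page = malloc(n);
    if (page == NULL) return NULL;
    snprintf(page, n, PAGE_TPL, user_input);
    return page;
}

/* HTML-encode the characters that can switch parsing context inside a text
 * node or a quoted attribute value. Two passes: size, then write. */
char *html_escape(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&': case '"': case '\'': n += 5; break; /* &amp; &#34; &#39; */
        case '<': case '>':            n += 4; break; /* &lt; &gt; */
        default:                       n += 1; break;
        }
    }
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&':  q += sprintf(q, "&amp;");  break;
        case '<':  q += sprintf(q, "&lt;");   break;
        case '>':  q += sprintf(q, "&gt;");   break;
        case '"':  q += sprintf(q, "&#34;");  break;
        case '\'': q += sprintf(q, "&#39;");  break;
        default:   *q++ = *p;                 break;
        }
    }
    *q = '\0';
    return out;
}

/* Hardened: encode first, then use the same template. The payload is still
 * reflected, but the browser renders it as text instead of parsing it. */
char *render_hardened(const char *user_input) {
    char *safe = html_escape(user_input);
    if (safe == NULL) return NULL;
    char *page = render_vulnerable(safe);
    free(safe);
    return page;
}

/* True when the generated page contains a tag the browser would execute. */
int contains_script_tag(const char *page) {
    return strstr(page, "<script") != NULL;
}

int main(void) {
    /* Constructed payload of the kind a reflected-XSS link would carry. */
    const char *payload = "<script>fetch('/api?c='+document.cookie)</script>";
    char *bad = render_vulnerable(payload);
    char *good = render_hardened(payload);
    printf("vulnerable page executes script: %s\n", contains_script_tag(bad) ? "yes" : "no");
    printf("hardened page executes script:   %s\n", contains_script_tag(good) ? "yes" : "no");
    printf("%s\n", good);
    free(bad);
    free(good);
    return 0;
}
```

The hardened page still reflects the input, so the feature keeps working, but `<` and `>` reach the browser as `&lt;` and `&gt;` and are never parsed as a tag. Encoding must match the output context: the five-character set here is correct for HTML text nodes and quoted attribute values, not for values placed inside a script block or a URL.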
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER
CISA discovered a public Proof of Concept (PoC) authored by Bleron Rrustemi and reported it to Uniview.
4. MITIGATIONS
Uniview encourages users to obtain the fixed version, Uniview NVR-B3801.20.17.240507, and update. You may contact your local dealer, Uniview Service Hotline, or regional technical support for assistance.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
5. UPDATE HISTORY

June 4, 2024: Initial Publication 

Snowflake Recommends Customers Take Steps to Prevent Unauthorized Access

On June 2, Snowflake indicated a recent increase in cyber threat activity targeting customer accounts on its cloud data platform. Snowflake issued a recommendation for users to query for unusual activity and conduct further analysis to prevent unauthorized user access.

Users and administrators are encouraged to hunt for any malicious activity, report positive findings to CISA, and review the following Snowflake notice for additional information:

Detecting and Preventing Unauthorized User Access: Instructions

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2017-3506 Oracle WebLogic Server OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-24919 Check Point Quantum Security Gateways Information Disclosure Vulnerability
CVE-2024-1086 Linux Kernel Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA Releases Seven Industrial Control Systems Advisories

CISA released seven Industrial Control Systems (ICS) advisories on May 30, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-151-01 LenelS2 NetBox
ICSA-24-151-02 Fuji Electric Monitouch V-SFT
ICSA-24-151-03 Inosoft VisiWin
ICSA-24-151-04 Westermo EDW-100 
ICSA-22-356-03 Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update C) 
ICSMA-24-151-01 Baxter Welch Allyn Configuration Tool
ICSMA-24-151-02 Baxter Welch Allyn Connex Spot Monitor

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. 

Fuji Electric Monitouch V-SFT

View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Fuji Electric
Equipment: Monitouch V-SFT
Vulnerabilities: Out-of-Bounds Write, Stack-Based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Fuji Electric’s Monitouch V-SFT, a screen configuration software, are affected:

Monitouch V-SFT: Versions prior to 6.2.3.0

3.2 Vulnerability Overview
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
The affected product is vulnerable to an out-of-bounds write caused by a type confusion, which could result in arbitrary code execution.
CVE-2024-5271 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-5271. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121
The affected product is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.
CVE-2024-34171 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-34171. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
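
As an added example (not Fuji Electric's code, and not the V-SFT project-file format, which the advisory does not describe), the C fragment below shows how a stack-based buffer overflow arises in a configuration-file parser when a length field read from the file is trusted, beside the bounds checks that close it. The record layout (1-byte tag, 1-byte length, payload), the 16-byte name field and the sample records are assumptions for illustration.

```c
/* Added example (not Fuji Electric's code): a stack-based buffer overflow
 * (CWE-121) in a file-record parser, beside the bounds-checked version.
 * The record layout (1-byte tag, 1-byte length, payload) and the 16-byte
 * name field are assumptions for illustration, not the V-SFT format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16
#define TAG_NAME 0x01

/* Vulnerable: the length byte comes from the file and drives memcpy into a
 * fixed stack buffer. A record with n >= NAME_MAX writes past `name` into
 * whatever the compiler placed above it (saved registers, return address). */
int parse_name_record_vulnerable(const uint8_t *rec, size_t len) {
    char name[NAME_MAX];
    if (len < 2 || rec[0] != TAG_NAME) return 0;
    uint8_t n = rec[1];
    memcpy(name, rec + 2, n);   /* no check of n against sizeof name, or against len */
    name[n] = '\0';
    return name[0] != '\0';
}

/* Hardened: reject the record before touching memory unless the declared
 * length fits both the destination buffer and the bytes actually present. */
int parse_name_record_hardened(const uint8_t *rec, size_t len, char out[NAME_MAX]) {
    if (len < 2 || rec[0] != TAG_NAME) return 0;
    uint8_t n = rec[1];
    if (n > NAME_MAX - 1) return 0;      /* would overflow out[] (room for NUL) */
    if ((size_t)n + 2 > len) return 0;   /* payload would read past the record */
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return 1;
}

/* Walk consecutive records; stops at the first malformed one and returns how
 * many were accepted. */
size_t parse_records_hardened(const uint8_t *buf, size_t len, char names[][NAME_MAX], size_t max_records) {
    size_t off = 0, count = 0;
    while (off + 2 <= len && count < max_records) {
        if (!parse_name_record_hardened(buf + off, len - off, names[count])) break;
        off += 2 + (size_t)buf[off + 1];
        count++;
    }
    return count;
}

/* Constructed sample records (not from any real project file). */
static const uint8_t REC_VALID[]     = {TAG_NAME, 5, 'H', 'E', 'L', 'L', 'O'};
static const uint8_t REC_TRUNCATED[] = {TAG_NAME, 10, 'A', 'B'};
static const uint8_t REC_STREAM[]    = {TAG_NAME, 3, 'A', 'B', 'C',
                                        TAG_NAME, 2, 'X', 'Y',
                                        TAG_NAME, 9, 'Z'};

int demo_valid_record(void) {
    char name[NAME_MAX];
    return parse_name_record_hardened(REC_VALID, sizeof REC_VALID, name) && strcmp(name, "HELLO") == 0;
}

/* Length byte 200 against a 16-byte buffer: the vulnerable parser would smash
 * the stack here; the hardened one refuses the record without writing. */
int demo_oversize_record(void) {
    uint8_t rec[2 + 200];
    char name[NAME_MAX];
    rec[0] = TAG_NAME;
    rec[1] = 200;
    memset(rec + 2, 'A', 200);
    return parse_name_record_hardened(rec, sizeof rec, name);
}

int demo_truncated_record(void) {
    char name[NAME_MAX];
    return parse_name_record_hardened(REC_TRUNCATED, sizeof REC_TRUNCATED, name);
}

size_t demo_stream_count(void) {
    char names[4][NAME_MAX];
    return parse_records_hardened(REC_STREAM, sizeof REC_STREAM, names, 4);
}

int main(void) {
    printf("valid record parsed: %d\n", demo_valid_record());
    printf("oversize record accepted: %d\n", demo_oversize_record());
    printf("truncated record accepted: %d\n", demo_truncated_record());
    printf("records accepted from stream: %zu\n", demo_stream_count());
    printf("vulnerable parser on valid input: %d\n", parse_name_record_vulnerable(REC_VALID, sizeof REC_VALID));
    return 0;
}
```

Both checks in the hardened parser are needed: the first keeps the write inside the destination, the second keeps the read inside the source. A parser that checks only one of them trades a stack overflow for an out-of-bounds read, and a parser that casts the payload to a different structure than the tag declares (the type-confusion case in 3.2.1) needs the same length-against-destination check for the structure it actually writes.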
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
kimiy, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.
4. MITIGATIONS
Fuji Electric recommends users update the product to Monitouch V-SFT v6.2.3.0.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

May 30, 2024: Initial Publication 
