Category: Security Feeds

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: ICONICS, Mitsubishi Electric
Equipment: ICONICS Product Suite, Mitsubishi Electric MC Works64
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in disclosure of confidential information, data tampering, or a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ICONICS reports that the following versions of ICONICS and Mitsubishi Electric Products are affected:

ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.3 and prior
Mitsubishi Electric MC Works64: all versions

3.2 Vulnerability Overview
3.2.1 Incorrect Default Permissions CWE-276
There is an incorrect default permissions vulnerability in ICONICS and Mitsubishi Electric products which may allow a disclosure of confidential information, data tampering, or a denial of service condition due to incorrect default permissions.
CVE-2024-7587 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

3.4 RESEARCHER
Asher Davila and Malav Vyas of Palo Alto Networks reported this vulnerability to ICONICS.
4. MITIGATIONS
Version 10.97.3 CFR1 and later is not vulnerable to this issue. ICONICS recommends that users of its products take the following mitigation steps:

For new systems, use the 10.97.3 CFR1 or later version of the ICONICS products.
If planning to use GENESIS64 v10.97.3 or earlier on a new freshly installed system, do not install the included GenBroker32. Instead, download the latest GenBroker32 from ICONICS and install this version if needed.
For systems that already have v10.97.3 or an earlier version, or MC Works64 installed, verify the permissions on the c:ProgramDataICONICS folder do not include “Everyone”. If this folder is set to provide access to “Everyone”, remove this access by performing the following steps:

Right click C:ProgramDataICONICS folder and open the Properties display
Open the Security tab
Click Advanced
Click Change Permissions
Select “Everyone” and check the “Replace all object permissions entries with inheritable permission entries from this project” checkbox
Click Remove

ICONICS and Mitsubishi Electric recommends users update the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here(login required).
ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the [ICONICS Whitepaper on Security Vulnerabilities])https://iconics.com/About/Security/CERT), and to the for information on the availability of the security updates.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

October 22, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: ICONICS, Mitsubishi Electric
Equipment: ICONICS Product Suite, Mitsubishi Electric MC Works64
Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in disclosure of confidential information, data tampering, or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ICONICS reports that the following versions of ICONICS and Mitsubishi Electric Products are affected:

ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.3 and prior
Mitsubishi Electric MC Works64: all versions

3.2 Vulnerability Overview

3.2.1 Incorrect Default Permissions CWE-276

There is an incorrect default permissions vulnerability in ICONICS and Mitsubishi Electric products which may allow a disclosure of confidential information, data tampering, or a denial of service condition due to incorrect default permissions.

CVE-2024-7587 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

3.4 RESEARCHER

Asher Davila and Malav Vyas of Palo Alto Networks reported this vulnerability to ICONICS.

4. MITIGATIONS

Version 10.97.3 CFR1 and later is not vulnerable to this issue. ICONICS recommends that users of its products take the following mitigation steps:

For new systems, use the 10.97.3 CFR1 or later version of the ICONICS products.
If planning to use GENESIS64 v10.97.3 or earlier on a new freshly installed system, do not install the included GenBroker32. Instead, download the latest GenBroker32 from ICONICS and install this version if needed.
For systems that already have v10.97.3 or an earlier version, or MC Works64 installed, verify the permissions on the c:ProgramDataICONICS folder do not include “Everyone”. If this folder is set to provide access to “Everyone”, remove this access by performing the following steps:

Right click C:ProgramDataICONICS folder and open the Properties display
Open the Security tab
Click Advanced
Click Change Permissions
Select “Everyone” and check the “Replace all object permissions entries with inheritable permission entries from this project” checkbox
Click Remove

ICONICS and Mitsubishi Electric recommends users update the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here(login required).

ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the [ICONICS Whitepaper on Security Vulnerabilities])https://iconics.com/About/Security/CERT), and to the for information on the availability of the security updates.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

October 22, 2024: Initial Publication
 Read More

 ​CISA released one Industrial Control Systems (ICS) advisory on October 22, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-296-01 ICONICS and Mitsubishi Electric Products

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released one Industrial Control Systems (ICS) advisory on October 22, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-296-01 ICONICS and Mitsubishi Electric Products

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-9537 ScienceLogic SL1 Unspecified Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-9537 ScienceLogic SL1 Unspecified Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

​Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population. 

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

The Brazilian news outlet TV Globo first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.

USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” and according to the cyber intelligence platform Intel 471 NetSec posted a thread on the now-defunct cybercrime community RaidForums on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Techmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike.

CrowdStrike did not respond to a request for comment. But a week after Techmundo’s piece, the tech news publication hackread.com published a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.

Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.

“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.

Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.

 

​Read More

 ​CISA released seven Industrial Control Systems (ICS) advisories on October 17, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-291-01 Elvaco M-Bus Metering Gateway CMe3100
ICSA-24-291-02 LCDS LAquis SCADA
ICSA-24-291-03 Mitsubishi Electric CNC Series
ICSA-24-291-04 HMS Networks EWON FLEXY 202
ICSA-24-291-05 Kieback&Peter DDC4000 Series
ICSA-24-270-04 goTenna Pro X and Pro X2 (Update A)
ICSA-24-270-05 goTenna Pro ATAK Plugin (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released seven Industrial Control Systems (ICS) advisories on October 17, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-291-01 Elvaco M-Bus Metering Gateway CMe3100
ICSA-24-291-02 LCDS LAquis SCADA
ICSA-24-291-03 Mitsubishi Electric CNC Series
ICSA-24-291-04 HMS Networks EWON FLEXY 202
ICSA-24-291-05 Kieback&Peter DDC4000 Series
ICSA-24-270-04 goTenna Pro X and Pro X2 (Update A)
ICSA-24-270-05 goTenna Pro ATAK Plugin (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 
CISA encourages users and administrators to review the following Oracle Critical Patch Update Advisory and apply the necessary updates: 

Oracle Critical Patch Update Advisory – October 2024 

Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

CISA encourages users and administrators to review the following Oracle Critical Patch Update Advisory and apply the necessary updates: 

Oracle Critical Patch Update Advisory – October 2024
 Read More

​The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the brothers is facing life in prison for allegedly seeking to kill people with his attacks. 

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit PayPal the following month, followed by Twitter/X (Aug. 2023), and OpenAI (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the FBI and the Department of State.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omed brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the U.S. Department of Justice says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service Telegram, and marketed its DDoS service by several names, including “Skynet,” “InfraShutdown,” and the “Godzilla botnet.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

Amazon was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm CrowdStrike said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the Cedars-Sinai Hospital in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

 

​Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
Equipment: LAquis SCADA
Vulnerability: Cross-site Scripting

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to steal cookies, inject arbitrary code, or perform unauthorized actions.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of LAquis SCADA, an HMI program, are affected:

LAquis SCADA: Version 4.7.1.511

3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions.
CVE-2024-9414 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-9414. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: South America
COMPANY HEADQUARTERS LOCATION: Brazil

3.4 RESEARCHER
Mounir Aarab reported this vulnerability to CISA.
4. MITIGATIONS
LCDS recommends users update to version 4.7.1.611 or newer versions of LAquis SCADA.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

October 17, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME
Equipment: LAquis SCADA
Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to steal cookies, inject arbitrary code, or perform unauthorized actions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of LAquis SCADA, an HMI program, are affected:

LAquis SCADA: Version 4.7.1.511

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

In LAquis SCADA version 4.7.1.511, a cross-site scripting vulnerability could allow an attacker to inject arbitrary code into a web page. This could allow an attacker to steal cookies, redirect users, or perform unauthorized actions.

CVE-2024-9414 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-9414. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: South America
COMPANY HEADQUARTERS LOCATION: Brazil

3.4 RESEARCHER

Mounir Aarab reported this vulnerability to CISA.

4. MITIGATIONS

LCDS recommends users update to version 4.7.1.611 or newer versions of LAquis SCADA.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication
 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Kieback&Peter
Equipment: DDC4000 Series
Vulnerabilities: Path Traversal, Insufficiently Protected Credentials, Use of Weak Credentials

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Kieback&Peter DDC4000 series products are affected:

DDC4002 : Versions 1.12.14 and prior
DDC4100 : Versions 1.7.4 and prior
DDC4200 : Versions 1.12.14 and prior
DDC4200-L : Versions 1.12.14 and prior
DDC4400 : Versions 1.12.14 and prior
DDC4002e : Versions 1.17.6 and prior
DDC4200e : Versions 1.17.6 and prior
DDC4400e : Versions 1.17.6 and prior
DDC4020e : Versions 1.17.6 and prior
DDC4040e : Versions 1.17.6 and prior

3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The affected product is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.
CVE-2024-41717 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-41717. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522
The affected product has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system.
CVE-2024-43812 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-43812. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 USE OF WEAK CREDENTIALS CWE-1391
The affected product uses weak credentials, which may allow an unauthenticated attacker to get full admin rights on the system.
CVE-2024-43698 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-43698. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector, Commercial Facilities Sector, Communications Sector, Financial Services Sector, Food and Agriculture Sector, Government Services and Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector
COUNTRIES/AREAS DEPLOYED: Europe, the Middle East and Asia.
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Raphael Ruf of terreActive AG reported these vulnerabilities to CISA.
4. MITIGATIONS
Kieback&Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are considered End-of-Life (EOL) and are no longer supported. Users operating these controllers should ensure they are operated in a strictly separate OT environment and consider updating to a supported controller.
Kieback&Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.
Kieback&Peter recommends all affected users contact their local Kieback&Peter office to update the firmware of the supported DDC systems to v1.21.0 or later.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

October 17, 2024: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Kieback&Peter
Equipment: DDC4000 Series
Vulnerabilities: Path Traversal, Insufficiently Protected Credentials, Use of Weak Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Kieback&Peter DDC4000 series products are affected:

DDC4002 : Versions 1.12.14 and prior
DDC4100 : Versions 1.7.4 and prior
DDC4200 : Versions 1.12.14 and prior
DDC4200-L : Versions 1.12.14 and prior
DDC4400 : Versions 1.12.14 and prior
DDC4002e : Versions 1.17.6 and prior
DDC4200e : Versions 1.17.6 and prior
DDC4400e : Versions 1.17.6 and prior
DDC4020e : Versions 1.17.6 and prior
DDC4040e : Versions 1.17.6 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The affected product is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.

CVE-2024-41717 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-41717. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

The affected product has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system.

CVE-2024-43812 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43812. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF WEAK CREDENTIALS CWE-1391

The affected product uses weak credentials, which may allow an unauthenticated attacker to get full admin rights on the system.

CVE-2024-43698 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-43698. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector, Commercial Facilities Sector, Communications Sector, Financial Services Sector, Food and Agriculture Sector, Government Services and Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector
COUNTRIES/AREAS DEPLOYED: Europe, the Middle East and Asia.
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Raphael Ruf of terreActive AG reported these vulnerabilities to CISA.

4. MITIGATIONS

Kieback&Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are considered End-of-Life (EOL) and are no longer supported. Users operating these controllers should ensure they are operated in a strictly separate OT environment and consider updating to a supported controller.

Kieback&Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.

Kieback&Peter recommends all affected users contact their local Kieback&Peter office to update the firmware of the supported DDC systems to v1.21.0 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

October 17, 2024: Initial Publication
 Read More