The Cybersecurity and Infrastructure Security Agency (CISA) has published three advisories addressing security issues, vulnerabilities, and potential exploits in Industrial Control Systems (ICS). These advisories offer timely information to enhance awareness and preparedness in the ICS domain.
CISA has recommended users and administrators to thoroughly examine the recently issued CISA ICS advisory to gain insight into technical details and effective mitigation strategies.
ICSA-24-004-01 Rockwell Automation FactoryTalk Activation
CISA ICS advisory regarding critical vulnerabilities in Rockwell Automation’s FactoryTalk Activation Manager has a CVSS v3 score of 9.8, are remotely exploitable with low attack complexity. These stem from out-of-bounds write issues, posing a significant threat to the affected systems.
Successful exploitation of these vulnerabilities could lead to a buffer overflow, granting unauthorized access to the entire system. The severity of these risks underscores the importance of prompt mitigation efforts.
Vulnerability Overview
- The affected Wibu-Systems’ products, utilized by Rockwell Automation, are vulnerable to a buffer overflow attack through a SOCKS5 proxy configuration. This could be exploited by a malicious proxy, resulting in a CVSS v3.1 base score of 9.8.
- The Wibu CodeMeter Runtime network service in the same products contains a heap buffer overflow vulnerability, allowing a remote attacker to achieve Remote Code Execution (RCE) and gain full access. This vulnerability has a CVSS v3.1 base score of 7.5.
Mitigations According to CISA ICS Advisory
Users are urged to implement the following mitigations:
- Upgrade to FactoryTalk Activation Manager 5.01, which includes patches.
- Follow Rockwell Automation’s suggested security best practices.
CISA recommends defensive measures such as minimizing network exposure, isolating control system networks, and using secure remote access methods like Virtual Private Networks (VPNs).
In conclusion, organizations are strongly advised to prioritize the implementation of recommended cybersecurity strategies to proactively defend Industrial Control Systems (ICS) assets against potential exploits.
CISA ICS Advisory emphasizes the importance of vigilance against social engineering attacks and encourages reporting any suspicious activity for further analysis and correlation. As of the initial publication, no public exploits targeting these vulnerabilities have been reported.
ICSA-24-004-02 Mitsubishi Electric Factory Automation Products
Mitsubishi Electric has identified critical vulnerabilities in multiple Factory Automation Products, prompting the release of advisories by CISA. With a CVSS v3 score of 7.5, these vulnerabilities are remotely exploitable with low attack complexity.
The affected products, including GT SoftGOT2000, OPC UA Data Collector, MX OPC Server UA, and FX5-OPC, exhibit Observable Timing Discrepancy, Double Free, and Access of Resource Using Incompatible Type (‘Type Confusion’) vulnerabilities.
The successful exploitation of these vulnerabilities could lead to the disclosure of sensitive information within the product or result in a denial-of-service (DoS) condition.
Vulnerability Overview
- Observable Timing Discrepancy CWE-208: An observable timing discrepancy vulnerability in RSA decryption allows attackers to decrypt ciphertext by exploiting a Bleichenbacher style attack. CVE-2022-4304 has been assigned with a CVSS v3.1 base score of 5.9.
- Double Free CWE-415: The products contain a double-free vulnerability when reading a PEM file, potentially leading to a DoS condition. CVE-2022-4450 has been assigned with a CVSS v3.1 base score of 7.5.
- Access of Resource Using Incompatible Type (‘Type Confusion’) CWE-843: A type confusion vulnerability in X.400 address processing allows an attacker to disclose sensitive information or cause DoS by loading a specially crafted certificate revocation list (CRL). CVE-2023-0286 has been assigned with a CVSS v3.1 base score of 7.4.
Mitigation According to CISA ICS Advisory
Mitsubishi Electric recommends users update their products to specified versions and provides detailed mitigation measures for each affected product. Mitigations include applying recommended updates, avoiding loading untrusted certificate revocation lists, and implementing network security measures.
In conclusion, organizations are urged to follow recommended cybersecurity strategies and implement mitigations to safeguard their Industrial Control Systems (ICS) assets against potential exploits.
The CISA ICS Advisory emphasizes the importance of proactive defense, proper impact analysis, and risk assessment. As of the initial publication, no known public exploitation specifically targeting these vulnerabilities has been reported to CISA.
ICSA-23-348-15 Unitronics Vision and Samba Series (Update A)
Unitronics faces a critical security challenge with a CVSS v3 score of 9.8, as described by the CISA ICS Advisory. This vulnerability, categorized as the Initialization of a Resource with an Insecure Default, is characterized by its remote exploitability, low attack complexity, and the existence of known public exploits.
The impacted equipment includes Unitronics’ Vision Series and Samba Series, posing a potential threat to administrative control due to the use of default administrative passwords.
The exploitation of this vulnerability could empower an unauthenticated attacker to seize administrative control over Unitronics Vision and Samba series systems, utilizing default administrative passwords.
Vulnerability Overview
Initialization of a Resource with an Insecure Default CWE-1188: The Vision Series PLCs and HMIs from Unitronics employ default administrative passwords, enabling unauthorized individuals with network access to gain administrative control. CVE-2023-6448 has been assigned to this vulnerability, with a CVSS v3.1 base score of 9.8.
Mitigations According to CISA ICS Advisory
- Unitronics has addressed this vulnerability in VisiLogic version 9.9.00, urging users to promptly update to the latest version. For those unable to do so, organizations are advised to change all default passwords, set passwords on PCOM-enabled sockets, control remote-enabled PCOM operations using SDW10 roles, and disconnect the PLC from the open internet. Implementing firewalls, VPNs, and utilizing secure cellular-based longhaul transport devices are recommended.
- CISA ICS Advisory emphasizes the importance of using an allowlist of IPs for access, backing up logic and configurations for quick recovery, considering alternate TCP ports, and ensuring devices are updated with the latest versions. Collaboration with third-party vendors and the adoption of recommended countermeasures are also encouraged.
In response to this critical vulnerability, water utilities are directed to CISA’s tools and resources for enhanced cybersecurity, with specific guidance available from EPA, WaterISAC, and the American Water Works Association.
Known public exploitations targeting this vulnerability have been reported to CISA, warranting heightened vigilance and the prompt implementation of defensive measures.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.