CISA Urges Administrators To Review Released Six ICS Advisories


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a call to action for administrators and security professionals to review six newly released Industrial Control Systems (ICS) advisories.

These advisories, released on June 11, 2024, provide critical information on current security issues, vulnerabilities, and exploits affecting ICS.

CISA advisories cover a range of products from major vendors, highlighting the importance of timely updates and vigilance in cybersecurity practices.

Below are the six newly released Industrial Control Systems (ICS) advisories:

1. Rockwell Automation ControlLogix, GuardLogix, and CompactLogix

Rockwell Automation’s ControlLogix, GuardLogix, and CompactLogix controllers have been identified as having a critical vulnerability (CVSS v4 score: 8.3).

The vulnerability, characterized by an always-incorrect control flow implementation, has a low attack complexity and could compromise the availability of the affected devices.

Affected Products

Rockwell Automation reports the following controllers are affected:

  • ControlLogix 5580: V34.011
  • GuardLogix 5580: V34.011
  • 1756-EN4: V4.001
  • CompactLogix 5380: V34.011
  • Compact GuardLogix 5380: V34.011
  • CompactLogix 5480: V34.011

Always-Incorrect Control Flow Implementation (CWE-670) – This vulnerability, CVE-2024-5659, can be exploited by sending abnormal packets to the mDNS port, leading to a major nonrecoverable fault in all affected controllers on the same network.

The CVSS v3.1 base score is 7.4, and the CVSS v4 base score is 8.3.

2. AVEVA PI Web API

AVEVA’s PI Web API has been identified as having a critical vulnerability (CVSS v4 score: 8.4).

This vulnerability, which is exploitable remotely with low attack complexity, involves the deserialization of untrusted data and could allow an attacker to execute code remotely.


Affected Products

The following versions of AVEVA PI Web API, a RESTful interface to the PI system, are affected:

  • AVEVA PI Web API: Versions 2023 and prior

Deserialization of Untrusted Data (CWE-502) – This vulnerability, identified as CVE-2024-3468, allows malicious code execution on the PI Web API environment under the privileges of an interactive user who has been socially engineered to use the API XML import functionality with attacker-supplied content.

The CVSS v3.1 base score is 7.6, and the CVSS v4 base score is 8.4.

3. AVEVA PI Asset Framework Client

A critical vulnerability (CVSS v4 score: 7.0) has been identified in AVEVA’s PI Asset Framework Client.

This vulnerability, which has a low attack complexity, involves the deserialization of untrusted data and could allow malicious code execution.

Affected Products

The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected:

  • PI Asset Framework Client: 2023
  • PI Asset Framework Client: 2018 SP3 P04 and prior

Deserialization of Untrusted Data (CWE-502) – This vulnerability, identified as CVE-2024-3467, allows malicious code execution on the PI System Explorer environment under the privileges of an interactive user who has been socially engineered to import attacker-supplied XML.

The CVSS v3.1 base score is 7.3, and the CVSS v4 base score is 7.0.

4. Intrado 911 Emergency Gateway

A critical vulnerability (CVSS v4 score: 10.0) has been identified in Intrado’s 911 Emergency Gateway (EGW).

This vulnerability, exploitable remotely with low attack complexity, involves SQL injection and could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.

Affected Products

The following versions of Intrado’s 911 Emergency Gateway are affected:

  • 911 Emergency Gateway (EGW): All versions

Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) (CWE-89) – This vulnerability, identified as CVE-2024-1839, affects the login form of Intrado’s 911 Emergency Gateway.

It is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.

The CVSS v3.1 and v4 base scores are both 10.0.

5. Schneider Electric APC Easy UPS Online Monitoring Software (Update A)

A critical vulnerability (CVSS v3 score: 9.8) has been identified in Schneider Electric’s APC Easy UPS Online Monitoring Software.

This vulnerability, exploitable remotely with low attack complexity, involves OS command injection and missing authentication for critical functions. Public exploits are available.

Affected Products

The following versions of Easy UPS Online Monitoring Software for Windows 10, 11, Windows Server 2016, 2019, 2022 are affected:

  • APC Easy UPS Online Monitoring Software: v2.5-GA-01-22261 and prior
  • Schneider Electric Easy UPS Online Monitoring Software: Version V2.5-GA-01-22320 and prior

Vulnerability Overview

Missing Authentication for Critical Function (CWE-306)

A vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface.

  • CVE-2023-29411: CVSS v3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78)

Prior versions of Schneider Electric APC Easy UPS Online contain an OS Command Injection vulnerability that could cause remote code execution when manipulating internal methods through the Java RMI interface.

  • CVE-2023-29412: CVSS v3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Missing Authentication for Critical Function (CWE-306)

A vulnerability exists that could cause a denial-of-service condition when accessed by an unauthenticated user on the Schneider UPS Monitor service.

  • CVE-2023-29413: CVSS v3 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

6. MicroDicom DICOM Viewer

A critical vulnerability (CVSS v4 score: 8.7) has been identified in MicroDicom’s DICOM Viewer.

This vulnerability, exploitable remotely with low attack complexity, involves improper authorization in the handler for a custom URL scheme and a stack-based buffer overflow.

Affected Products

The following versions of MicroDicom DICOM Viewer, a medical image viewer, are affected:

  • DICOM Viewer: Versions before 2024.2

Vulnerability Overview

Improper Authorization in Handler for Custom URL Scheme (CWE-939) – An attacker could retrieve sensitive files (medical images), plant new medical images, or overwrite existing medical images on a victim’s system.

User interaction is required to exploit this vulnerability.

  • CVE-2024-33606: CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVSS v4 score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Stack-Based Buffer Overflow (CWE-121) – The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code on affected DICOM Viewer installations. User interaction is required to exploit this vulnerability.

  • CVE-2024-28877: CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CISA’s Call to Action

CISA urges all administrators and security professionals to review these advisories and take appropriate actions to mitigate the identified risks.

This includes applying patches, updating software, and implementing recommended security measures.

The agency emphasizes staying informed about the latest security threats and maintaining robust cybersecurity practices to protect critical infrastructure.



