[CVSS 9+] CISA Releases Six Advisories for Industrial Control Systems

Executive Summary

On November 2, 2023, CISA released several advisories addressing vulnerabilities in various industrial control systems (ICS) software. The advisories provide important information about security issues, vulnerabilities, and exploits in these systems. The vulnerabilities range from remote code execution to improper privilege management and path traversal.

The affected products include Weintek EasyBuilder Pro, Schneider Electric SpaceLogic C-Bus Toolkit, Mitsubishi Electric MELSEC Series, Red Lion Crimson, and Franklin Fueling System TS-550. Exploiting these vulnerabilities could result in remote control of a victim’s computer, system tampering, denial-of-service attacks, and unauthorized access to devices.

To mitigate these risks, it is strongly recommended that organisations carefully review the advisory provided by CISA and the advisory from the relevant vendors, and follow the recommended mitigations.

A brief summary of each CISA advisory for Industrial Control Systems follows, with references to the CISA and vendor advisories.

CISA Advisory: Weintek EasyBuilder Pro

CISA has issued an advisory regarding a vulnerability in Weintek EasyBuilder Pro that could result in remote control of a victim’s computer as a privileged user.

CVSS Score: 9.8

Affected Products: Weintek EasyBuilder Pro

Mitigations: Users must update to the latest version to mitigate the risk immediately.

CISA also recommends implementing defensive measures such as minimising network exposure and utilising secure remote access methods to prevent exploitation. It is crucial to follow the provided mitigation guidance for this vulnerability.

For more detailed information about the vulnerability and mitigation steps, please refer to the CISA advisory.

CISA Advisory: Schneider Electric SpaceLogic C-Bus Toolkit

This advisory addresses vulnerabilities in Schneider Electric SpaceLogic C-Bus Toolkit, including improper privilege management and path traversal. Successful exploitation could result in remote code execution and tampering of the system.

CVE ID: CVE-2023-5777 (This vulnerability has not been added to NIST NVD at the time of writing this article.)

CVSS Score: 9.8

Affected Products: Schneider Electric SpaceLogic C-Bus Toolkit

Mitigations: Users must update to version 1.16.4 and follow the recommended mitigations provided by Schneider Electric.

CISA has not received any reports of known public exploitation targeting this vulnerability at this time.

For more detailed information, please refer to the CISA Advisory and the Schneider Electric advisory.

CISA Advisory: Mitsubishi Electric MELSEC Series

The vulnerability, identified as CWE-345 – Insufficient Verification of Data Authenticity, allows a remote attacker to reset the memory of the affected products to the factory default state, resulting in a denial-of-service condition.

CVE ID: CVE-2023-4699

CVSS Score: 9.1

Affected Products

  • Mitsubishi Electric MELSEC-F series programmable controllers, including FX3U, FX3UC, FX3G, FX3GC, FX3GE, FX3GA, FX3S, and FX3SA models.
  • Mitsubishi Electric MELSEC iQ-F series CPU modules, including FX5U, FX5UC, FX5UJ, and FX5S models.

Mitigations

Mitsubishi Electric recommends the following mitigation measures:

  • Implement firewalls or virtual private networks (VPNs) to prevent unauthorised access when Internet access is required.
  • Use the affected products within a LAN and block access from untrusted networks and hosts through firewalls.
  • For MELSEC iQ-F Series, utilise the IP filter function to block access from untrusted hosts.
  • Restrict physical access to the affected products and the connected LAN.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

For more information, please refer to the CISA advisory and the Mitsubishi Electric advisory.

Red Lion Crimson Vulnerability

The Red Lion Crimson vulnerability allows an attacker to truncate passwords configured by the Crimson configuration tool, resulting in weaker credentials than intended.

CVE ID: CVE-2023-5719 (This vulnerability has not been added to NIST NVD at the time of writing this article.)

CVSS Score: 8.8

Affected Products: The affected products include FlexEdge Gateway, DA50A, and DA70A running Crimson version 3.2.0053.18 or earlier.

Mitigations: Red Lion recommends updating the Crimson configuration tool to version 3.2.0063 or later to mitigate this vulnerability. Users should not use the percent (%) character in passwords in versions 3.2.0053.18 or below.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

For more information, please refer to the CISA advisory and the vendor’s advisory.

CISA Advisory: Franklin Fueling System

This advisory describes a vulnerability in Franklin Fueling System TS-550, which could allow attackers to gain unauthenticated access to the device.

CVE ID: CVE-2023-5846

CVSS Score: 8.3

Affected Products: Franklin Fueling System TS-550

Mitigations: Users should update to version 1.9.23.8960 and follow the provided mitigation guidance.

For more information, please refer to the CISA advisory.

Mitsubishi Electric MELSEC iQ-F Series CPU Module

This advisory highlights an Improper Restriction of Excessive Authentication Attempts vulnerability.

CVE ID: CVE-2023-4625

CVSS Score: 5.3

Affected Products: MELSEC iQ-F Series

Mitigations: Mitsubishi Electric recommends using a firewall or virtual private network (VPN) to prevent unauthorised access when Internet access is required, using the IP filter function to block access from untrusted hosts, and restricting physical access to the affected products and the connected LAN.

CISA has not received any reports of known public exploitations targeting this vulnerability.

Additionally, please refer to the CISA advisory and Mitsubishi Electric’s security bulletin for more information about this vulnerability.


Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.