Executive Summary
On November 2, 2023, CISA released several advisories addressing vulnerabilities in various industrial control systems (ICS) software. The advisories provide important information about security issues, vulnerabilities, and exploits in these systems. The vulnerabilities range from remote code execution to improper privilege management and path traversal.
The affected products include Weintek EasyBuilder Pro, Schneider Electric SpaceLogic C-Bus Toolkit, Mitsubishi Electric MELSEC Series, Red Lion Crimson, and Franklin Fueling System TS-550. Exploiting these vulnerabilities could result in remote control of a victim’s computer, system tampering, denial-of-service attacks, and unauthorized access to devices.
To mitigate these risks, it is strongly recommended that organisations carefully review the advisory provided by CISA and the advisory from the relevant vendors, and follow the recommended mitigations.
A brief summary of each CISA advisory for Industrial Control Systems follows, with references to the CISA and vendor advisories.
CISA Advisory: Weintek EasyBuilder Pro
CISA has issued an advisory regarding a vulnerability in Weintek EasyBuilder Pro that could result in remote control of a victim’s computer as a privileged user.
CVSS Score: 9.8
Affected Products: Weintek EasyBuilder Pro
Mitigations: Users must update to the latest version immediately to mitigate the risk.
CISA recommends implementing defensive measures such as minimising network exposure and utilising secure remote access methods to prevent exploitation. It is crucial to follow the provided mitigation guidance for this vulnerability.
For more detailed information about the vulnerability and mitigation steps, please refer to the CISA advisory.
CISA Advisory: Schneider Electric SpaceLogic C-Bus Toolkit
This advisory addresses vulnerabilities in Schneider Electric SpaceLogic C-Bus Toolkit, including improper privilege management and path traversal. Successful exploitation could result in remote code execution and tampering with the system.
CVE ID: CVE-2023-5777 (This vulnerability has not been added to NIST NVD at the time of writing this article.)
CVSS Score: 9.8
Affected Products: Schneider Electric SpaceLogic C-Bus Toolkit
Mitigations: Users must update to version 1.16.4 and follow the recommended mitigations provided by Schneider Electric.
No known public exploitation targeting this vulnerability has been reported to CISA at this time.
For more detailed information, please refer to the CISA Advisory and the Schneider Electric advisory.
CISA Advisory: Mitsubishi Electric MELSEC Series
The vulnerability, identified as CWE-345 – Insufficient Verification of Data Authenticity, allows a remote attacker to reset the memory of the affected products to the factory default state, resulting in a denial-of-service condition.
CVE ID: CVE-2023-4699
CVSS Score: 9.1
Affected Products
- Mitsubishi Electric MELSEC-F series programmable controllers, including FX3U, FX3UC, FX3G, FX3GC, FX3GE, FX3GA, FX3S, and FX3SA models.
- Mitsubishi Electric MELSEC iQ-F series CPU modules, including FX5U, FX5UC, FX5UJ, and FX5S models.
Mitigations
Mitsubishi Electric recommends the following mitigation measures:
- Implement firewalls or virtual private networks (VPNs) to prevent unauthorised access when Internet access is required.
- Use the affected products within a LAN and block access from untrusted networks and hosts through firewalls.
- For MELSEC iQ-F Series, utilise the IP filter function to block access from untrusted hosts.
- Restrict physical access to the affected products and the connected LAN.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
For more information, please refer to the CISA advisory and the Mitsubishi Electric advisory.
Red Lion Crimson Vulnerability
The Red Lion Crimson vulnerability allows an attacker to truncate passwords configured by the Crimson configuration tool, resulting in weaker credentials than intended.
CVE ID: CVE-2023-5719 (This vulnerability has not been added to NIST NVD at the time of writing this article.)
CVSS Score: 8.8
Affected Products: The affected products include FlexEdge Gateway, DA50A, and DA70A running Crimson version 3.2.0053.18 or earlier.
Mitigations: Red Lion recommends updating the Crimson configuration tool to version 3.2.0063 or later to mitigate this vulnerability. Users should not use the percent (%) character in passwords in versions 3.2.0053.18 or below.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
For more information, please refer to the CISA advisory and the vendor’s advisory.
CISA Advisory: Franklin Fueling System
This advisory describes a vulnerability in Franklin Fueling System TS-550, which could allow attackers to gain unauthenticated access to the device.
CVE ID: CVE-2023-5846
CVSS Score: 8.3
Affected Products: Franklin Fueling System TS-550
Mitigations: Users should update to version 1.9.23.8960 and follow the provided mitigation guidance.
For more information, please refer to the CISA advisory.
Mitsubishi Electric MELSEC iQ-F Series CPU Module
This advisory highlights an Improper Restriction of Excessive Authentication Attempts vulnerability.
CVE ID: CVE-2023-4625
CVSS Score: 5.3
Affected Products: MELSEC iQ-F Series
Mitigations: Mitsubishi Electric recommends using a firewall or virtual private network (VPN) to prevent unauthorised access when Internet access is required, using the IP filter function to block access from untrusted hosts, and restricting physical access to the affected products and the connected LAN.
CISA has not received any reports of known public exploitations targeting this vulnerability.
Additionally, please refer to the CISA advisory and Mitsubishi Electric’s security bulletin for more information about this vulnerability.