CISA has released four advisories regarding vulnerabilities in various industrial control systems (ICS) software. Here is a high-level summary of each advisory:
- Delta Electronics InfraSuite Device Master: This advisory highlights vulnerabilities in Delta Electronics’ InfraSuite Device Master, which could allow remote code execution and unauthorised access to plaintext credentials. Users are advised to update the software to version 1.0.10 or later.
- Franklin Electric Fueling Systems Colibri: The Colibri vulnerability affects all versions of the discontinued FFS Colibri fuel inventory monitoring system. Exploiting this vulnerability could lead to unauthorised access to system files. A firmware update is available to address this issue.
- Mitsubishi Electric GX Works2: This advisory highlights vulnerabilities in Mitsubishi Electric’s GX Works2 software, including improper input validation and the potential for denial of service attacks. Users are advised to follow the mitigation recommendations provided by Mitsubishi Electric.
- BD FACSChorus: The vulnerabilities in BD FACSChorus could allow unauthorised access to system components, compromising configurations and sensitive information. Physical access is required to exploit these vulnerabilities. Mitigation measures recommended by BD and CISA include implementing physical access controls and following industry-standard network security policies.
Please refer to the information below for more details about each advisory.
Delta Electronics InfraSuite Device Master
Risk Evaluation
Exploiting vulnerabilities in Delta Electronics’ InfraSuite Device Master (Versions 1.0.7 and prior) poses a significant risk. The vulnerabilities carry CVSS scores of up to 9.8, and attackers could remotely execute arbitrary code and access plaintext credentials.
Affected Products
- InfraSuite Device Master: Versions 1.0.7 and prior
Vulnerability Overview
Path Traversal CWE-35: The vulnerability identified as CVE-2023-46690 enables attackers to write to any file, potentially resulting in remote code execution. It has a CVSS score of 8.8.
Deserialisation of Untrusted Data CWE-502: The vulnerability identified as CVE-2023-47207 permits unauthenticated execution with local administrator privileges. It has a CVSS score of 9.8.
Exposed Dangerous Method or Function CWE-749: The vulnerability identified as CVE-2023-39226 enables unauthenticated code execution via a single UDP packet. It has a CVSS score of 9.8.
Path Traversal CWE-35: The vulnerability identified as CVE-2023-47279 allows an unauthenticated attacker to disclose user information, obtain plaintext credentials, or perform NTLM relaying. It has a CVSS score of 7.5.
Mitigations
Delta Electronics recommends updating the InfraSuite Device Master software to v1.0.10 or later.
Additional CISA advice:
- Minimise network exposure: Ensure control system devices are not accessible from the internet.
- Firewall protection: Locate control system networks behind firewalls, isolating them from business networks.
- Secure remote access: When required, use Virtual Private Networks (VPNs), keeping them updated.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Franklin Electric Fueling Systems Colibri
Risk Evaluation
Exploiting the Colibri vulnerability poses a moderate risk with a CVSS score of 6.5. Attackers can exploit it remotely with low complexity, and public exploits are available.
Affected Products
The vulnerability impacts all versions of the discontinued FFS Colibri, a fuel inventory monitoring system by Franklin Electric Fueling Systems.
Vulnerability Overview
Path Traversal CWE-35: The vulnerability identified as CVE-2023-5885 allows remote access to system files, compromising user login credentials. It has a CVSS score of 6.5.
Mitigations
Franklin Electric Fueling Systems addressed the issue with a firmware update for Colibri.
CISA recommends:
- Minimising network exposure for control system devices.
- Locating control system networks behind firewalls.
- Using secure remote access methods like virtual private networks (VPNs).
- Exercising principles of least privilege.
Mitsubishi Electric GX Works2
Risk Evaluation
Exploiting this locally exploitable vulnerability in Mitsubishi Electric’s GX Works2 poses a low risk with a CVSS score of 2.5.
Affected Products
- GX Works2: all versions
Vulnerability Overview
Improper Input Validation CWE-20: The vulnerability identified as CVE-2023-5274 could allow an attacker to cause a DoS condition by sending crafted packets. The packets must be sent from the same personal computer. It has a CVSS score of 2.5.
Improper Input Validation CWE-20: The vulnerability identified as CVE-2023-5275 has a similar DoS risk, requiring crafted packets from the same personal computer. It has a CVSS score of 2.5.
Mitigations
Mitsubishi Electric recommends the following:
- Install antivirus software on the personal computer.
- Use the personal computer within the LAN, blocking remote login from untrusted networks.
- When connecting to the Internet, use a firewall, VPN, etc., to prevent unauthorised access.
- Avoid opening untrusted files or clicking untrusted links.
Please refer to the Mitsubishi security advisory for detailed information.
No known public exploitation targeting these vulnerabilities has been reported to CISA. These vulnerabilities are not exploitable remotely and have a high attack complexity.
BD FACSChorus
Risk Evaluation
Exploiting these vulnerabilities could allow an attacker with physical access to modify configurations, access sensitive information, or compromise system components.
Affected Products
Affected BD Products:
- BD FACSChorus (HP Z2 G9 workstation, shipped with FACSDiscover S8 Cell Sorter): v5.0 and v5.1
- BD FACSChorus (HP Z2 G5 workstation, shipped with FACSMelody Cell Sorter): v3.0 and v3.1
Vulnerability Overview
Missing Protection Mechanism for Alternate Hardware Interface CWE-1299: The vulnerability identified as CVE-2023-29060 has a CVSS score of 5.4. Workstation USB ports lack restrictions, allowing a threat actor with physical access to gain system information.
Missing Authentication for Critical Function CWE-306: The vulnerability identified as CVE-2023-29061 has a CVSS score of 5.2. The lack of a BIOS password enables unauthorised access to BIOS configuration and boot order.
Improper Authentication CWE-287: The vulnerability identified as CVE-2023-29062 has a CVSS score of 3.8. Hashed user credentials are transmitted without proper validation and are susceptible to brute force attacks.
Missing Protection Mechanism for Alternate Hardware Interface CWE-1299: The vulnerability identified as CVE-2023-29063 has a CVSS score of 2.4. Lack of protection in PCIe slots allows threat actors to capture sensitive information during startup.
Use of Hard-Coded Credentials CWE-798: The vulnerability identified as CVE-2023-29064 poses a risk to administrative accounts since the software contains plaintext hardcoded secrets. It has a CVSS score of 4.1.
Insecure Inherited Permissions CWE-277: The vulnerability identified as CVE-2023-29065 leads to direct access to the software database with the privileges of the logged-in user, posing a threat to data integrity. Its CVSS score is 4.1.
Incorrect Privilege Assignment CWE-266: The vulnerability identified as CVE-2023-29066 leads to improper data access privilege assignment for OS user accounts. Its CVSS score is 3.2.
Mitigations
BD recommends:
- Ensure physical access controls, restricting access to authorised users.
- Follow industry-standard network security policies if connected to the local network.
- Strictly control administrative access following local IT security policy.
Please refer to the BD Security Bulletin for detailed information.
CISA advises:
- Minimise network exposure, ensuring devices are not accessible from the internet.
- Isolate control system networks and remote devices behind firewalls.
- Use secure remote access methods like Virtual Private Networks (VPNs).
No known public exploitation targeting these vulnerabilities has been reported.
Closing Comments
Organisations that use affected industrial control systems should study the advisories and apply the suggested security measures. We recommend that organisations prioritise mitigations using a risk-based approach.