[CVSS 9+] CISA Releases Four Industrial Control Systems Advisories

CISA has released four advisories regarding vulnerabilities in various industrial control systems (ICS) software. Here is a high-level summary of each advisory:

  1. Delta Electronics InfraSuite Device Master: This advisory highlights vulnerabilities in Delta Electronics’ InfraSuite Device Master, which could allow remote code execution and unauthorised access to plaintext credentials. Users are advised to update the software to version 1.0.10 or later.
  2. Franklin Electric Fueling Systems Colibri: The Colibri vulnerability affects all versions of the discontinued FFS Colibri fuel inventory monitoring system. Exploiting this vulnerability could lead to unauthorised access to system files. A firmware update is available to address this issue.
  3. Mitsubishi Electric GX Works2: This advisory highlights vulnerabilities in Mitsubishi Electric’s GX Works2 software, including improper input validation and the potential for denial of service attacks. Users are advised to follow the mitigation recommendations provided by Mitsubishi Electric.
  4. BD FACSChorus: The vulnerabilities in BD FACSChorus could allow unauthorised access to system components, compromising configurations and sensitive information. Physical access is required to exploit these vulnerabilities. Mitigation measures recommended by BD and CISA include implementing physical access controls and following industry-standard network security policies.

Please refer to the information below for more details about each advisory.

Delta Electronics InfraSuite Device Master
Risk Evaluation

Exploiting vulnerabilities in Delta Electronics’ InfraSuite Device Master (Versions 1.0.7 and prior) poses a significant risk. Rated with a CVSS score of 9.8, they could allow attackers to remotely execute arbitrary code and access plaintext credentials.

Affected Products

  • InfraSuite Device Master: Versions 1.0.7 and prior

Vulnerability Overview

Path Traversal CWE-35: The vulnerability identified as CVE-2023-46690 enables attackers to write to any file, potentially resulting in remote code execution. It has a CVSS score of 8.8.

Deserialisation of Untrusted Data CWE-502: The vulnerability identified as CVE-2023-47207 permits unauthenticated execution with local administrator privileges. It has a CVSS score of 9.8.

Exposed Dangerous Method or Function CWE-749: The vulnerability identified as CVE-2023-39226 enables unauthenticated code execution via a single UDP packet. It has a CVSS score of 9.8.

Path Traversal CWE-35: The vulnerability identified as CVE-2023-47279 allows an unauthenticated attacker to disclose user information, obtain plaintext credentials, or perform NTLM relaying. It has a CVSS score of 7.5.

Mitigations

Delta Electronics recommends updating the InfraSuite Device Master software to v1.0.10 or later.

Additional CISA advice:

  • Minimise network exposure: Ensure control system devices are not accessible from the internet.
  • Firewall protection: Locate control system networks behind firewalls, isolating them from business networks.
  • Secure remote access: When required, use Virtual Private Networks (VPNs), keeping them updated.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Franklin Electric Fueling Systems Colibri
Risk Evaluation

Exploiting the Colibri vulnerability poses a moderate risk with a CVSS score of 6.5. Attackers can exploit it remotely with low complexity, and public exploits are available.

Affected Products

The vulnerability impacts all versions of the discontinued FFS Colibri, a fuel inventory monitoring system by Franklin Electric Fueling Systems.

Vulnerability Overview

Path Traversal CWE-35: The vulnerability identified as CVE-2023-5885 allows remote access to system files, compromising user login credentials. It has a CVSS score of 6.5.

Mitigations

Franklin Electric Fueling Systems addressed the issue with a firmware update for Colibri, available here.

CISA recommends:

  • Minimizing network exposure for control system devices.
  • Locating control system networks behind firewalls.
  • Using secure remote access methods like virtual private networks (VPNs).
  • Exercising principles of least privilege.

Mitsubishi Electric GX Works2
Risk Evaluation

Exploiting this locally exploitable vulnerability in Mitsubishi Electric’s GX Works2 poses a low risk with a CVSS score of 2.5.

Affected Products

  • GX Works2: all versions

Vulnerability Overview

Improper Input Validation CWE-20: The vulnerability identified as CVE-2023-5274 could let an attacker cause a DoS condition by sending crafted packets; the attack is limited to the same personal computer. It has a CVSS score of 2.5.

Improper Input Validation CWE-20: The vulnerability identified as CVE-2023-5275 has a similar DoS risk, requiring crafted packets from the same personal computer. It has a CVSS score of 2.5.

Mitigations

Mitsubishi Electric recommends the following:

  • Install antivirus software on the personal computer.
  • Use the personal computer within the LAN, blocking remote login from untrusted networks.
  • When connecting to the Internet, use a firewall, VPN, etc., to prevent unauthorized access.
  • Avoid opening untrusted files or clicking untrusted links.

Please refer to the Mitsubishi security advisory for detailed information.

No known public exploitation targeting these vulnerabilities has been reported to CISA. These vulnerabilities are not exploitable remotely and have a high attack complexity.

BD FACSChorus
Risk Evaluation

Exploiting these vulnerabilities could allow an attacker with physical access to modify configurations, access sensitive information, or compromise system components.

Affected Products

Affected BD Products:

  • BD FACSChorus (HP Z2 G9 workstation, shipped with FACSDiscover S8 Cell Sorter): v5.0 and v5.1
  • BD FACSChorus (HP Z2 G5 workstation, shipped with FACSMelody Cell Sorter): v3.0 and v3.1

Vulnerability Overview

Missing Protection Mechanism for Alternate Hardware Interface CWE-1299: The vulnerability identified as CVE-2023-29060 has a CVSS score of 5.4. Workstation USB ports lack restrictions, allowing a threat actor with physical access to gain system information.

Missing Authentication for Critical Function CWE-306: The vulnerability identified as CVE-2023-29061 has a CVSS score of 5.2. The lack of a BIOS password enables unauthorised access to BIOS configuration and boot order.

Improper Authentication CWE-287: The vulnerability identified as CVE-2023-29062 has a CVSS score of 3.8. Hashed user credentials are transmitted without proper validation and are susceptible to brute force attacks.

Missing Protection Mechanism for Alternate Hardware Interface CWE-1299: The vulnerability identified as CVE-2023-29063 has a CVSS score of 2.4. Lack of protection in PCIe slots allows threat actors to capture sensitive information during startup.

Use of Hard-Coded Credentials CWE-798: The vulnerability identified as CVE-2023-29064 poses a risk to administrative accounts since the software contains plaintext hardcoded secrets. It has a CVSS score of 4.1.

Insecure Inherited Permissions CWE-277: The vulnerability identified as CVE-2023-29065 leads to direct access to the software database with the privileges of the logged-in user, posing a threat to data integrity. Its CVSS score is 4.1.

Incorrect Privilege Assignment CWE-266: The vulnerability identified as CVE-2023-29066 leads to improper data access privilege assignment for OS user accounts. Its CVSS score is 3.2.

Mitigations

BD recommends:

  • Ensure physical access controls, restricting access to authorized users.
  • Follow industry-standard network security policies if connected to the local network.
  • Strictly control administrative access following local IT security policy.

Please refer to the BD Security Bulletin for detailed information.

CISA advises:

  • Minimise network exposure, ensuring devices are not accessible from the internet.
  • Isolate control system networks and remote devices behind firewalls.
  • Use secure remote access methods like Virtual Private Networks (VPNs).

No known public exploitation targeting these vulnerabilities has been reported.

Closing Comments

Organisations that use affected industrial control systems should study the advisories and apply the suggested security measures. We recommend that organisations prioritise mitigations using a risk-based approach.
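
One way to turn the risk-based approach recommended above into a worklist, as an added example that is not part of the original article: it matches a constructed asset inventory against the affected versions, CVSS scores and exploitation notes summarised on this page. The host names, the Colibri and GX Works2 version strings and the two score adjustments are assumptions.

```python
def parse_version(text):
    """'v1.0.7' -> (1, 0, 7) so versions compare numerically."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))

# From this page: affected versions, highest CVSS, remote reachability, public exploits.
ADVISORIES = {
    "InfraSuite Device Master": {
        "affected": lambda v: parse_version(v) <= (1, 0, 7),
        "max_cvss": 9.8, "remote": True, "public_exploit": False,
        "action": "update to v1.0.10 or later"},
    "FFS Colibri": {
        "affected": lambda v: True,  # all versions
        "max_cvss": 6.5, "remote": True, "public_exploit": True,
        "action": "apply the vendor firmware update"},
    "GX Works2": {
        "affected": lambda v: True,  # all versions
        "max_cvss": 2.5, "remote": False, "public_exploit": False,
        "action": "apply Mitsubishi Electric's mitigations"},
    "BD FACSChorus": {
        "affected": lambda v: parse_version(v) in {(5, 0), (5, 1), (3, 0), (3, 1)},
        "max_cvss": 5.4, "remote": False, "public_exploit": False,
        "action": "enforce physical and administrative access controls"},
}

def prioritise(inventory):
    """Return (score, asset, action) for affected assets, highest priority first."""
    worklist = []
    for name, product, version, exposed in inventory:
        adv = ADVISORIES.get(product)
        if adv is None or not adv["affected"](version):
            continue  # unknown product or a version the page does not list as affected
        score = adv["max_cvss"]
        score += 1.5 if adv["public_exploit"] else 0.0  # assumed weight
        score += 1.0 if adv["remote"] and exposed else 0.0  # assumed weight
        worklist.append((round(min(score, 10.0), 1), name, adv["action"]))
    return sorted(worklist, key=lambda row: (-row[0], row[1]))

# Constructed inventory: (asset, product, version, internet_exposed); all hypothetical.
SAMPLE_INVENTORY = [
    ("dc-monitor-01", "InfraSuite Device Master", "1.0.6", False),
    ("dc-monitor-02", "InfraSuite Device Master", "1.0.10", False),
    ("fuel-site-07", "FFS Colibri", "2.1", True),
    ("eng-pc-03", "GX Works2", "1.6", False),
    ("lab-sorter-01", "BD FACSChorus", "v5.1", False),
]

if __name__ == "__main__":
    for score, name, action in prioritise(SAMPLE_INVENTORY):
        print(f"{score:>4}  {name:<14} {action}")
```

The already-updated InfraSuite host drops out of the list, and the internet-exposed Colibri unit with public exploits moves well above its base CVSS score.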

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.