CISA Releases Six Industrial Control Systems Advisories
How are Vulnerabilities Rated?
This week’s CISA advisories report focuses on Six Industrial Control Systems that affect critical infrastructure, including 911 Emergency Call Centers, Healthcare, and Manufacturing.
These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
This week’s CISA advisories report focuses on Six Industrial Control Systems that affect critical infrastructure, including 911 Emergency Call Centers, Healthcare, and Manufacturing.
Vendor/Product: Rockwell Automation
- ControlLogix 5580: V34.011
- GuardLogix 5580: V34.011
- 1756-EN4: V4.001
- CompactLogix 5380: V34.011
- Compact GuardLogix 5380: V34.011
- CompactLogix 5380: V34.011
- ControlLogix 5580: V34.011
- CompactLogix 5480: V34.011
Description:
Always-Incorrect Control Flow Implementation CWE-670
Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port.
Impact:
If exploited, the availability of the device would be compromised allowing unauthorized users access to the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack.
Source: CVE-2024-5659
Max Severity: High
CVSS Score: 8.3
Critical Infrastructure Sectors: Critical Manufacturing
Mitigation:
Rockwell Automation offers users the following solutions:
- ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
- GuardLogix 5580: corrected in V34.014, V35.013, V36.011 and later
- 1756-EN4: corrected in V6.001 and later
- CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
- Compact GuardLogix 5380: corrected in V34.014, V35.013, V36.011 and later
- CompactLogix 5380: corrected in V34.014, V35.013, V36.011 and later
- ControlLogix 5580: corrected in V34.014, V35.013, V36.011 and later
- CompactLogix 5480: corrected in V34.014, V35.013, V36.011 and later
Rockwell Automation encourages users of the affected software, who are not able to upgrade to one of the corrected versions, to apply the risk mitigations where possible.
- Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.
- Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique
- Security Best Practices
For more information, see Rockwell Automation’s security advisory
Vendor/Product: AVEVA PI Web API (v2023 and prior), a RESTful interface to the PI system
Description:
Deserialization of Untrusted Data
There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.
Impact:
Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.
Source: CVE-2024-3468
Max Severity: High
CVSS Score: 8.4
Critical Infrastructure Sectors: Critical Manufacturing
Mitigation:
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:
From OSI Soft Customer Portal, search for “PI Web API” and select version “2023 SP1” or later.
(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03
AVEVA further recommends users follow general defensive measures:
Set “DisableWrites” configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.
Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.
Limit AF Servers’ Administrators, so that most of the PI Web API user accounts don’t have the permission to change the backend AF servers.
For additional information please refer to AVEVA-2024-003
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Vendor/Product: AVEVA PI Asset Framework Client
The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected:
- PI Asset Framework Client: 2023
- PI Asset Framework Client: 2018 SP3 P04 and prior
Description:
Deserialization of Untrusted Data
There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.
Impact:
Successful exploitation of this vulnerability could allow malicious code execution.
Source: CVE-2024-3467
Max Severity: High
CVSS Score: 7.0
Critical Infrastructure Sectors: Critical Manufacturing
Mitigation:
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:
- (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:
- From OSI Soft Customer Portal, search for “Asset Framework” and select “PI Asset Framework (AF) Client 2023 Patch 1” or later.
- (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:
- From OSI Soft Customer Portal, search for “Asset Framework” and select either “PI Asset Framework (AF) Client 2018 SP3 Patch 5” or later.
AVEVA further recommends users follow general defensive measures:
- Run PI System Explorer as a least privilege interactive account when possible.
- Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.
For additional information please refer to AVEVA-2024-004
Vendor/Product: Intrado 911 Emergency Gateway
Description:
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database.
Impact:
SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or product package with even a minimal user base is likely to be subject to an attempted attack of this kind. Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
Source: CVE-2024-1839
Max Severity: Critical
CVSS Score: 10
Critical Infrastructure Sectors: Emergency Services
Mitigation:
Intrado has provided a patch to mitigate the vulnerability. Any EGWs deployed on older revisions will need to be upgraded to the 5.5/5.6 branch to apply the patch. For assistance in obtaining the patch, contact Intrado’s technical support group at 1-888-908-4167 or E911Support@intrado.com
Vendor/Product: Schneider Electric APC Easy UPS Online Monitoring Software (Update A)
- APC Easy UPS Online Monitoring Software: v2.5-GA-01-22261 and prior
- Schneider Electric Easy UPS Online Monitoring Software: Version V2.5-GA-01-22320 and prior
1. Description: Missing Authentication for Critical Function
A vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface.
Impact:
Exposing critical functionality essentially provides an attacker with the privilege level of that functionality. The consequences will depend on the associated functionality, but they can range from reading or modifying sensitive data, access to administrative or other privileged functionality, or possibly even execution of arbitrary code.
Source: CVE-2024-29411
Max Severity: Critical
CVSS Score: 9.8
Critical Infrastructure Sectors: Critical Manufacturing
———————–
2. Description: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Prior versions of Schneider Electric APC Easy UPS Online contain an OS Command Injection vulnerability that could cause remote code execution when manipulating internal methods through Java RMI interface.
Impact:
This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.
Source: CVE-2024-29412
Max Severity: Critical
CVSS Score: 9.8
Critical Infrastructure Sectors: Critical Manufacturing
————-
3. Description: Missing Authentication for Critical Function
A vulnerability exists that could cause a denial-of-service condition when accessed by an unauthenticated user on the Schneider UPS Monitor service.
Impact:
As data is migrated to the cloud, if access does not require authentication, it can be easier for attackers to access the data from anywhere on the Internet.
Source: CVE-2024-29413
Max Severity: High
CVSS Score: 7.5
Critical Infrastructure Sectors: Critical Manufacturing
Mitigation: Schneider Electric became aware of a public PoC detailing an exploit for prior versions of the APC Easy UPS Online Monitoring Software, and strongly recommends all users take the defensive actions listed in this advisory.
The affected software is being discontinued with the discontinuation of the Easy UPS Online SNMP Cards (APV9601, APVS9601) managed by this software. Fixed versions notwithstanding, Schneider Electric recommends users to migrate to the PowerChute series of software, including PowerChute Serial Shutdown and PowerChute Network Shutdown. For more information, please see the following sites:
- PowerChute Serial Shutdown
- PowerChute Network Shutdown
Schneider Electric recommends users update their affected devices to the following versions or later:
- APC Easy UPS Online Monitoring Software: Version 2.6-GA or later
- Schneider Electric Easy UPS Online Monitoring Software: Version 2.6-GS or later
Schneider Electric recommends that users use appropriate patching methodologies when applying these patches to their systems and impact evaluate these patches in a test, development, or offline infrastructure environment. Schneider Electric strongly recommends the use of backups.
Users can contact Schneider Electric’s Customer Care Center for additional assistance.
Schneider Electric strongly recommends users follow cybersecurity industry best practices, including:
- Locating control and safety system networks and remote devices behind firewalls and isolating them from the business network.
- Installing physical controls to help prevent unauthorized users from accessing industrial control and safety systems, components, peripheral equipment, and networks.
- Placing all controllers in locked cabinets, and do not leave them in the “Program” mode.
- Only connecting programming software to the network intended for that device.
- Scanning all methods of mobile data exchange with the isolated network before use in the terminals or nodes connected to these networks.
- Properly sanitizing mobile devices that have connected to another network before connecting to the intended network.
- Minimizing network exposure for all control system devices and systems and ensure that they are not accessible from the internet.
- Using secure methods, such as virtual private networks (VPNs), when remote access is required.
For more information, refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For more information, see Schneider Electric security notification SEVD-2023-101-04
Vendor/Product: MicroDicom DICOM Viewer (versions prior to 2024.2)
1. Description: Improper Authorization in Handler for Custom URL Scheme
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication.
Impact:
An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a victim’s system. User interaction is required to exploit this vulnerability.
Source: CVE-2024-33606
Max Severity: High
CVSS Score: 8.6
——————-
2. Description: Stack-based Buffer Overflowme
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. User interaction is required to exploit this vulnerability.
Impact:
Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy.
Source: CVE-2024-28877
Max Severity: High
CVSS Score: 8.7
Critical Infrastructure Sectors: Healthcare and Public Health
Mitigation:
MicroDicom recommends users upgrade to DICOM Viewer version 2024.2.
