CISA Alerts: May 30, 2024 – CISA Releases Seven Industrial Control Systems Advisories: PART ONE

Expressway showcases importance of road traffic as critical infrastructure in megalopolis.

CISA Releases Seven Industrial Control Systems Advisories:  PART ONE

How are Vulnerabilities Rated?

This advisory report covers seven industrial control systems whose vulnerabilities can affect critical infrastructure, including Energy, Water and Wastewater Systems, Transportation, Healthcare, and Manufacturing. Vulnerability details and scores are drawn from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

These vulnerabilities are identified using the Common Vulnerabilities and Exposures (CVE) naming standard and are organized by severity as determined by the Common Vulnerability Scoring System (CVSS). The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

These latest advisories focus on seven industrial control systems that can affect critical infrastructure, including Energy, Water and Wastewater Systems, Transportation, Healthcare, and Manufacturing.

Vendor/Product:  LenelS2 NetBox (a Carrier Brand)

NetBox™ is a full-featured, browser-based access control and event monitoring system.

Description: 

Use of Hard-Coded Password

The LenelS2 NetBox access control and event monitoring system was discovered to contain hard-coded credentials in versions prior to and including 5.6.1, which allows an attacker to bypass authentication requirements.

Impact:

A Use of Hard-Coded Password vulnerability exists that could allow an attacker to bypass authentication requirements.

Published Date:  05/30/2024

Source: CVE-2024-2420

Max Severity:  High

CVSS Score: 8.8

Critical Infrastructure Sectors:  Commercial Facilities

Mitigation:  These vulnerabilities have been mitigated in NetBox™ release 5.6.2. It is strongly recommended that customers upgrade to NetBox™ release 5.6.2 by contacting their authorized installer. Users should follow recommended deployment guidelines found in the NetBox hardening guide found in the NetBox built-in help menu. https://www.corporate.carrier.com/product-security/

Vendor/Product:  LenelS2 NetBox (a Carrier Brand)

NetBox™ is a full-featured, browser-based access control and event monitoring system.

Description: 

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated remote code execution vulnerability in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.

Impact:

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute malicious commands with elevated permissions.

Published Date:  05/30/2024

Source: CVE-2024-2421

Max Severity:  Critical

CVSS Score: 9.3

Critical Infrastructure Sectors:  Commercial Facilities

Mitigation:  These vulnerabilities have been mitigated in NetBox™ release 5.6.2. It is strongly recommended that customers upgrade to NetBox™ release 5.6.2 by contacting their authorized installer. Users should follow recommended deployment guidelines found in the NetBox hardening guide found in the NetBox built-in help menu. https://www.corporate.carrier.com/product-security/

Vendor/Product:  LenelS2 NetBox (a Carrier Brand)

NetBox™ is a full-featured, browser-based access control and event monitoring system.

Description: 

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The LenelS2 NetBox access control and event monitoring system was discovered to contain an authenticated remote code execution vulnerability in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands.

Impact: 

An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability exists that permits authenticated remote code execution, which could allow an attacker to execute malicious commands.

Source: CVE-2024-2422

Max Severity:  Critical

CVSS Score: 9.3

Critical Infrastructure Sectors:  Commercial Facilities

Mitigation:  These vulnerabilities have been mitigated in NetBox™ release 5.6.2. It is strongly recommended that customers upgrade to NetBox™ release 5.6.2 by contacting their authorized installer. Users should follow recommended deployment guidelines found in the NetBox hardening guide found in the NetBox built-in help menu. https://www.corporate.carrier.com/product-security/

Vendor/Product:  Fuji Electric Monitouch V-SFT
Description:  Out-of-Bounds Write
Impact: 

Fuji Electric Monitouch V-SFT is vulnerable to an out-of-bounds write because of a type confusion, which could result in arbitrary code execution.

Source: CVE-2024-5271

Max Severity:  Critical

CVSS Score: 8.5

Critical Infrastructure Sectors:  Critical Manufacturing, Energy

Mitigation:

Fuji Electric recommends users update the product to Monitouch V-SFT v6.2.3.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Vendor/Product:  Fuji Electric Monitouch V-SFT
Description:  Stack-based Buffer Overflow

The affected product is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.

Impact: 

Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

Source: CVE-2024-34171

Max Severity:  High

CVSS Score: 8.5

Critical Infrastructure Sectors:  Critical Manufacturing, Energy

Mitigation:  Fuji Electric recommends users update the product to Monitouch V-SFT v6.2.3.0.

Vendor/Product:  Inosoft VisiWin
Description:  Incorrect Default Permissions

VisiWin creates a directory with insufficient permissions, allowing a low-level user the ability to add and modify certain files that hold SYSTEM privileges, which could lead to privilege escalation.

Impact: 

An issue was discovered in Inosoft VisiWin 7 through 2022-2.1 (Runtime RT7.3 RC3 20221209.5). The "%PROGRAMFILES(X86)%\INOSOFT GmbH" folder has weak permissions for Everyone, allowing an attacker to insert a Trojan horse file that runs as SYSTEM.

Source: CVE-2024-34168

Max Severity:  High

CVSS Score: 8.5

Critical Infrastructure Sectors:  Critical Manufacturing

Mitigation:  Inosoft recommends users update to VisiWin version 2024-1. For more information, please visit VisiWin's support page.
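As an added defender-side check (not from the advisory or from Inosoft), the PowerShell below reports which access control entries on the affected folder grant broad identities write-class rights, which is the condition the CVE describes; the default path is the one named above, and the set of identities treated as "broad" is my assumption.

```powershell
# Added audit check (not from the advisory or Inosoft): list ACEs on a
# directory that give broad identities the ability to add or replace files.
# The default path is the folder named in CVE-2024-34168; pass -Path to audit
# any other program directory.
function Get-WeakFolderAces {
    param(
        [string]$Path = (Join-Path ${env:ProgramFiles(x86)} 'INOSOFT GmbH')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return @()
    }
    # Assumed set of identities that should never hold write rights on a
    # program directory whose contents run as SYSTEM.
    $broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    # Rights that let a low-privilege user create or overwrite files.
    # (ACEs expressed as generic rights, shown as raw numbers, are not decoded here.)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($broadIdentities -notcontains $id) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# No output means no broad identity holds write-class rights on the folder.
Get-WeakFolderAces | Format-Table -AutoSize
```

Run it from an elevated prompt before and after applying the VisiWin 2024-1 update to confirm the permissions were actually tightened.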

Vendor/Product:  Westermo EDW-100 (a Serial to Ethernet converter, all versions)
Description:  Insufficiently Protected Credentials

Westermo EDW-100 allows an unauthenticated GET request that can download the configuration-file that contains the configuration, username, and passwords in clear-text.

Impact: 
  • Hidden root user with hardcoded password: EDW-100 has a hidden root user account with a hardcoded password that cannot be changed, making EDW-100 vulnerable to unauthorized access (CWE-259: Use of Hard-coded Password, CWE-256: Plaintext Storage of a Password).
  • Unauthenticated user can read config containing password (CWE-522: Insufficiently Protected Credentials, CWE-256: Plaintext Storage of a Password).

Source: CVE-2024-36081

Max Severity:  Critical

CVSS Score: 9.3

Critical Infrastructure Sectors:  Energy, Water and Wastewater Systems, Transportation Systems

Mitigation:  To mitigate the risks associated with these vulnerabilities, Westermo recommends network segregation, perimeter protection, network to network protection, and physical security measures. Westermo also recommends replacing EDW-100 with Lynx DSS L105-S1. For further reference see 5-Port Managed Industrial Device Server Switch L105-S1.

Vendor/Product:  Baxter Welch Allyn Configuration Tool v1.9.4.1 and prior
Description:  Insufficiently Protected Credentials

Any credentials that were used for authentication or input while using the Welch Allyn Configuration Tool have the potential to be compromised and should be changed immediately.

Impact: 

An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Source: CVE-2024-5176

Max Severity:  Critical

CVSS Score: 10

Critical Infrastructure Sectors:  Healthcare and Public Health

Mitigation:  Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:

  • Welch Allyn Product Configuration Tool version 1.9.4.2: Available Q3 2024
  • No user action will be required once the update is released.

Baxter recommends the following workarounds to help reduce risk:  Apply proper network and physical security controls.

The Welch Allyn Configuration Tool is no longer publicly accessible. Customers needing to create configuration files should reach out to Baxter Technical Support or their Baxter Project Manager for assistance. Baxter Technical Support is available at (800)535-6663, option 2.

Stay tuned for CISA Releases Seven Industrial Control Systems Advisories:  PART TWO – Firmware Edition!

If you suspect you may have a vulnerability that you need help to mitigate, the cybersecurity team at Spry Squared is standing by.