CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems


On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight alerts regarding Industrial Control Systems (ICS), cautioning about significant vulnerabilities in equipment produced by Delta Electronics and Rockwell Automation.

Thirteen security vulnerabilities have been identified in Delta Electronics' InfraSuite Device Master software, which is designed to monitor real-time device activity. These issues affect all versions of the software that were released before 1.0.5.

According to CISA, successful exploitation of these vulnerabilities could allow an unauthorized attacker to access records and sensitive information, escalate privileges, and remotely execute arbitrary code.

At the top of the list is CVE-2023-1133, with a CVSS score of 9.8, a serious issue caused by InfraSuite Device Master accepting unverified UDP packets and then deserializing their contents. This flaw permits an unauthorized attacker to remotely execute arbitrary code.

CISA has warned that two additional deserialization vulnerabilities, CVE-2023-1139 (CVSS score 8.8) and CVE-2023-1145 (CVSS score 7.8), could be exploited to achieve remote code execution.

CISA has credited Piotr Bazydlo and an unnamed security researcher with discovering and reporting the flaws.

Another group of vulnerabilities affects Rockwell Automation's ThinManager ThinServer. The impacted versions of the thin client and remote desktop protocol (RDP) server management software are:

  • 6.x – 10.x
  • 11.0.0 – 11.0.5
  • 11.1.0 – 11.1.5
  • 11.2.0 – 11.2.6
  • 12.0.0 – 12.0.4
  • 12.1.0 – 12.1.5
  • 13.0.0 – 13.0.1

The two most critical problems are identified as CVE-2023-28755 (with a CVSS score of 9.8) and CVE-2023-28756 (with a CVSS score of 7.5). These path traversal flaws could enable an unauthorized remote attacker to upload arbitrary files to the directory in which ThinServer.exe is located.

What's even more concerning is that an adversary could weaponize CVE-2023-28755 to overwrite existing executable files with tampered versions, which would likely result in remote code execution.

According to CISA, an attacker who exploited these vulnerabilities could possibly execute code remotely on the target system or device, or cause the software to crash.

Users are advised to update to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6 and 13.0.2 to mitigate the risk. ThinManager ThinServer versions 6.x – 10.x are no longer available or supported, so users on those versions must upgrade to a currently supported version.
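For asset owners triaging an inventory, the affected ranges and fixed releases above can be checked mechanically. The following is an added example, not code from CISA or Rockwell Automation; the host names, the inventory format and the status labels are assumptions made for illustration.

```python
import re

# (major, minor) -> (last affected patch, first fixed patch), taken from the
# affected ranges and fixed releases listed in this article.
BRANCHES = {
    (11, 0): (5, 6), (11, 1): (5, 6), (11, 2): (6, 7),
    (12, 0): (4, 5), (12, 1): (5, 6), (13, 0): (1, 2),
}

def triage(version):
    """Return (status, upgrade_target) for one ThinServer version string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", version)
    if not m:
        return ("unparsed", None)               # needs manual review
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)                # no patch level given: assume .0
    if 6 <= major <= 10:
        return ("affected-unsupported", None)   # no fix on these branches
    branch = BRANCHES.get((major, minor))
    if branch is None:
        return ("not-listed", None)             # outside the ranges given here
    last_affected, first_fixed = branch
    if patch <= last_affected:
        return ("affected", f"{major}.{minor}.{first_fixed}")
    return ("fixed", None)

# Constructed sample inventory (hypothetical hosts and versions): "host,version"
INVENTORY = """\
hmi-srv-01,11.2.6
hmi-srv-02,13.0.2
hmi-srv-03,9.0.4
hmi-srv-04,12.1.3
hmi-srv-05,13.1.0
hmi-srv-06,unknown
"""

def report(inventory):
    """Classify every inventory line; returns (host, version, status, target)."""
    rows = []
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        rows.append((host.strip(), version.strip()) + triage(version))
    return rows

if __name__ == "__main__":
    for host, version, status, target in report(INVENTORY):
        note = f"upgrade to {target}" if target else ""
        print(f"{host:12} {version:8} {status:22} {note}")
```

Versions reported as "not-listed" or "unparsed" fall outside what this article states and should be checked against the vendor advisory directly.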

As a mitigation, it is advisable to restrict remote access to port 2031/TCP to recognized thin clients and ThinManager servers only.

The disclosure comes more than six months after CISA warned of a significant buffer overflow flaw in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that could lead to unauthorized remote code execution.
