Cyble’s latest report reveals critical ICS vulnerabilities, including CVE-2023-34873 in MOBOTIX cameras, highlighting urgent security concerns for August 2024.
Cyble Research and Intelligence Labs (CRIL) has documented multiple vulnerabilities in its Weekly Industrial Control System (ICS) Vulnerability Intelligence Report. This report provides a comprehensive overview of critical vulnerabilities disclosed from August 20, 2024, to August 26, 2024.
In the past week, the Cybersecurity and Infrastructure Security Agency (CISA) issued four critical advisories concerning Industrial Control Systems (ICS). These advisories highlight five significant vulnerabilities in products from various vendors, including Rockwell Automation, Avtec, and MOBOTIX.
Key vulnerabilities include remote code execution and improper input validation issues that could have severe implications for critical infrastructure. Notably, the Improper Input Validation vulnerability (CVE-2023-34873) in MOBOTIX cameras has been identified as a high-priority concern due to its potential for remote code execution.
On August 22, 2024, MOBOTIX released an alert regarding CVE-2023-34873, a critical vulnerability affecting P3 and Mx6 camera models. This flaw, rated CVSS v4 8.7, stems from improper neutralization of expression/command delimiters. It allows an authenticated attacker to remotely execute code by exploiting the tcpdump functionality of the affected camera versions. Cyble’s ODIN scanner identified 202 exposed MOBOTIX cameras, predominantly in Germany.
Mitigation: Users should review the firmware versions listed in the MOBOTIX advisory and apply necessary patches immediately. Utilize ODIN’s capabilities to determine if devices are exposed and secure them accordingly.
Rockwell Automation’s Emulate3D (version 17.00.00.13276) has been identified with CVE-2024-6079, a critical vulnerability with a CVSS v4 score of 5.4. The flaw involves an externally controlled reference to a resource in another sphere, leading to potential DLL hijacking and remote code execution. This issue impacts critical manufacturing sectors globally.
Mitigation: Rockwell Automation recommends updating to version 17.00.00.13348. Additionally, users should implement security best practices, such as reducing network exposure with firewalls and securing remote access via VPNs.
CVE-2024-6089, found in Rockwell Automation’s 5015 – AENFTXT (version 2.011), is a critical vulnerability with a CVSS v4 score of 8.7. This flaw involves improper input validation that can cause a denial-of-service condition, requiring a power cycle to recover. It affects FLEXHA 5000 I/O Modules used in critical manufacturing sectors.
Mitigation: Update to firmware version 2.012 to address this vulnerability. Follow security best practices and consider the Stakeholder-Specific Vulnerability Categorization for prioritization.
Avtec’s Outpost 0810 and Uploader Utility have been flagged with CVE-2024-39776, a vulnerability involving insecure storage of sensitive data, and CVE-2024-42418, related to the use of a hard-coded cryptographic key. Both vulnerabilities are rated CVSS v4 8.7 and could allow remote attackers to gain administrative access.
Mitigation: Avtec recommends updating to version 5.0.0 and implementing measures such as securing web interfaces and reviewing associated Scout firmware. CISA advises minimizing network exposure and employing secure remote access methods.
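To act on the mitigation steps above, an asset inventory can be triaged against the fixed versions this report names. The following is an added example, not code from Cyble or any vendor. The product labels, asset names and sample rows are constructed, and it assumes any release below the stated fixed version needs the update.

```python
import re

# Fixed versions as stated in this report; product labels are hypothetical.
# None = the report gives no version (MOBOTIX defers to the vendor advisory).
FIXED = {
    "Rockwell Emulate3D": ("17.00.00.13348", "CVE-2024-6079"),
    "Rockwell 5015-AENFTXT": ("2.012", "CVE-2024-6089"),
    "Avtec Outpost 0810": ("5.0.0", "CVE-2024-39776, CVE-2024-42418"),
    "MOBOTIX P3/Mx6 camera": (None, "CVE-2023-34873"),
}

def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def older(a, b):
    """True if version tuple a < b after zero-padding to equal length."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def triage(inventory):
    """Map each (asset, product, version) row to UPDATE, OK or REVIEW."""
    results = []
    for asset, product, version in inventory:
        if product not in FIXED:
            continue  # product not covered by this report
        fixed, cves = FIXED[product]
        installed = parse_version(version)
        if fixed is None or installed is None:
            status = "REVIEW"  # no fixed version known, or unparseable input
        elif older(installed, parse_version(fixed)):
            status = "UPDATE"
        else:
            status = "OK"
        results.append((asset, status, cves))
    return results

# Constructed sample inventory (not real assets).
SAMPLE = [
    ("eng-ws-01", "Rockwell Emulate3D", "17.00.00.13276"),
    ("io-rack-07", "Rockwell 5015-AENFTXT", "2.012"),
    ("radio-gw-02", "Avtec Outpost 0810", "4.9"),
    ("cam-lobby", "MOBOTIX P3/Mx6 camera", "unknown"),
    ("io-rack-09", "Rockwell 5015-AENFTXT", "2.011-beta"),
]
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Rows marked REVIEW need a manual check against the vendor advisory rather than an automatic pass.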
The vulnerability severity distribution for ICS vulnerabilities shows a predominance of high-severity issues. This distribution highlights the critical nature of addressing these vulnerabilities promptly to mitigate potential impacts on industrial control systems. The majority of affected products come from vendors like Rockwell Automation and MOBOTIX, emphasizing the importance of proactive security measures and timely updates.
Organizations must prioritize patching these vulnerabilities, implement robust security measures, and follow recommended best practices to protect their ICS environments from potential threats. Regular updates, security monitoring, and proactive risk management are essential for maintaining the integrity and security of critical infrastructure.