Cyble Research and Intelligence Labs (CRIL) summarizes multiple vulnerabilities in its Weekly Industrial Control System (ICS) Vulnerability Intelligence Report. This report provides a comprehensive overview of critical vulnerabilities disclosed from September 10 to September 16.
The Cybersecurity and Infrastructure Security Agency (CISA) issued 29 security advisories concerning Industrial Control Systems (ICS) in the past week. These advisories highlight eight significant vulnerabilities in products from various vendors, including Rockwell Automation, Siemens, and Viessmann Climate Solutions.
Key vulnerabilities include command injection and heap-based overflow issues that could severely affect critical infrastructure.
1. CVE-2024-45824: Command Injection – Rockwell Automation
CVE-2024-45824 is a critical vulnerability in Rockwell Automation FactoryTalk View Site Edition up to version 14.0. The flaw affects an unspecified component and carries a CVSS score of 9.8. It is exploitable over the network with low attack complexity and requires neither privileges nor user interaction.
Mitigation: Upgrading the affected software eliminates the vulnerability. Utilize ODIN’s capabilities to determine if devices are exposed and secure them accordingly.
2. CVE-2024-35783: Execution with Unnecessary Privileges – Siemens
A critical vulnerability with a CVSS score of 9.1 has been identified in Siemens SIMATIC BATCH, SIMATIC Information Server (2020, 2022), SIMATIC PCS 7, SIMATIC Process Historian (2020, 2022), and SIMATIC WinCC (Runtime Professional, SCADA Software). The flaw, located in the DB Server component, is exploitable over the network with low attack complexity but requires high privileges.
Mitigation: Upgrading the affected software eliminates the vulnerability.
3. CVE-2023-44373: Improper Neutralization of Special Elements – Siemens
CVE-2023-44373 is an improper neutralization of special elements (command injection) vulnerability in Siemens devices: input fields in the web interface are not sanitized on the server side. An authenticated remote attacker with administrative privileges can use this missing server-side input validation to inject code or obtain a root shell on the device. The affected devices include the Siemens RUGGEDCOM and SCALANCE M-800/S615 families.
Mitigation: Update to the latest firmware version, specifically version 3.0.2 or higher.
4. CVE-2024-45032: Authorization Bypass – Siemens Industrial Edge Management
A critical vulnerability has been identified in the Device Token Handler component of Siemens Industrial Edge Management Pro and Industrial Edge Management Virtual. The flaw allows attackers to bypass authorization. It has a CVSS score of 10.0, indicating its severity. Exploitation is feasible over the network with low attack complexity and requires no privileges or user interaction.
Mitigation: Upgrading the affected systems is necessary to mitigate this issue.
5. CVE-2023-46850: Use After Free – Siemens
This vulnerability in OpenVPN (versions 2.6.0 to 2.6.6) is a use-after-free issue, potentially leading to undefined behavior, memory leaks, or remote code execution when network buffers are sent to a remote peer. The CVSS score is 9.8, indicating a critical severity. Exploitation requires network access but no special permissions or user interactions.
Mitigation: The most effective way to mitigate CVE-2023-46850 is to install the latest software updates from Siemens, containing the necessary fixes.
6. CVE-2024-33698: Heap-based Buffer Overflow – Siemens User Management Components
CVE-2024-33698 is a critical vulnerability in several Siemens products, including SIMATIC Information Server 2022 and 2024, SIMATIC PCS neo, SINEC NMS, and Totally Integrated Automation Portal. The issue resides in the User Management Components (UMC) and is classified as a heap-based buffer overflow. It has a CVSS score of 9.8, indicating critical severity. Exploitation requires network access but no special privileges or user interaction.
Mitigation and Workaround: Siemens has published specific workarounds and mitigations that customers can apply to reduce the risk; the product-specific remediations and mitigations are listed in the Affected Products and Solution section of the Siemens advisory.
7. CVE-2023-45852: Command Injection – Viessmann Climate Solutions SE
CVE-2023-45852 is a command injection vulnerability in the Viessmann Vitogate 300 firmware (version 2.1.3.0). An unauthenticated attacker can exploit this vulnerability by injecting shell metacharacters into the ipaddr parameter in the JSON data for the put method in the /cgi-bin/vitogate.cgi endpoint. This allows the attacker to bypass authentication and execute arbitrary commands, potentially compromising the system. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. No user interaction or specific permissions are required to exploit this flaw, and it can be exploited over a network with low difficulty.
Mitigation: Update to the latest version to fix the issue.
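The two command-injection entries above (CVE-2023-44373 and CVE-2023-45852) share one root cause: a request parameter reaches a shell without server-side validation. The following is an added example, not Vitogate or Siemens code; the request layout (a JSON body with a "method" and a "params" object carrying "ipaddr"), the ping command, and the function names are assumptions used for illustration. It places the weak pattern (interpolating the raw parameter into a shell string) beside the hardened one (allow-list validation with the `ipaddress` module, then an argv list executed without a shell, with a 400 response on any rejected input).

```python
"""Server-side validation of an IP-address parameter before it reaches a shell.

Constructed example (not Vitogate code): the request shape and function names
are assumptions.
"""
import ipaddress
import json

# Constructed sample requests: one well-formed, one carrying a shell metacharacter.
GOOD_REQUEST = b'{"method": "put", "params": {"ipaddr": "192.0.2.10"}}'
BAD_REQUEST = b'{"method": "put", "params": {"ipaddr": "192.0.2.10; echo x"}}'


def build_command_unsafe(ipaddr: str) -> str:
    """The vulnerable pattern: the raw parameter is spliced into a shell string,
    so any character the shell treats specially becomes part of the command."""
    return "ping -c 1 " + ipaddr


def validate_ipaddr(value) -> str:
    """Accept only a literal IPv4 or IPv6 address and return its canonical form.
    ipaddress.ip_address raises ValueError for anything that is not an address,
    which is what rejects metacharacters, whitespace and empty values."""
    if not isinstance(value, str):
        raise ValueError("ipaddr must be a string")
    return str(ipaddress.ip_address(value))


def build_command_safe(ipaddr: str) -> list:
    """Hardened pattern: validate first, then build an argv list. Passing a list
    to subprocess.run(argv, shell=False) never invokes a shell, so even a value
    that slipped past validation could not be parsed as extra commands."""
    return ["ping", "-c", "1", validate_ipaddr(ipaddr)]


def handle_put(body: bytes) -> list:
    """Parse the JSON body of a 'put' request and return the argv to execute."""
    try:
        request = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("malformed JSON") from exc
    if not isinstance(request, dict) or request.get("method") != "put":
        raise ValueError("unsupported method")
    params = request.get("params")
    if not isinstance(params, dict):
        raise ValueError("missing params")
    return build_command_safe(params.get("ipaddr"))


def cgi_response(body: bytes):
    """What the CGI layer returns: (status, detail). Rejected input gets a 400
    and the command is never built; accepted input yields the validated argv."""
    try:
        argv = handle_put(body)
    except ValueError as exc:
        return 400, str(exc)
    # subprocess.run(argv, shell=False, check=False) would execute here.
    return 200, " ".join(argv)


if __name__ == "__main__":
    print(cgi_response(GOOD_REQUEST))
    print(cgi_response(BAD_REQUEST))
```

The validation is an allow-list (only a parseable address is accepted) rather than a deny-list of known metacharacters, and the argv form removes the shell from the path entirely; either change alone would have blocked the injection described above, and together they also cover encodings a deny-list would miss.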
8. CVE-2023-5222: Use of Hardcoded Credentials – Viessmann Climate Solutions SE
A critical vulnerability (CVSS score: 9.8) exists in Viessmann Vitogate 300 firmware up to version 2.1.3.0, specifically in the isValidUser function of the /cgi-bin/vitogate.cgi component within the Web Management Interface. The flaw is the use of a hard-coded password, making it exploitable over the network with low attack complexity and no user interaction or privileges required. Public exploit details are available. The vendor has not responded to disclosure attempts.
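A hard-coded password, as in the isValidUser flaw above, is the same secret on every shipped unit and cannot be rotated without a firmware change. The following is an added example, not Viessmann code: it contrasts a user check that compares against a literal with one that verifies against a per-device, salted PBKDF2-HMAC-SHA256 record loaded from a credential store. The store layout, the `make_record`/`is_valid_user` names and the placeholder password are assumptions made for illustration.

```python
"""Replacing a hard-coded password check with verification against a stored,
salted password hash. Constructed example, not Vitogate code; the credential
store layout and function names are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def is_valid_user_hardcoded(username: str, password: str) -> bool:
    """The weak pattern: the secret is a literal in the firmware, identical on
    every device, and ordinary string equality is not constant-time."""
    return username == "admin" and password == "PLACEHOLDER-PASSWORD"  # placeholder literal


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted hash for storage, e.g. when a device is provisioned with
    its own unique password. Only the salt and hash are persisted, never the
    password itself."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def is_valid_user(credential_store: dict, username: str, password: str) -> bool:
    """Hardened pattern: look up the per-device record, recompute the hash with
    the stored salt and iteration count, and compare in constant time. Unknown
    usernames still pay for one hash computation so response time does not
    reveal which usernames exist."""
    record = credential_store.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(computed, bytes.fromhex(record["hash"]))


# Constructed credential store standing in for a per-device configuration file.
CREDENTIAL_STORE = {"admin": make_record("per-device-provisioned-secret")}


if __name__ == "__main__":
    print(is_valid_user(CREDENTIAL_STORE, "admin", "per-device-provisioned-secret"))
    print(is_valid_user(CREDENTIAL_STORE, "admin", "wrong"))
```

The stored record carries its own iteration count so the work factor can be raised later without invalidating existing credentials, and `hmac.compare_digest` keeps the comparison independent of how many leading bytes match.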
The vulnerability severity distribution for ICS vulnerabilities shows a predominance of critical and high-severity issues in products belonging to known ICS vendors. The majority of affected products come from vendors like Siemens and Rockwell Automation. This calls for a prompt response to mitigate potential impacts on industrial control systems.
Organizations must prioritize patching these vulnerabilities, implement robust security measures, and follow recommended best practices to protect their ICS environments from potential threats. Regular updates, security monitoring, and proactive risk management are essential for maintaining the integrity and security of critical infrastructure.