Today, CISA’s NCCIC-ICS published 17 control system security advisories for products from 2N, Hitachi Energy, Rockwell (3) and Siemens (12). They also published a medical device security advisory for products from Baxter. Finally, they updated an advisory for products from Elvaco.
2N Advisory
This advisory describes three vulnerabilities in the 2N Access Commander IP access control system. The vulnerabilities were reported by Noam Moshe of Claroty Research - Team82. 2N has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Path traversal - CVE-2024-47253, and
Insufficient verification of data authenticity (2) - CVE-2024-47254 and CVE-2024-47255
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to escalate their privileges, execute arbitrary code, or gain root access to the system.
Hitachi Energy Advisory
This advisory discusses two vulnerabilities (both with publicly available exploits) in their MSM product web services. These are third-party vulnerabilities. Hitachi Energy has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Information disclosure - CVE-2024-2398 (exploit), and
Infinite loop - CVE-2019-5097 (exploit)
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to impact the confidentiality, integrity or availability of the MSM.
NOTE: I briefly discussed these vulnerabilities on November 2nd, 2024. I mentioned the underlying Hitachi Energy Advisory last Tuesday.
Rockwell Advisory #1
This advisory describes an improper validation of specified quantity in input in the Rockwell Arena Input Analyzer. The vulnerability was reported by Michael Heinzl. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to disclose information and execute arbitrary code on the program.
Rockwell Advisory #2
This advisory describes three vulnerabilities in the Rockwell FactoryTalk Updater. These vulnerabilities were self-reported. Rockwell has new versions that mitigate the vulnerabilities.
The three reported vulnerabilities are:
Insecure storage of sensitive information - CVE-2024-10943,
Improper input validation - CVE-2024-10944, and
Improperly implemented security check for standard - CVE-2024-10945
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in an authentication bypass, remote code execution, and/or a local privilege escalation.
NOTE: I mentioned the underlying Rockwell advisory last Tuesday.
Rockwell Advisory #3
This advisory discusses a prototype pollution vulnerability in the Rockwell Verve Asset Manager. This is a third-party (Kibana) vulnerability. The vulnerability is self-reported. Rockwell provides generic mitigation measures even though Kibana has a new version that mitigates the vulnerability.
NOTE: Rockwell changed the vulnerability description to “Dependency on Vulnerable Third-Party Component CWE-1395” but the referenced CVE description on NVD.NIST.gov provides the description used above. The original description provides more information than the Rockwell revised version.
Mendix Advisory
This advisory describes a race condition vulnerability in the Siemens Mendix Runtime. The CISA advisory lists the vulnerability as self-reported; the Siemens advisory, however, notes that the vulnerability was reported by Lian Aldrich, Robin Roodt, and Christopher Panayi from MWR CyberSec. Siemens has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthenticated remote attackers to circumvent default account lockout measures.
SIMATIC CP Advisory
This advisory describes an incorrect authorization vulnerability in the Siemens SIMATIC CP1543-1. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to gain access to the filesystem.
TeleControl Server Advisory
This advisory describes a deserialization of untrusted data vulnerability in the Siemens TeleControl Server. The vulnerability was reported by Tenable. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to execute arbitrary code on the device.
Spectrum Power Advisory
This advisory describes an incorrect privilege assignment vulnerability in the Siemens Spectrum Power 7 product. The vulnerability was reported by Dimitri Lesy and Florens Schneider. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an authenticated local attacker to escalate privileges.
SINEC INS Advisory
This advisory discusses 59 vulnerabilities in the Siemens SINEC Infrastructure Network Services (INS) product. All but the last six are third-party vulnerabilities. Siemens has a new version that mitigates the vulnerabilities.
The six Siemens vulnerabilities are:
Path traversal - CVE-2024-46888,
Use of hard-coded encryption key - CVE-2024-46889,
OS command injection - CVE-2024-46890,
Out-of-bounds read - CVE-2024-46891,
Insufficient session expiration - CVE-2024-46892, and
Exposure of sensitive information to unauthorized actor - CVE-2024-46894
NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code (for one or more of the vulnerabilities) to remotely exploit the vulnerabilities to allow an unauthenticated attacker to cause a denial-of-service condition, bypass permissions, access data they should not have access to, or run arbitrary code.
Engineering Platforms Advisory
This advisory describes a deserialization of untrusted data vulnerability in the Siemens Engineering Platforms. The vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability in some of the affected products. The Siemens advisory lists the products for which no fix is planned.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to cause a type confusion and execute arbitrary code within the affected application.
SCALANCE Advisory
This advisory discusses 16 vulnerabilities in the Siemens SCALANCE M-800 Family. The first ten vulnerabilities listed are third-party vulnerabilities. The Siemens vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.
The six Siemens vulnerabilities are:
Improper input validation (2) - CVE-2024-50557 and CVE-2024-50560,
Improper access control - CVE-2024-50558,
Path traversal - CVE-2024-50559,
Cross-site scripting - CVE-2024-50561, and
Injection - CVE-2024-50572
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to impact the confidentiality, integrity or availability.
SOLID Edge Advisory
This advisory describes three vulnerabilities in the Siemens Solid Edge SE2024. The vulnerabilities were reported by Nafiez from Logix Advisor and Yu Zhou. Siemens has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Out-of-bounds read (2) - CVE-2024-47940 and CVE-2024-47941, and
Uncontrolled search path element - CVE-2024-47942
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to crash the application or execute arbitrary code.
SINEC NMS Advisory
This advisory discusses 17 vulnerabilities in the SINEC Network Management System (NMS) product. Fifteen of the reported vulnerabilities are third-party vulnerabilities. The Siemens vulnerabilities were self-reported. Siemens has a new version that mitigates the vulnerabilities.
The two Siemens vulnerabilities are:
Incorrect permission assignment for critical function - CVE-2024-47808, and
Out-of-bounds read - CVE-2023-46280
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an authenticated medium-privileged attacker to write arbitrary content to any location in the filesystem of the host system.
NOTE: CVE-2023-46280 was previously reported in SINEC NMS Before V3.0 (August 13th, 2024) and in Industrial Products (May 14th, 2024).
OZW672 and OZW772 Web Server Advisory
This advisory describes a cross-site scripting vulnerability in the Siemens OZW672 and OZW772 web servers. The vulnerability was reported by Paulo Mota. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an authenticated remote attacker to inject arbitrary JavaScript code that is later executed by another authenticated victim user with potential higher privileges than the attacker.
SIPORT Advisory
This advisory describes an incorrect permission vulnerability in the Siemens SIPORT product. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a local attacker with an unprivileged account to override or modify the service executable and subsequently gain elevated privileges.
RUGGEDCOM Crossbow Advisory
This advisory discusses two vulnerabilities (both with publicly available exploit code) in the Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC). The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Heap-based buffer overflow - CVE-2023-7104 (contains proof-of-concept code), and
Use after free - CVE-2024-0232 (contains proof-of-concept code)
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerabilities to allow an attacker to execute arbitrary code or to cause a denial-of-service condition.
Baxter Advisory
This advisory describes nine vulnerabilities (one with publicly available exploit code) in the Baxter Life2000 Ventilation System. The vulnerabilities were self-reported. Baxter provides generic mitigation measures pending a fix expected in 2nd quarter 2025.
The nine reported vulnerabilities are:
Clear text transmission of sensitive information - CVE-2024-9834,
Improper restriction of excessive authentication attempts - CVE-2024-9832,
Use of hard-coded credentials - CVE-2024-48971,
Improper physical access controls - CVE-2024-48973,
Download of code without integrity check - CVE-2024-48974,
On-chip debug and test interface with improper access control - CVE-2024-48970,
Incorrect access control (3rd party - STMicroelectronics) - CVE-2020-8004 (exploit), and
Missing authentication for critical function - CVE-2024-48966
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to lead to information disclosure and/or disruption of the device's function without detection.
Elvaco Update
This update provides additional information on the M-Bus Metering Gateway advisory that was originally published on October 17th, 2024. The new information adds mitigation details. The new Mitigation section includes the following highlighted note:
“Elvaco made security enhancements to software version 1.13.3 which is now available for download at [CMe3100 Firmware Download](https://support.elvaco.com/hc/en-us/articles/115005991369-CMe3100-Firmware-Download). This release addresses and mitigates the risk of an attacker bypassing authentication to gain access to a device not hidden on private/closed network (CVE-2024-49397) and unauthorized remote access (CVE-2024-49399).”
NOTE: The original version reported that: “Elvaco has not responded to requests to work with CISA to mitigate these vulnerabilities.” That note has also been removed from the current version.
The Baxter Life2000 device, with the software version noted in the advisory, is also part of an [FDA recall](https://www.fda.gov/medical-devices/ventilator-correction-baxter-healthcare-updates-use-instructions-life2000-ventilation-system-due).