On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) advisories highlighting serious vulnerabilities affecting products from Rockwell Automation and Delta Electronics.
Among them are 13 security flaws in InfraSuite Device Master, a real-time device monitoring program from Delta Electronics. The issues affect all versions prior to 1.0.5.
According to CISA, successful exploitation of these flaws could give an unauthenticated attacker access to files and credentials, allow them to escalate their privileges, and enable remote execution of arbitrary code.
The most serious weakness on the list is CVE-2023-1133 (CVSS score: 9.8), which stems from InfraSuite Device Master accepting unauthenticated UDP packets and deserializing their contents, enabling an unauthenticated remote attacker to execute arbitrary code.
CISA also warned of two further deserialization weaknesses, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), which could likewise be weaponized to achieve remote code execution.
An anonymous security researcher and Piotr Bazydlo are credited with discovering the flaws and reporting them to CISA.
In Rockwell Automation ThinManager ThinServer, the two path traversal flaws, CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5), are the most serious of the problems because they could allow an unauthenticated remote attacker to upload arbitrary files to the directory where ThinServer.exe is installed.
Successful exploitation of these flaws could enable an attacker to execute remote code on the target system or device, or cause the software to crash, according to CISA.
Users are advised to update to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, or 13.0.2 to mitigate the risk. Versions 6.x through 10.x of ThinManager ThinServer are no longer maintained, so users of those releases must upgrade to a supported version.
As an additional workaround, it is advised to restrict remote access on port 2031/TCP to known thin clients and ThinManager servers.
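One way to verify that the port 2031/TCP restriction described above is actually holding is to review connection logs for sessions reaching the ThinServer port from sources that are not known thin clients or ThinManager servers. The following is an added example, not code from the advisory or from Rockwell Automation; the log line format, addresses and allowlist are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample flow-log lines in an assumed "src= dst= proto= dport= action=" format.
# These are not real ThinManager or firewall logs; addresses and timestamps are made up.
SAMPLE_LOG = """\
2023-04-04T10:01:00Z src=10.0.5.20 dst=10.0.1.10 proto=TCP dport=2031 action=ALLOW
2023-04-04T10:01:05Z src=10.0.5.21 dst=10.0.1.10 proto=TCP dport=2031 action=ALLOW
2023-04-04T10:02:10Z src=203.0.113.45 dst=10.0.1.10 proto=TCP dport=2031 action=ALLOW
2023-04-04T10:02:30Z src=10.0.9.7 dst=10.0.1.10 proto=TCP dport=2031 action=ALLOW
2023-04-04T10:03:00Z src=203.0.113.45 dst=10.0.1.10 proto=TCP dport=443 action=ALLOW
"""

# Assumed allowlist: the thin-client subnet and a peer ThinManager server.
KNOWN_PEERS = [ipaddress.ip_network("10.0.5.0/24"), ipaddress.ip_network("10.0.1.11/32")]
THINSERVER_PORT = 2031  # port named in the advisory's workaround

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport, action) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = line.split(" ", 1)[0]
    src, dst, proto, dport, action = m.groups()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.upper(), int(dport), action


def is_known_peer(addr, allowlist=KNOWN_PEERS):
    """True if addr (str or ip_address) falls inside any allowlisted network."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in allowlist)


def find_unexpected_thinserver_connections(log_text, allowlist=KNOWN_PEERS):
    """Flag permitted 2031/TCP sessions whose source is not an allowlisted thin client or server.

    Denied attempts are skipped: they show the restriction working, whereas an ALLOW from an
    unknown source means the restriction is incomplete and should be fixed.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport, action = rec
        if proto == "TCP" and dport == THINSERVER_PORT and action == "ALLOW" and not is_known_peer(src, allowlist):
            findings.append((ts, str(src), str(dst)))
    return findings
```

Each finding is a source that still reaches ThinServer despite the allowlist; the second hit shows that an internal host outside the thin-client subnet is flagged just like an external one.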
Separately, a high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that could allow arbitrary remote code execution has now been publicly disclosed, more than six months after CISA first made the vulnerability known.