CISA Finds Critical Vulnerabilities in ICS

  • 23 March 2023
  • 3 replies
  • 49 views

  • Anonymous
  • 0 replies

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) recommendations highlighting serious vulnerabilities impacting products from Rockwell Automation and Delta Electronics.

This covers 13 security flaws in InfraSuite Device Master, a real-time device monitoring programme from Delta Electronics. The problems exist in all releases prior to 1.0.5.

According to CISA, successful exploitation of these flaws might provide an unauthenticated attacker access to files and credentials, grant them further rights, and allow them to remotely execute arbitrary code.

The most serious weakness on the list is CVE-2023-1133 (CVSS rating: 9.8), which is caused by the fact that InfraSuite Device Master accepts unauthenticated UDP packets and deserializes the data, enabling an unauthenticated remote attacker to execute arbitrary code.

The CISA issued a warning on two further deserialization weaknesses, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), which might be used as a weapon to acquire remote code execution.

The security researcher who went unnamed and Piotr Bazydlo are credited with finding and alerting CISA to the flaws.

The two path traversal flaws, CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5), are the most serious of the problems because they could allow an unauthenticated remote attacker to upload any file to the directory where ThinServer.exe is installed.

Successful exploitation of these flaws might enable an attacker to potentially execute remote code on the target system or device or cause the software to crash, according to CISA.

Updates to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, and 13.0.2 are advised for users to mitigate potential hazards. Versions 6.x through 10.x of the ThinManager ThinServer are no longer maintained, so users must upgrade to a supported version.

It is also advised to restrict remote access to known thin clients and ThinManager servers using port 2031/TCP as a solution.

A high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that might allow arbitrary remote code execution has now been publicly disclosed, more than six months after CISA first made the vulnerability known.


3 replies

Userlevel 6
Badge +2

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) recommendations highlighting serious vulnerabilities impacting products from Rockwell Automation and Delta Electronics.

This covers 13 security flaws in InfraSuite Device Master, a real-time device monitoring programme from Delta Electronics. The problems exist in all releases prior to 1.0.5.

According to CISA, successful exploitation of these flaws might provide an unauthenticated attacker access to files and credentials, grant them further rights, and allow them to remotely execute arbitrary code.

The most serious weakness on the list is CVE-2023-1133 (CVSS rating: 9.8), which is caused by the fact that InfraSuite Device Master accepts unauthenticated UDP packets and deserializes the data, enabling an unauthenticated remote attacker to execute arbitrary code.

The CISA issued a warning on two further deserialization weaknesses, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), which might be used as a weapon to acquire remote code execution.

The security researcher who went unnamed and Piotr Bazydlo are credited with finding and alerting CISA to the flaws.

The two path traversal flaws, CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5), are the most serious of the problems because they could allow an unauthenticated remote attacker to upload any file to the directory where ThinServer.exe is installed.

Successful exploitation of these flaws might enable an attacker to potentially execute remote code on the target system or device or cause the software to crash, according to CISA.

Updates to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, and 13.0.2 are advised for users to mitigate potential hazards. Versions 6.x through 10.x of the ThinManager ThinServer are no longer maintained, so users must upgrade to a supported version.

It is also advised to restrict remote access to known thin clients and ThinManager servers using port 2031/TCP as a solution.

A high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that might allow arbitrary remote code execution has now been publicly disclosed, more than six months after CISA first made the vulnerability known.

Cybercriminals and other hostile actors may use these vulnerabilities to compromise vital infrastructure or steal valuable data. Such attacks might have disastrous effects, including massive power outages, disruptions to transportation networks, or threats to the safety of industrial workers.


I read an article that explained why it is important for CISOs to validate security controls and how Red Team exercises are becoming one of the best ways to identify vulnerabilities.

https://wesecureapp.com/blog/how-do-red-team-exercises-help-ciso-to-validate-the-security-controls-effectively/#:~:text=Red%20Team%20Exercises%20are%20one,up%20against%20a%20malicious%20actor.

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) recommendations highlighting serious vulnerabilities impacting products from Rockwell Automation and Delta Electronics.

This covers 13 security flaws in InfraSuite Device Master, a real-time device monitoring programme from Delta Electronics. The problems exist in all releases prior to 1.0.5.

According to CISA, successful exploitation of these flaws might provide an unauthenticated attacker access to files and credentials, grant them further rights, and allow them to remotely execute arbitrary code.

The most serious weakness on the list is CVE-2023-1133 (CVSS rating: 9.8), which is caused by the fact that InfraSuite Device Master accepts unauthenticated UDP packets and deserializes the data, enabling an unauthenticated remote attacker to execute arbitrary code.

The CISA issued a warning on two further deserialization weaknesses, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), which might be used as a weapon to acquire remote code execution.

The security researcher who went unnamed and Piotr Bazydlo are credited with finding and alerting CISA to the flaws.

The two path traversal flaws, CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5), are the most serious of the problems because they could allow an unauthenticated remote attacker to upload any file to the directory where ThinServer.exe is installed.

Successful exploitation of these flaws might enable an attacker to potentially execute remote code on the target system or device or cause the software to crash, according to CISA.

Updates to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, and 13.0.2 are advised for users to mitigate potential hazards. Versions 6.x through 10.x of the ThinManager ThinServer are no longer maintained, so users must upgrade to a supported version.

It is also advised to restrict remote access to known thin clients and ThinManager servers using port 2031/TCP as a solution.

A high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that might allow arbitrary remote code execution has now been publicly disclosed, more than six months after CISA first made the vulnerability known.

I am providing objective information about the cybersecurity vulnerabilities discovered by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the Industrial Control Systems (ICS) products from Rockwell Automation and Delta Electronics. The vulnerabilities identified by CISA are serious and could potentially lead to unauthorized access to files and credentials, remote code execution, and other malicious activities by attackers. It is highly recommended for affected users to upgrade to the latest supported versions of the software and restrict remote access to known thin clients and ThinManager servers using port 2031/TCP to mitigate the risks.

The disclosure of the high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer more than six months after CISA first made it known is concerning and highlights the need for timely vulnerability disclosures and patches to prevent potential attacks.

The US Cybersecurity and Infrastructure Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices that should be – but aren't always – isolated from the internet. 

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) recommendations highlighting serious vulnerabilities impacting products from Rockwell Automation and Delta Electronics.

This covers 13 security flaws in InfraSuite Device Master, a real-time device monitoring programme from Delta Electronics. The problems exist in all releases prior to 1.0.5.

According to CISA, successful exploitation of these flaws might provide an unauthenticated attacker access to files and credentials, grant them further rights, and allow them to remotely execute arbitrary code.

The most serious weakness on the list is CVE-2023-1133 (CVSS rating: 9.8), which is caused by the fact that InfraSuite Device Master accepts unauthenticated UDP packets and deserializes the data, enabling an unauthenticated remote attacker to execute arbitrary code.

The CISA issued a warning on two further deserialization weaknesses, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), which might be used as a weapon to acquire remote code execution.

The security researcher who went unnamed and Piotr Bazydlo are credited with finding and alerting CISA to the flaws.

The two path traversal flaws, CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5), are the most serious of the problems because they could allow an unauthenticated remote attacker to upload any file to the directory where ThinServer.exe is installed.

Successful exploitation of these flaws might enable an attacker to potentially execute remote code on the target system or device or cause the software to crash, according to CISA.

Updates to versions 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, and 13.0.2 are advised for users to mitigate potential hazards. Versions 6.x through 10.x of the ThinManager ThinServer are no longer maintained, so users must upgrade to a supported version.

It is also advised to restrict remote access to known thin clients and ThinManager servers using port 2031/TCP as a solution.

A high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that might allow arbitrary remote code execution has now been publicly disclosed, more than six months after CISA first made the vulnerability known.


CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria. CISA has issued warnings for vulnerabilities in ICS products before, emphasizing the critical importance of improved cybersecurity strategies in these industries.


https://socradar.io/cisa-issues-a-new-warning-for-vulnerabilities-in-industrial-control-systems-ics/

Reply