1. EXECUTIVE SUMMARY

• ​CVSS v3 7.5 
• ​ATTENTION: Exploitable remotely/low attack complexity 
• ​Vendor: OPTO 22 
• ​Equipment: SNAP PAC S1 
• ​Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Weak Password Requirements, Improper Access Control, Uncontrolled Resource Consumption 

2. RISK EVALUATION

​Successful exploitation of these vulnerabilities could allow an attacker to brute force passwords, access certain device files, or cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following version of SNAP PAC S1, an industrial programmable automation controller, is affected: 

• ​SNAP PAC S1 Firmware: Version R10.3b 

3.2 VULNERABILITY OVERVIEW

3.2.1 ​IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307 

​There is no limit on the number of login attempts. This could allow a brute force attack on the built-in web server login. 

​CVE-2023-40706 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.2 ​WEAK PASSWORD REQUIREMENTS CWE-521 

​There are no requirements for setting a complex password, which could allow a successful brute force attack if users don’t setup complex credentials. 

​CVE-2023-40707 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.3 ​IMPROPER ACCESS CONTROL CWE-284 

​The File Transfer Protocol (FTP) port is open by default. This could allow an adversary to access some device files. 

​CVE-2023-40708 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 

3.2.4 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 

​An adversary could crash the entire device by sending large quantity of ICMP requests if the controller has the built-in web server enabled but not completely set-up and configured. 

​CVE-2023-40709 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.5 ​UNCONTROLLED RESOURCE CONSUMPTION CWE-400 

​An adversary could cause a continuous restart loop to the entire device by sending large quantity of HTTP GET requests if the controller has the built-in web server enabled but does not have the built-in web server completely set-up and configured. 

​CVE-2023-40710 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• ​COUNTRIES/AREAS DEPLOYED: Worldwide 
• ​COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

​Nicolas Cano of Dragos reported these vulnerabilities to CISA. 

4. MITIGATIONS

​OPTO 22 recommends users follow the direction Dragos and CISA provided for this vulnerability. 

​Dragos recommends users take the following actions: 

• ​Disable the built-in web server when not in use through the Network Security settings within the OPTO 22 Pac Manager software. 
• ​Restrict access to the built-in web server found on HTTPS (TCP/443). 
• ​Restrict access to the FTP Port (TCP/21). 
• ​Ensure user credentials are changed to something long, complex, and unique. 

​CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

• ​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. 
• ​Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
• ​When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

​No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. 

1. EXECUTIVE SUMMARY

• CVSS v3 3.3 
• ATTENTION: low attack complexity 
• Vendor: CODESYS, GmbH 
• Equipment: CODESYS Development System 
• Vulnerability: Improper Restriction of Excessive Authentication Attempts. 

2. RISK EVALUATION

Successful exploitation of this vulnerability could provide a local attacker with account information. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

• CODESYS Development System: versions prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 could allow a local attacker to have unlimited attempts of guessing the password within an import dialog. 

CVE-2023-3669 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• COUNTRIES/AREAS DEPLOYED: Worldwide 
• COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

A user reported this vulnerability. CERT@VDE coordinated the vulnerability. 

4. MITIGATIONS

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

Alternatively, users may find further information on obtaining the software update in the CODESYS Update area. 

For more information, please see the advisory CERT@VDE published for CODESYS at: 

https://cert.vde.com/en-us/advisories/vde-2023-023 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

• Do not click web links or open attachments in unsolicited email messages. 
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. 

1. EXECUTIVE SUMMARY

• CVSS v3 7.5 
• ATTENTION: Exploitable remotely/low attack complexity/known public exploitation 
• Vendor: KNX Association 
• Equipment: KNX devices using KNX Connection Authorization 
• Vulnerability: Overly Restrictive Account Lockout Mechanism 

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause users to lose access to their device, potentially with no way to reset the device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following devices using KNX Protocol are affected: 

• KNX devices using Connection Authorization Option 1 Style in which no BCU Key is currently set: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 OVERLY RESTRICTIVE ACCOUNT LOCKOUT MECHANISM CWE-645 

KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way. 

CVE-2023-4346 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Facilities 
• COUNTRIES/AREAS DEPLOYED: Europe 
• COMPANY HEADQUARTERS LOCATION: Belgium 

3.4 RESEARCHER

Felix Eberstaller reported this vulnerability to CISA. 

4. MITIGATIONS

KNX Association recommends all system integrators, installers, ETS users, and end customers to follow common IT security guidelines. KNX Association recommends users follow the recommendations in the KNX Secure Checklist. 

The KNX Association also recommends developers always set the BCU Key in every KNX Project that is already finished and will be commissioned in the future. Handover the BCU Key as part of the Project Documentation to the Building Owner. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. 
• Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA has received reports of this vulnerability being actively exploited. 

1. EXECUTIVE SUMMARY

• ​CVSS v3 8.6 
• ​ATTENTION: Exploitable remotely/low attack complexity 
• ​Vendor: Rockwell Automation  
• ​Equipment: 1734-AENT/1734-AENTR Series C, 1734-AENT/1734-AENTR Series B, 1738-AENT/ 1738-AENTR Series B, 1794-AENTR Series A, 1732E-16CFGM12QCWR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-16CFGM12P5QCWR Series B, 1732E-IB16M12R Series B, 1732E-OB16M12R Series B, 1732E-16CFGM12R Series B, 1732E-IB16M12DR Series B, 1732E-OB16M12DR Series B, 1732E-8X8M12DR Series B, 1799ER-IQ10XOQ10 Series B 
• ​Vulnerability: Out-of-Bounds Write 

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service on the affected products.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following versions of select Input/Output Modules from Rockwell Automation are affected: 

• ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior  
• ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior  
• ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior  
• ​1794-AENTR Series A: Versions 2.011 and prior  
• ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior 
• ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior  
• ​1732E-16CFGM12QCR Series A: Versions 3.011 and prior  
• ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior  
• ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior 
• ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior  
• ​1732E-IB16M12R Series B: Versions 3.011 and prior  
• ​1732E-OB16M12R Series B: Versions 3.011 and prior  
• ​1732E-16CFGM12R Series B: Versions 3.011 and prior  
• ​1732E-IB16M12DR Series B: Versions 3.011 and prior  
• ​1732E-OB16M12DR Series B: Versions 3.011 and prior  
• ​1732E-8X8M12DR Series B: Versions 3.011 and prior 
• ​1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior  

3.2 VULNERABILITY OVERVIEW

3.2.1 ​OUT-OF-BOUNDS WRITE CWE-787 

​Pyramid Solutions’ affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition. 

​CVE-2022-1737 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). 

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• ​COUNTRIES/AREAS DEPLOYED: Worldwide 
• ​COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

​Rockwell Automation reported this vulnerability to CISA. 

4. MITIGATIONS

​Rockwell Automation has released and recommends users apply the following mitigations: 

• ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior. Upgrade to 7.013 
• ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior. Upgrade to 5.021  
• ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior. Upgrade to 6.013  
• ​1794-AENTR Series A: Versions 2.011 and prior. Upgrade to 2.012  
• ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior. Upgrade to 3.012 
• ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12QCR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012 
• ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-IB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-OB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-IB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-OB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-8X8M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012 
• ​1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior. Upgrade to 3.012 

​Rockwell Automation encourages users of the affected software to apply the risk mitigations below, if possible. Additionally, users are encouraged to implement suggested security best practices to minimize the risk of vulnerability. 

​Users should upgrade to the corrected firmware to mitigate the issues:

• ​Security best practices 

​For more information, see Rockwell Automation’s Security Advisory. 

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.  

1. EXECUTIVE SUMMARY

• ​CVSS v3 7.3 
• ​ATTENTION: low attack complexity 
• ​Vendor: CODESYS, GmbH 
• ​Equipment: CODESYS Development System 
• ​Vulnerability: Uncontrolled Search Path Element. 

2. RISK EVALUATION

​Successful exploitation of this vulnerability could cause users to unknowingly launch a malicious binary placed by a local attacker. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

• ​CODESYS Development System: versions from 3.5.17.0 and prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 ​UNCONTROLLED SEARCH PATH ELEMENT CWE-427 

​In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users’ context. 

​CVE-2023-3662 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• ​COUNTRIES/AREAS DEPLOYED: Worldwide 
• ​COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

​Carlo Di Dato of Deloitte Risk Advisory Italia – Vulnerability Research Team reported this vulnerability. CERT@VDE coordinated the vulnerability. 

4. MITIGATIONS

ODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

​The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

​Alternatively, users may find further information on obtaining the software update in the CODESYS Update area. 

​For more information, please see the advisory CERT@VDE published for CODESYS at: 

​https://cert.vde.com/en-us/advisories/vde-2023-021 

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

• ​Exercise principles of least privilege. 

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

​CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

• ​Do not click web links or open attachments in unsolicited email messages. 
• ​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
• ​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. 

Today CISA hosted the nation’s largest annual election security exercise this week in close coordination with the National Association of Secretaries of State (NASS) and the National Association of State Election Directors (NASED).

We applaud Microsoft’s announcement to make necessary logs identified by CISA and our partners as most critical to identifying cyber-attacks available to customers without additional cost.

U.S. and international cybersecurity partners published an advisory today on the common vulnerabilities and exposures (CVEs), to include associated common weakness enumeration (CWE), that were routinely and frequently exploited by malicious actors last year.