Working with Region 10 cybersecurity, protective security, and election security advisors, the Idaho Secretary of State Office recently spearheaded a comprehensive initiative aimed at bolstering election security readiness through a virtual webinar training series.
DHS
Category Added in a WPeMatico Campaign
There are 849 posts filed in DHS (this is page 37 of 85).
PTC Kepware ThingWorx Kepware Server
1. EXECUTIVE SUMMARY
- CVSS v4 5.9
- ATTENTION: Exploitable from adjacent network.
- Vendor: PTC
- Equipment: Kepware ThingWorx Kepware Server
- Vulnerability: Allocation of Resources Without Limits or Throttling
2. RISK EVALUATION
Successful exploitation of this vulnerability could crash the target device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
PTC reports that the following products and versions are affected:
- PTC Kepware ThingWorx Kepware Server: V6
- PTC Kepware KEPServerEX: V6
- Software Toolbox TOP Server: V6
- GE IGS: V7.6x
3.2 Vulnerability Overview
3.2.1 Allocation of Resources Without Limits or Throttling CWE-770
When performing an online tag generation to devices which communicate using the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured correctly, could deliver a response leading to unrestricted or unregulated resource allocation. This could cause a denial-of-service condition and crash the Kepware application. By default, these functions are turned off, yet they remain accessible for users who recognize and require their advantages.
CVE-2024-6098 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-6098. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Sharon Brizinov and Vera Mens of Claroty Research – Team82 reported this vulnerability to PTC.
4. MITIGATIONS
PTC recommends users take a defense-in-depth stance with regards to their manufacturing networks ensuring proper access control is maintained. Additionally, proper adherence to the Kepware Secure Deployment Guide will minimize this threat through accurate configuration and use of the product.
Please refer to this article (login required) for specific information on how this risk may be mitigated in your environment.
If additional questions remain, contact PTC Technical Support.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- August 15, 2024: Initial Publication
Siemens COMOS
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Siemens
- Equipment: COMOS
- Vulnerabilities: Out-of-bounds Write, Use After Free
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens COMOS, a unified data platform, are affected:
- COMOS: All versions prior to V10.5
3.2 Vulnerability Overview
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
An issue was discovered in Open Design Alliance Drawings SDK before 2024.12. A corrupted value of number of sectors used by the Fat structure in a crafted DGN file leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVE-2023-5180 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.2 USE AFTER FREE CWE-416
Open Design Alliance Drawings SDK (versions before 2024.1) contains a use-after-free vulnerability that could be triggered while parsing specially crafted DWG file. An attacker could leverage this in conjunction with other vulnerabilities to execute arbitrary code.
CVE-2023-26495 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends users update to the latest version:
- Update to V10.5 or later version
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:
- CVE-2023-5180, CVE-2023-26495: Ensure all files imported into the affected product originate from a trusted source and are transmitted over secure channels
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see the associated Siemens security advisory SSA-659443 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY
- August 15, 2024: Initial Publication
SAFECOM Membership Spotlight ft. Red Grasso, North Carolina Department of Information Technology
Dorsett Controls InfoScan
1. EXECUTIVE SUMMARY
- CVSS v4 6.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Dorsett Controls
- Equipment: InfoScan
- Vulnerabilities: Exposure of Sensitive Information To An Unauthorized Actor, Path Traversal
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to expose sensitive information, resulting in data theft and misuse of credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Dorsett Controls products are affected:
- InfoScan: v1.32, v1.33, and v1.35
3.2 Vulnerability Overview
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
Dorsett Controls InfoScan is vulnerable due to a leak of possible sensitive information through the response headers and the rendered JavaScript prior to user login.
CVE-2024-42493 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-42493. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The InfoScan client download page can be intercepted with a proxy, to expose filenames located on the system, which could lead to additional information exposure.
CVE-2024-42408 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-42408. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
Dorsett Controls Central Server update server has potential information leaks with an unprotected file that contains passwords and API keys.
CVE-2024-39287 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-39287. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater Systems
- COUNTRIES/AREAS DEPLOYED: United States
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
An anonymous researcher reported these vulnerabilities to CISA.
4. MITIGATIONS
Dorsett Controls recommends users update their InfoScan system v1.38 or later.
To install the new release, user administrators will need to:
- login to InfoScan and select “System Prefs” from the menu.
- Once the System Prefs application is open, select Maintenance.
- Click the Install Now button in the Ready To Install section.
- If no internet access available, the update will need to be downloaded from the Dorsett Controls Customer Portal by selecting the InfoScan Update tile. Download the update and following the instructions listed on the portal.
For more information, please refer to the Dorsett Controls security bulletin for more information.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- August 8, 2024: Initial Publication
Delta Electronics DIAScreen
1. EXECUTIVE SUMMARY
- CVSS v4 8.5
- ATTENTION: Low attack complexity
- Vendor: Delta Electronics
- Equipment: DIAScreen
- Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a stack-based buffer overflow, resulting in execution of arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Delta Electronics DIAScreen visualization software are affected:
- DIAScreen: Versions prior to 1.4.2
3.2 Vulnerability Overview
3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
A crafted DPA file could force Delta Electronics DIAScreen to overflow a stack-based buffer, which could allow an attacker to execute arbitrary code.
CVE-2024-7502 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-7502. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
Natnael Samson (@NattiSamson) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.
4. MITIGATIONS
Delta Electronics has released v1.4.2 of DIAScreen and recommends users install this update on all affected systems.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- August 6, 2024: Initial Publication
CISA Releases Secure by Demand Guidance
Today, CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start.
An organization’s acquisition staff often has a general understanding of the core cybersecurity requirements for a particular technology acquisition. However, they frequently don’t assess whether a given supplier has practices and policies in place to ensure that security is a core consideration from the earliest stages of the product development lifecycle.
This guide provides organizations with questions to ask when buying software, considerations to integrate product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles.
This guide compliments the “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” that was recently published.
CISA encourages organizations to review both the Secure by Demand Guide and Software Acquisition Guide and implement recommended actions.
CISA Releases Secure by Demand Guide
Rockwell Automation Logix Controllers
1. EXECUTIVE SUMMARY
- CVSS v4 7.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules
- Vulnerability: Unprotected Alternate Channel
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute CIP programming and configuration commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules are affected:
- ControlLogix: Version V28
- GuardLogix: Version V31
- 1756-EN4TR: Version V2
- 1756-EN2T, Series A/B/C (unsigned version): Version v5.007
- 1756-EN2F, Series A/B (unsigned version): Version v5.007
- 1756-EN2TR, Series A/B (unsigned version): Version v5.007
- 1756-EN3TR, Series B (unsigned version): Version v5.007
- 1756-EN2T, Series A/B/C (signed version): Version v5.027
- 1756-EN2F, Series A/B (signed version): Version v5.027
- 1756-EN2TR, Series A/B (signed version): Version v5.027
- 1756-EN3TR, Series B (signed version): Version v5.027
- 1756-EN2T, Series D: Version V10.006
- 1756-EN2F, Series C: Version V10.009
- 1756-EN2TR, Series C: Version V10.007
- 1756-EN3TR, Series B: Version V10.007
- 1756-EN2TP, Series A: Version V10.020
3.2 Vulnerability Overview
3.2.1 Unprotected Alternate Channel CWE-420
A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.
CVE-2024-6242 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-6242. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Sharon Brizinov of Claroty Research – Team82 reported this vulnerability to Rockwell Automation.
4. MITIGATIONS
Rockwell Automation recommends users update the Logix controllers to the following:
- ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014,
V35.011 and later. - GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014,
V35.011 and later. - 1756-EN4TR: Update to versions V5.001 and later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later
The products 1756-EN2T Series A/B/C, 1756-EN2F Series A/B, 1756-EN2TR Series A/B, and 1756-EN3TR Series B do not have a fix available. Users can upgrade to Series D to remediate this vulnerability.
Users that are using the affected firmware and who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible:
- Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.
- Security Best Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- August 01, 2024: Initial Publication
Johnson Controls exacqVision Web Service
1. EXECUTIVE SUMMARY
- CVSS v3 5.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Johnson Controls, Inc.
- Equipment: Web Service
- Vulnerability: Use of GET Request Method With Sensitive Query Strings
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Johnson Controls exacqVision Web Service are affected:
- exacqVision Web Service: Versions 24.03 and prior
3.2 Vulnerability Overview
3.2.1 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598
Under certain circumstances exacqVision Web Service versions 24.03 and prior can expose authentication token details within communications.
CVE-2024-32931 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Ireland
3.4 RESEARCHER
Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.
4. MITIGATIONS
Johnson Controls recommends users update exacqVision Web Service to version 24.06
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-19.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- August 01, 2024: Initial Publication