US
There are 212 posts filed in US (this is page 11 of 22).
CISA and FEMA Open the Application Process for the Tribal Cybersecurity Grant Program
Advantech EKI-1524-CE series
1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Advantech
- Equipment: EKI-1524-CE, EKI-1522-CE, EKI-1521-CE
- Vulnerabilities: Cross-Site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the session.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Advantech serial device servers are affected:
- EKI-1524-CE series: versions 1.24 and prior
- EKI-1522-CE series: versions 1.24 and prior
- EKI-1521-CE series: versions 1.24 and prior
3.2 Vulnerability Overview
3.2.1 Cross-Site Scripting CWE-79
Advantech EKI-1524, EKI-1522, EKI-1521 devices through version 1.21 are affected by a stored cross-site scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.
CVE-2023-4202 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
3.2.2 Cross-Site Scripting CWE-79
Advantech EKI-1524, EKI-1522, EKI-1521 devices through version 1.24 are affected by a stored cross-site scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface.
CVE-2023-4203 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
These vulnerabilities were discovered during research by R. Haas, A. Resanovic, T. Etzenberger, M. Bineder at St. Plten UAS, supported and coordinated by CyberDanube.
4. MITIGATIONS
Advantech recommends users upgrade to the latest version available (currently v1.26) as shown below:
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
Suprema BioStar 2
1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
- Vendor: Suprema Inc.
- Equipment: BioStar 2
- Vulnerability: SQL Injection
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Suprema BioStar 2, an access control system, are affected:
- BioStar 2: version 2.8.16
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via value parameters.
CVE-2023-27167 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: South Korea
3.4 RESEARCHER
CISA discovered a public proof of concept (PoC) as authored by Yuriy (Vander) Tsarenko and reported it to Exploit-db.
4. MITIGATIONS
SupremaINC has released BioStar 2 2.9.4 to fix this vulnerability.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
CISA Launches National Public Service Announcement Campaign Encouraging Americans to Take Steps to Keep Themselves and Their Families Safe Online
Mitsubishi Electric FA Engineering Software
1. EXECUTIVE SUMMARY
- CVSS v3 9.3
- ATTENTION: Low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: FA Engineering Software Products
- Vulnerability: Incorrect Default Permissions
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local attacker to execute code, which could result in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric FA Engineering Software Products are affected:
- GX Works3: All versions
3.2 Vulnerability Overview
3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276
In all versions of Mitsubishi Electric GX Works3, code execution is possible due to permission issues. This could allow an attacker to cause information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
CVE-2023-4088 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:
- Install the version described in the Mitsubishi Electric advisory into the default installation folder. If it is necessary to change the installation folder from the default, select a folder that only users with Administrator privileges have permission to change.
- Install an anti-virus software on the computer using the affected product.
- Use your computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
- When connecting your computer with the affected product to the Internet, use a firewall, virtual private network (VPN),
etc., and allow only trusted users to remote login. - Don’t open untrusted files or click untrusted links.
For more information, see the Mitsubishi security advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
Baker Hughes Bently Nevada 3500
1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Baker Hughes – Bently Nevada
- Equipment: Bently Nevada 3500 System
- Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Transmission of Sensitive Information, Authentication Bypass by Capture-replay
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to steal sensitive information and gain access to the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of the Bently Nevada 3500 System, a real-time monitoring solution, are affected:
- Bently Nevada 3500 Rack (TDI Firmware): version 5.05
3.2 Vulnerability Overview
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 has a vulnerability in their password retrieval functionality which could be used by an attacker to access passwords stored on the device.
CVE-2023-34437 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 authentication secrets, used with the Connect Password, are passed in cleartext with every request to the device. An attacker could steal the authentication secret from communication traffic to the device and reuse it for arbitrary requests.
CVE-2023-34441 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).
3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294
Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 accepts out-of-sequence messages from older communications. This could allow an attacker to replay older captured packets of traffic to the device to gain access.
CVE-2023-36857 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Diego Zaffaroni of Nozomi Networks reported these vulnerabilities to CISA.
4. MITIGATIONS
Baker Hughes – Bently Nevada recommends that users follow their hardening guidelines to reduce the risk of exploitation. Customers who have registered for access to Baker Hughes DAM may directly access the hardening guideline at https://dam.bakerhughes.com/media/?mediaId=32F7FC2F-9F22-4C69-BB847565B7834D08.
For customers that do not have access to Baker Hughes DAM may send an email to bentlysupport@bakerhughes.com to request document 106M9733.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
Hitachi Energy Asset Suite 9
1. EXECUTIVE SUMMARY
- CVSS v3 6.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Asset Suite 9
- Vulnerability: Improper Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated user to enter an arbitrary password to execute equipment tag out actions.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports these vulnerabilities affect the following products:
- Asset Suite: Versions 9.6.3.11.1 and prior
- Asset Suite: Version 9.6.4
3.2 Vulnerability Overview
3.2.1 IMPROPER AUTHENTICATION CWE-287
A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user performing an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action.
CVE-2023-4816 has been assigned to this vulnerability. A CVSS v3 base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:L).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy reported this vulnerability to CISA.
4. MITIGATIONS
Hitachi Energy recommends applying one the following mitigation actions until a fix has been delivered in a patch:
- Configure Asset Suite 9 with a different authentication method other than SSO.
- Configure Asset Suite security to disallow holder actions to be taken on behalf of other employees by removing authorization for the following security events to all users: T214ACT, T214RLS, and T214CLR.
- Set Equipment Tag Out preference ‘C/O HOLDER PSWD’ to ‘N’.
For more information, see Hitachi Energy advisory 8DBD000172
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability
- CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability
- CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.