Apple has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the following advisories and apply the necessary updates.

• iOS 17.0.1 and iPadOS 17.0.1
• iOS 16.7 and iPadOS 16.7
• watchOS 10.0.1
• watchOS 9.6.3
• Safari 16.6.1
• macOS Ventura 13.6
• macOS Monterey 12.7

The Internet Systems Consortium (ISC) has released security advisories to address vulnerabilities affecting ISC’s Berkeley Internet Name Domain (BIND) 9. A malicious cyber actor could exploit these vulnerabilities to cause denial-of-service conditions.

CISA encourages users and administrators to review the following ISC advisories and apply necessary updates or workarounds:

• CVE-2023-4236: named may terminate unexpectedly under high DNS-over-TLS query load
• CVE-2023-3341: A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly

CISA released six Industrial Control Systems (ICS) advisories on September 21, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-23-264-01 Real Time Automation 460 Series
• ICSA-23-264-02 Siemens Spectrum Power 7
• ICSA-23-264-03 Delta Electronics DIAScreen
• ICSA-23-264-04 Rockwell Automation Select Logix Communication Modules
• ICSA-23-264-05 Rockwell Automation Connected Components Workbench
• ICSA-23-264-06 Rockwell Automation FactoryTalk View Machine Edition

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.6
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
• Vendor: Rockwell Automation
• Equipment: Connected Components Workbench
• Vulnerabilities: Use After Free, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to exploit heap corruption via a crafted HTML.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Connected Components Workbench Smart Security Manager are affected:

• Connected Components Workbench: versions prior to R21

3.2 Vulnerability Overview

3.2.1 USE AFTER FREE CWE-416

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVE-2020-16017 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.2 USE AFTER FREE CWE-416

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVE-2022-0609 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-16009 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-16013 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS WRITE CWE-787

Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-15999 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Multiple
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users to update to R21 and later.

Users with the affected software are encouraged to apply the risk mitigations, if possible.

Additionally, Rockwell Automation encourages users to implement their suggested security best practices to minimize the risk of vulnerability.

• Security Best Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

• September 21, 2023: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.2
• ATTENTION: Low Attack Complexity
• Vendor: Siemens
• Equipment: Spectrum Power 7
• Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to inject arbitrary code to the update script and escalate privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• Spectrum Power 7: versions prior to V23Q3

3.2 Vulnerability Overview

3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732

The affected product assigns improper access rights to the update script. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

CVE-2023-38557 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Tyler Webb from Dragos Inc. reported this vulnerability to Siemens and CISA.

4. MITIGATIONS

Siemens has released an update for Spectrum Power 7 (V23Q3) and recommends to update to the latest version. For any versions of Spectrum Power 7 prior to V23Q3, please contact Siemens customer support

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to Siemens’ operational guidelines in order to run the devices in a protected IT environment.

For more information see the associated Siemens security advisory SSA-357182 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• September 21, 2023: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 5.5
• ATTENTION: Low attack complexity
• Vendor: Omron
• Equipment: Sysmac Studio
• Vulnerability: Improper Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Omron engineering software are affected:

• Sysmac Studio: version 1.54 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHORIZATION CWE-285

Omron engineering applications install executables with low privileged user “write” permissions. This could allow an attacker to alter the files to execute arbitrary code.

CVE-2022-45793 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to CISA.

4. MITIGATIONS

OMRON recommends the following general mitigation measures to minimize the risk of exploitation of this vulnerability:

• Anti-virus protection
  • Protect any PC with access to the control system against malware and ensure installation and maintenance of up-to-date commercial grade anti-virus software protection.
• Security measures to prevent unauthorized access
  • Minimize connection of control systems and equipment to open networks, so that untrusted devices will be unable to access them.
  • Implement firewalls (by shutting down unused communications ports, limiting communications hosts) and isolate them from the IT network.
  • Use a virtual private network (VPN) for remote access to control systems and equipment.
  • Use strong passwords and change them frequently.
  • Install physical controls so that only authorized personnel can access control systems and equipment.
  • Scan for viruses to ensure safety of any USB drives or similar devices before connecting them to systems and devices.
  • Enforce multifactor authentication of all devices with remote access to control systems and equipment whenever possible.
• Data input and output protection
  • Perform process validation, such as backup validation or range checks, to cope with unintentional modification of input/output data to control systems and devices.
• Data recovery
  • Periodical data backup and maintenance to prevent data loss.

Please see Omron’s Advisory for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• September 19, 2023: Initial Publication

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-28434 MinIO Security Feature Bypass Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 5.5
• ATTENTION: low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC PCS neo Administration Console
• Vulnerability: Insertion of Sensitive Information into Externally-Accessible File or Directory

2. RISK EVALUATION

Successful exploitation of this vulnerability could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMATIC PCS neo (Administration Console): V4.0
• SIMATIC PCS neo (Administration Console): V4.0 Update 1

3.2 Vulnerability Overview

3.2.1 Insertion of Sensitive Information into Externally-Accessible File or Directory CWE-538

The affected application leaks Windows admin credentials. An attacker with local access to the Administration Console could get the credentials, and impersonate the admin user, thereby gaining admin access to other Windows systems.

CVE-2023-38558 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Multiple
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released Security Patch 01 for the affected products and recommends users install the patch.

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

• Change the password of the Windows accounts used for the remote deployment of AC Agent and avoid to remotely deploy AC Agents

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and follow the recommendations in the product manuals.
Additional information on industrial security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

For more information see the associated Siemens security advisory SSA-646240 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• September 19, 2023: Initial Publication