CISA Announces Launch of Logging Made Easy

Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free. CISA’s version reimagines technology developed by the United Kingdom’s National Cyber Security Centre (NCSC), making it available to a wider audience.

Log management makes systems more secure. Until now, it has been a heavy lift for many targeted organizations, especially those with limited resources. CISA’s LME is a turnkey solution for public and private organizations seeking to strengthen their cybersecurity while reducing their log management burden.

As CISA’s newest shared services product offering, LME builds upon the success of the NCSC’s log management solution, which was decommissioned in March 2023. CISA urges organizations to secure their Windows-based devices today by downloading the free LME technical solution.

CISA Announces New Release of Logging Made Easy

Dingtian DT-R002

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely/public exploits are available
Vendor: Dingtian
Equipment: DT-R002
Vulnerability: Authentication Bypass by Capture-Replay

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R002, a relay board, are affected:

DT-R002: version 3.1.276A

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request.

CVE-2022-29593 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Unknown
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

CISA discovered a public Proof of Concept (PoC) as authored by Victor Hanna of Trustwave SpiderLabs.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

This vulnerability has a high attack complexity.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

CISA Issues Request for Comment on Software Identification Ecosystem Analysis White Paper

Opinion | Can we Afford the Risk? Measuring the cost of the Expiration of the Chemical Facilities Anti-Terrorism Standards Program

Sielco PolyEco FM Transmitter

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Sielco
Equipment: PolyEco1000
Vulnerabilities: Session Fixation, Improper Restriction of Excessive Authentication Attempts, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Sielco PolyEco1000, a FM transmitter, are affected:

PolyEco1000: CPU:2.0.6 FPGA:10.19
PolyEco1000: CPU:1.9.4 FPGA:10.19
PolyEco1000: CPU:1.9.3 FPGA:10.19
PolyEco500: CPU:1.7.0 FPGA:10.16
PolyEco300: CPU:2.0.2 FPGA:10.19
PolyEco300: CPU:2.0.0 FPGA:10.19

3.2 Vulnerability Overview

3.2.1 SESSION FIXATION CWE-384

Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in requests.

CVE-2023-0897 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

CVE-2023-5754 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.3 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an attacker escalating their privileges by modifying passwords in POST requests.

CVE-2023-46661 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.4 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information.

CVE-2023-46662 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.

CVE-2023-46663 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.6 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an improper access control vulnerability when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

CVE-2023-46664 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.7 IMPROPER ACCESS CONTROL CWE-284

Sielco PolyEco1000 is vulnerable to an authentication bypass vulnerability due to an attacker modifying passwords in a POST request and gain unauthorized access to the affected device with administrative privileges.

CVE-2023-46665 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered a public proof of concept as authored by Gjoko Krstic of ZeroScience.

4. MITIGATIONS

Sielco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of Sielco PolyEco FM Transmitter are invited to contact Sielco customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Rockwell Automation FactoryTalk View Site Edition

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: FactoryTalk View Site Edition
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause the product to become unavailable and require a restart to recover resulting in a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of FactoryTalk View Site Edition are affected:

FactoryTalk View Site Edition: V11.0

3.2 Vulnerability Overview

3.2.1 IMPROPER INPUT VALIDATION CWE-20

FactoryTalk View Site Edition V11.0 insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVE-2023-46289 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has provided patches for these versions v11.0 & v12.0 & v13.0.

Rockwell Automation encourages users of the affected software to apply the risk mitigations if possible. Additionally, they encourage users to implement their suggested security best practices to minimize the risk

For more information, see Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

Centralite Pearl Thermostat

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Centralite
Equipment: Pearl Thermostat
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial of service on the affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions Centralite Pearl Thermostat are affected:

Pearl Thermostat: version 0x04075010

3.2 Vulnerability Overview

3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A vulnerability in Centralite Pearl Thermostat 0x04075010 allows attackers to cause a denial of service (DoS) via a crafted Zigbee message.

CVE-2023-24678 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Xiaoyue Ma (xma9@gmu.edu), Lannan “Lisa” Luo (lluo4@gmu.edu) and Qiang Zeng (zeng@gmu.edu) of George Mason University reported this vulnerability.

4. MITIGATIONS

Centralite has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of Centralite Pearl Thermostat are invited to contact Centralite customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

5. UPDATE HISTORY

October 26, 2023: Initial Publication

VMware Releases Security Advisory for vCenter Server

VMware released a security advisory for a vulnerability (CVE-2023-34048) affecting the VMware vCenter Server and (CVE-2023-34056) affecting [VMware Cloud Foundation]. A remote cyber actor could exploit these vulnerabilities to obtain information or take control of an affected system.

CISA encourages users and administrators to review the VMware vCenter Server Out-of-Bounds Write Vulnerability VMSA-2023-0023 advisory and apply the necessary updates.

Sielco Radio Link and Analog FM Transmitters

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Sielco
Equipment: Analog FM Transmitters and Radio Link
Vulnerabilities: Improper Access Control, Cross-Site Request Forgery, Privilege Defined with Unsafe Actions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Sielco devices are affected:

Analog FM transmitter: 2.12 (EXC5000GX)
Analog FM transmitter: 2.12 (EXC120GX)
Analog FM transmitter: 2.11 (EXC300GX)
Analog FM transmitter: 2.10 (EXC1600GX)
Analog FM transmitter: 2.10 (EXC2000GX)
Analog FM transmitter: 2.08 (EXC1600GX)
Analog FM transmitter: 2.08 (EXC1000GX)
Analog FM transmitter: 2.07 (EXC3000GX)
Analog FM transmitter: 2.06 (EXC5000GX)
Analog FM transmitter: 1.7.7 (EXC30GT)
Analog FM transmitter: 1.7.4 (EXC300GT)
Analog FM transmitter: 1.7.4 (EXC100GT)
Analog FM transmitter: 1.7.4 (EXC5000GT)
Analog FM transmitter: 1.6.3 (EXC1000GT)
Analog FM transmitter: 1.5.4 (EXC120GT)
Radio Link: 2.06 (RTX19)
Radio Link: 2.05 (RTX19)
Radio Link: 2.00 (EXC19)
Radio Link: 1.60 (RTX19)
Radio Link: 1.59 (RTX19)
Radio Link: 1.55 (EXC19)

3.2 Vulnerability Overview

3.2.1 Improper Access Control CWE-284

The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter.

CVE-2023-42769 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Cross-Site Request Forgery CWE-352

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

CVE-2023-45317 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 Improper Access Control CWE-284

The application suffers from improper access control when editing users. A user with read permissions can manipulate users, passwords, and permissions by sending a single HTTP POST request with modified parameters.

CVE-2023-45228 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.2.4 Privilege Defined With Unsafe Actions CWE-267

The application suffers from a privilege escalation vulnerability. A user with read permissions can elevate privileges by sending a HTTP POST to set a parameter.

CVE-2023-41966 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

CISA discovered public proof of concept of these vulnerabilities as authored by Gjoko Krstic of ZeroScience.

4. MITIGATIONS

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Exercise principles of least privilege.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

October 26, 2023: Initial Publication