Schneider Electric PowerLogic PM55xx and PowerLogic PM8ECC

1. EXECUTIVE SUMMARY

CVSS v4 9.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: PowerLogic PM5500 and PowerLogic PM8ECC
Vulnerabilities: Weak Password Recovery Mechanism for Forgotten Password, Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker gaining escalated privileges and obtaining control of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerLogic PM55xx power metering devices and PowerLogic PM8ECC ethernet communication module are affected:

PM5560: Versions prior to v2.7.8
PM5561: Versions prior to v10.7.3
PM5562: v2.5.4 and prior
PM5563: Versions prior to v2.7.8
PM8ECC: All versions

3.2 Vulnerability Overview

3.2.1 WEAK PASSWORD RECOVERY MECHANISM FOR FORGOTTEN PASSWORD CWE-640

The affected product is vulnerable due to weak password recovery mechanisms, which may allow an attacker to gain unauthorized access and potentially deny service to legitimate system users.

CVE-2021-22763 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2021-22763. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER AUTHENTICATION CWE-287

The affected product is vulnerable due to improper authentication, which may provide an attacker with sensitive information or allow an attacker to remotely execute arbitrary code.

CVE-2021-22764 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2021-22764. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Multiple
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Jacob Baines of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider has provided the following remediations:

Users should consider blocking HTTP access to the device at the firewall level or disable the HTTP web service to reduce the risk of exposure.
Version 2.8.3 of the PowerLogic PM5560, 5563, 5580 firmware includes fixes for these vulnerabilities.
Version 10.7.3 of the PowerLogic PM5561 firmware includes fixes for these vulnerabilities.
Version 4.3.5 of the PowerLogic PM5562 firmware. includes fixes for these vulnerabilities.
PowerLogic PM8ECC has reached end of service and is no longer supported.

Schneider Electric recommends the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version
available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2021-159-02 in PDF and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 26, 2024: Initial Publication

Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M340, M580 and M580 Safety PLCs

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable remotely
Vendor: Schneider Electric
Equipment: EcoStruxure Control Expert, EcoStruxure Process Expert and Modicon M340, M580 and M580 Safety PLCs
Vulnerabilities: Improper Enforcement of Message Integrity During Transmission in a Communication Channel, Use of Hard-coded Credentials, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a denial of service, a loss of confidentiality, and threaten the integrity of controllers.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric products are affected:

Modicon M340 CPU (part numbers BMXP34*): Versions prior to sv3.60 (CVE-2023-6408)
Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety): Versions prior to SV4.20 (CVE-2023-6408)
Modicon M580 CPU Safety: Versions prior to SV4.21 (CVE-2023-6408)
EcoStruxure Control Expert: Versions prior to v16.0
EcoStruxure Process Expert: Versions prior to v2023
Modicon MC80 (part numbers BMKC80): All versions (CVE-2023-6408)
Modicon Momentum Unity M1E Processor (171CBU*): All versions (CVE-2023-6408)

3.2 Vulnerability Overview

3.2.1 IMPROPER ENFORCEMENT OF MESSAGE INTEGRITY DURING TRANSMISSION IN A COMMUNICATION CHANNEL CWE-924

An improper enforcement of message integrity during transmission in a communication channel vulnerability exists that could cause a denial of service, a loss of confidentiality, and threaten the integrity of controllers through a man-in-the-middle attack.

CVE-2023-6408 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798

A use of hard-coded credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.

CVE-2023-6409 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.3 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An insufficiently protected credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.

CVE-2023-27975 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Gao Jian, Jianshuang Ding, and Kaikai Yang reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following remediations and mitigations users can apply to reduce risk:

Modicon M340 CPU (part numbers BMXP34*):

Firmware Version SV3.60 includes a fix for this vulnerability and is available for download.
Set up an application password in the project properties.
Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
Configure the access control list following the recommendations of the user manuals: “Modicon M340 for Ethernet Communications Modules and Processors User Manual” in chapter “Messaging Configuration Parameters”:
Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”:
Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”
Ensure the M340 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”.

Modicon M580 CPU (part numbers BMEP* and BMEH* excluding M580 CPU Safety):

Firmware Versions SV4.20 includes a fix for this vulnerability and is available for download.
Set up an application password in the project properties
Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”.
Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”:
Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 – BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”:
Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”.
Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”.
Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”.
The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication .

Modicon M580 CPU Safety (part numbers BMEP58S and BMEH58S):

Firmware SV4.21 includes a fix for CVE-2023-6408 and is available for download. Important: users needs to use version of EcoStruxure Control Expert v16.0 HF001 minimum to connect with the latest version of M580 CPU Safety.
If users choose not to apply the remediation, they are encouraged to immediately apply the following mitigations to reduce the risk of exploit:
Set up an application password in the project properties.
Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
Configure the Access Control List following the recommendations of “Modicon M580, Hardware, Reference Manual”
Set up a secure communication according to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual,” in chapter “Set up secured communications”.
Use a BMENOC module and follow the instructions to configure IPSEC feature as described in the guideline “Modicon M580 – BMENOC03.1 Ethernet Communications Schneider Electric Security Notification Module, Installation and Configuration Guide” in the chapter “Configuring IPSEC communications”: https://www.se.com/ww/en/download/document/HRB62665/
Use a BMENUA0100 module and follow the instructions to configure IPSEC feature as described in the chapter “Configuring the BMENUA0100 Cybersecurity Settings”
Consider use of external firewall devices such as EAGLE40-07 from Belden to establish VPN connections for M340 & M580 architectures. For more details refer to the chapter “How to protect M580 and M340 architectures with EAGLE40 using VPN”
Ensure the M580 CPU is running with the memory protection activated by configuring the input bit to a physical input, for more details refer to the following guideline “Modicon Controllers Platform Cyber Security Reference Manual”, “CPU Memory Protection section”
NOTE: The CPU memory protection cannot be configured with M580 Hot Standby CPUs. In such cases, use IPsec encrypted communication.
To further reduce the attack surface on Modicon M580 CPU Safety: Ensure the CPU is running in Safety mode and maintenance input is configured to maintain this Safety mode during operation – refer to the document Modicon M580 – Safety System Planning Guide – in the chapter “Operating Mode Transitions”.
Schneider Electric is establishing a remediation plan for all future versions of EcoStruxure Process Expert that will include a fix for CVE-2023-6409 and CVE-2023-27975. They will update SEVD-2024-317-04 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

Modicon MC80 (part numbers BMKC80):

Set up an application password in the project properties.
Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
Configure the access control list following the recommendations of “Modicon MC80 Programmable Logic Controller (PLC) manual” in the chapter “Access Control List (ACL)” a secure communication according to “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”.
(CVE-2023-6408) Schneider Electric Modicon Momentum Unity M1E Processor (171CBU*) All versions: Setup an application password in the project properties
- Setup network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP
- Setup a secure communication according to the following guideline “Modicon Controller Systems Cybersecurity, User Guide” in chapter “Set Up Encrypted Communication”:

EcoStruxure Control Expert:

Version 16.0 includes a fix for these vulnerabilities and is available for download. Reboot the computer after installation is completed.
Enable encryption on application project and store application files in secure location with restricted access only for legitimate users.
Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

EcoStruxure Process Expert:

Version 15.3 HF008 includes the fix for these vulnerabilities and is available for download.
EcoStruxure Process Expert manages application files within its database in secure way. Do not export & store them outside the application.
Schneider Electric recommends using McAfee Application and Change Control software for application control. Refer to the Cybersecurity Application Note.
Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices and the associated Schneider Electric Security Notification SEVD-2024-044-01 in PDF and CSAF.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

November 26, 2024: Initial Publication

Hitachi Energy MicroSCADA Pro/X SYS600

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: MicroSCADA Pro/X SYS600
Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Authentication Bypass by Capture-replay, Missing Authentication for Critical Function, URL Redirection to Untrusted Site (‘Open Redirect’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject code towards persistent data, manipulate the file system, hijack a session, or engage in phishing attempts against users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.0 to Version 10.5 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982, CVE-2024-7941)
Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.2 to Version 10.5 (CVE-2024-7940)
Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.5 (CVE-2024-7941)
Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP1 (CVE-2024-3980)
Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP2 HF1 to Version 9.4 FP2 HF5 (CVE-2024-4872, CVE-2024-3980)

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.

CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

An attacker with local access to a machine where MicroSCADA X SYS600 is installed could enable session logging and try to exploit a session hijacking of an already established session. By default, the session logging level is not enabled and only users with administrator rights can enable it.

CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The product exposes a service that is intended for local only to all network interfaces without any authentication.

CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

3.2.5 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

A HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

CVE-2024-7941 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

3.3 PRODUCT IMPACT

Product-specific impact for an affected product vulnerable to the CVE:

CVE-2024-4872
- (Hitachi Energy MicroSCADA Pro/X SYS600): A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
- (Hitachi Energy MicroSCADA Pro/X SYS600): A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
CVE-2024-3980
- (Hitachi Energy MicroSCADA Pro/X SYS600): A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.4 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.5 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

Hitachi Energy MicroSCADA X SYS600: Update to Version 10.6
(CVE-2024-4872, CVE-2024-3980) Hitachi Energy MicroSCADA Pro SYS600: Apply Patch 9.4 FP2 HF6 (Installation of previous FP2 hotfixes are required prior to the installation of HF6)
(CVE-2024-4872, CVE-2024-3980) Hitachi Energy MicroSCADA X SYS600, Hitachi Energy MicroSCADA Pro SYS600: Follow the general mitigation factors below.
(CVE-2024-3982, CVE-2024-7940, CVE-2024-7941) Hitachi Energy MicroSCADA X SYS600: Follow the general mitigation factors below.

Hitachi Energy recommends the following security practices and firewall configurations to help protect process control networks from attacks that originate from outside the network:

Ensure process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
Process control systems should not be used for Internet
surfing, instant messaging, or receiving e-mails.
Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
Proper password policies and processes should be followed.

For detailed mitigation strategies, users can approach their Hitachi Energy organization contact.

Hitachi Electric highly recommends deploying the product following the “MicroSCADA cybersecurity deployment guideline” document. Users should maintain their systems with products running on supported versions and follow maintenance releases.

For more information, see Hitachi Energy Cybersecurity Advisory “Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600 product”

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 26, 2024: Initial Publication

New Resilient Power Guidance Added to the CISA Resilient Toolkit Portal

USDA Stops Credential Phishing with FIDO Authentication

USDA Releases Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication

Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Agriculture (USDA) released Phishing-Resistant Multi-Factor Authentication (MFA) Success Story: USDA’s FIDO Implementation. This report details how USDA successfully implemented phishing-resistant authentication for its personnel in situations where USDA could not exclusively rely on personal identity verification (PIV) cards.

USDA turned to Fast IDentity Online (FIDO) capabilities, a set of authentication protocols that uses cryptographic keys on user devices, to offer a secure way to authenticate user identities without passwords. USDA’s adoption of FIDO highlights the importance of organizations moving away from password authentication and adopting more secure MFA technologies.

This report offers examples to help organizations strengthen their cybersecurity posture through use cases, recommended actions, and resources. USDA successfully implemented MFA by adopting a centralized model, making incremental improvements, and addressing specific use cases. Organizations facing challenges with phishing-resistant authentication are encouraged to review this report.

For more information about phishing-resistant MFA, visit Phishing-Resistant MFA is Key to Peace of Mind and Implementing Phishing-Resistant MFA.

CISA Releases Venue Guide for Security Considerations

CISA Launches New Learning Platform to Enhance Training and Education U.S. Veterans and Other Stakeholders

CISA’s Vulnerability Management goes “Big” on Interns and the Results are Staggering!

Siemens SIPORT

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low Attack Complexity
Vendor: Siemens
Equipment: SIPORT
Vulnerability: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker with an unprivileged account to override or modify the service executable and subsequently gain elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

Siemens SIPORT: Versions prior to V3.4.0

3.2 Vulnerability Overview

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected application improperly assigns file permissions to installation folders. This could allow a local attacker with an unprivileged account to override or modify the service executables and subsequently gain elevated privileges.

CVE-2024-47783 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47783. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Remove write permissions for non-administrative users on files and folders located under the installation path
Update to V3.4.0 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-064257 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

November 14, 2024: Initial Publication