1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Emerson
Equipment: Ovation
Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity

CISA is aware of a public report, known as “OT:ICEFALL”, detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, denial-of-service, or allow an attacker to modify the controller configuration.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson products are affected:

Ovation: Version 3.8.0 Feature Pack 1 and prior

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product has several protocols that have no authentication, which could allow an attacker to change controller configuration or cause a denial-of-service condition.

CVE-2022-29966 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29966. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

The affected product was found to have no authentication of firmware signing and relies on an insecure checksum for integrity. This could allow an attacker to push malicious firmware images, cause a denial-of-service condition, or achieve remote code execution.

CVE-2022-30267 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30267. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Daniel dos Santos and Jos Wetzels from Forescout Technologies reported these vulnerabilities to CISA

4. MITIGATIONS

Emerson recommends the following:

Upgrade to the currently available release of Ovation 3.8.0 Feature Pack 3 for remediation of many of the identified vulnerabilities.
Users are advised to consider the use of OCR3000 controllers, which offer an extra layer of protection that is not available to older controller models.
Deploy and configure Ovation systems and related components as described in the Cybersecurity for Ovation Systems manual (OVREF1000). Ovation Users’ Group Website (User Manuals | Reference Manuals) (login required)
Users with questions or concerns regarding the impact of these vulnerabilities on Ovation should contact the
Ovation-CERT by email or phone (1-800-445-9723, option 3).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

June 6, 2024: Initial Publication

Readout from CISA’s 2024 Second Quarter Cybersecurity Advisory Committee Meeting

CISA Hosts First Annual Information and Communications Technology Supply Chain Risk Management Task Force Conference

Baxter Welch Allyn Configuration Tool

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable remotely
Vendor: Baxter
Equipment: Welch Allyn Configuration Tool
Vulnerability: Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to the unintended exposure of credentials to unauthorized users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Baxter (formerly Hillrom and Welch Allyn) products, are affected:

Welch Allyn Product Configuration Tool: Versions 1.9.4.1 and prior

3.2 Vulnerability Overview

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Any credentials that were used for authentication or input while using the Welch Allyn Configuration Tool have the potential to be compromised and should be changed immediately.

CVE-2024-5176 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2024-5176. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Baxter reported this vulnerability to CISA.

4. MITIGATIONS

Baxter has found no evidence to date of any compromise of personal or health data. Baxter will release a software update for all impacted software to address this vulnerability. A new version of the product that mitigates the vulnerability will be available as follows:

Welch Allyn Product Configuration Tool versions 1.9.4.2: Available Q3 2024
No user action will be required once the update is released.

Baxter recommends the following workarounds to help reduce risk:

Apply proper network and physical security controls.
The Welch Allyn Configuration Tool has been removed from public access. Customers are advised to contact Baxter Technical Support or their Baxter Project Manager to create configuration files, as needed. Baxter Technical Support can be reached at (800)535-6663, option 2.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 30, 2024: Initial Publication

Fuji Electric Monitouch V-SFT

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Fuji Electric
Equipment: Monitouch V-SFT
Vulnerabilities: Out-of-Bounds Write, Stack-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Fuji Electric’s Monitouch V-SFT, a screen configuration software, are affected:

Monitouch V-SFT: Versions prior to 6.2.3.0

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write because of a type confusion, which could result in arbitrary code execution.

CVE-2024-5271 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-5271. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.

CVE-2024-34171 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34171. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

kimiy, working with Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.

4. MITIGATIONS

Fuji Electric recommends users update the product to Monitouch V-SFT v6.2.3.0.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

May 30, 2024: Initial Publication

A Plan to Protect Critical Infrastructure from 21st Century Threats

Cisco Releases May 2024 Cisco ASA, FMC, and FTD Software Security Publication

Cisco released a bundled publication for security advisories that address vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) software. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

Users and administrators are encouraged to review the following publication and apply necessary updates:

Cisco Event Response: May 2024 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication

AutomationDirect Productivity PLCs

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: AutomationDirect
Equipment: Productivity PLCs
Vulnerabilities: Buffer Access with Incorrect Length Value, Out-of-bounds Write, Stack-based Buffer Overflow, Improper Access Control, Active Debug Code, Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to remote code execution and denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

AutomationDirect reports the following versions of Productivity PLCs are affected:

Productivity 3000 P3-550E CPU: FW 1.2.10.9
Productivity 3000 P3-550E CPU: SW 4.1.1.10
Productivity 3000 P3-550 CPU: FW 1.2.10.9
Productivity 3000 P3-550 CPU: SW 4.1.1.10
Productivity 3000 P3-530 CPU: FW 1.2.10.9
Productivity 3000 P3-530 CPU: SW 4.1.1.10
Productivity 2000 P2-550 CPU: FW 1.2.10.10
Productivity 2000 P2-550 CPU: SW 4.1.1.10
Productivity 1000 P1-550 CPU: FW 1.2.10.10
Productivity 1000 P1-550 CPU: SW 4.1.1.10
Productivity 1000 P1-540 CPU: FW 1.2.10.10
Productivity 1000 P1-540 CPU: SW 4.1.1.10

3.2 Vulnerability Overview

3.2.1 Buffer Access with Incorrect Length Value CWE-805

A heap-based buffer overflow vulnerability exists in the Programming Software Connection FiBurn functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a buffer overflow. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24851 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24851. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 Out-of-bounds Write CWE-787

A length exceeded buffer overflow vulnerability exists in the Programming Software Connection CurrDir functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24946 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24946. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.3 Out-of-bounds Write CWE-787

An allocation failed buffer overflow vulnerability exists in the Programming Software Connection CurrDir functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24947 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24947. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.4 Out-of-bounds Write CWE-787

A null-byte write vulnerability exists in the Programming Software Connection FileSystem API functionality of AutomationDirect P3-550E 1.2.10.9. Specially crafted network packets can lead to heap-based memory corruption. An attacker can send malicious packets to trigger these vulnerabilities.

CVE-2024-24954 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24954. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

CVE-2024-24955 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24955. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

CVE-2024-24956 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24956. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.7 Out-of-bounds Write CWE-787

CVE-2024-24957 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24957. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.8 Out-of-bounds Write CWE-787

CVE-2024-24958 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24958. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.9 Out-of-bounds Write CWE-787

CVE-2024-24959 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24959. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.10 Stack-based Buffer Overflow CWE-121

A stack-based buffer overflow vulnerability exists in the Programming Software Connection FileSelect functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to stack-based buffer overflow. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-24962 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24962. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 Stack-based Buffer Overflow CWE-121

CVE-2024-24963 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-24963. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 Improper Access Control CWE-284

A write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to an arbitrary write. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-22187 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22187. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Access Control CWE-284

A read-what-where vulnerability exists in the Programming Software Connection IMM 01A1 Memory Read functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can send an unauthenticated packet to trigger this vulnerability.

CVE-2024-23315 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-23315. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.14 Active Debug Code CWE-489

Leftover debug code exists in the Telnet Diagnostic Interface functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted series of network requests can lead to unauthorized access. An attacker can send a sequence of requests to trigger this vulnerability.

CVE-2024-21785 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-21785. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.15 Insufficient Verification of Data Authenticity CWE-345

A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2024-23601 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-23601. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Information Technology
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Matt Wiseman of CISCO TALOS reported these vulnerabilities to AutomationDirect.

4. MITIGATIONS

AutomationDirect recommends that users:

Update the Productivity Suite programming software to version 4.2.0.x or higher.
Update Productivity PLC’s firmware to the latest version.

Although Automation Networks and Systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems. It is imperative that Automation Control System Networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems. AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.

AutomationDirect has identified the following mitigation for instances where systems cannot be upgraded to latest version:

Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.
Configure network segmentation to isolate PLC from other devices and systems withing the organization.
Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.

Please refer to the following link for supporting information related to security considerations. https://support.automationdirect.com/docs/securityconsiderations.pdf

If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

May 23, 2024: Initial Publication

CISA and ONCD Award the Winners of the Fifth Annual President’s Cup Cybersecurity Competition