CISA released one Industrial Control Systems (ICS) advisory on August 29, 2023. This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-23-241-01 PTC CodeBeamer

CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations.

1. EXECUTIVE SUMMARY

• ​CVSS v3 8.8
• ​ATTENTION: Exploitable remotely/low attack complexity
• ​Vendor: PTC
• ​Equipment: Codebeamer
• ​Vulnerability: Cross site scripting

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim’s browser upon clicking on a malicious link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following versions of PTC Codebeamer, Application Lifecycle Management (ALM) platform for product and software development, are affected:

• ​Codebeamer: v22.10-SP6 or lower
• ​Codebeamer: v22.04-SP2 or lower
• ​Codebeamer: v21.09-SP13 or lower

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

​If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

​CVE-2023-4296 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Multiple
• ​COUNTRIES/AREAS DEPLOYED: Worldwide
• ​COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

​Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.

4. MITIGATIONS

​PTC recommends the following:

• ​Version 22.10.X: upgrade to 22.10-SP7 or newer version
• ​Version 22.04.X: upgrade to 22.04-SP3 or newer version
• ​Version 21.09.X: upgrade to 21.09-SP14 or newer version

​Docker Image download: https://hub.docker.com/r/intland/codebeamer/tags

​Codebeamer installers: https://intland.com/codebeamer-download/

​Hosted customers may request an upgrade through the support channel.

​Note that version 2.0 is not impacted by this vulnerability.

​For more information refer to PTC Security Advisory and Resolution.

​CISA recommends users take the following measures to protect themselves from social engineering attacks:

• ​Do not click web links or open attachments in unsolicited email messages.
• ​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• ​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. Malicious threat actors exploited this vulnerability as a zero day as early as October 2022 to gain access to ESG appliances. 

Download the newly released IOCs associated with this activity:

Review the following advisories for more information:  

• Barracuda: Barracuda Email Security Gateway Appliance (ESG) Vulnerability
• Mandiant: Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)

See CISA Releases Malware Analysis Reports on Barracuda Backdoors for malware analysis reports (MARs) covering previously released IOCs and YARA rules and Barracuda Networks Releases Update to Address ESG Vulnerability. 

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its inaugural Vulnerability Disclosure Policy (VDP) Platform 2022 Annual Report, highlighting the service’s progress supporting vulnerability awareness and remediation across the Federal Civilian Executive Branch (FCEB). This report showcases how agencies have used the VDP Platform—launched in July 2021—to safeguard the FCEB and support risk reduction. The VDP platform gives federal agencies a single, user-friendly interface to intake vulnerability information and to collaborate with the public researcher community for vulnerability awareness and remediation.

CISA urges FCEB agencies to review the VDP Platform 2022 Annual Report and encourages use of the platform to promote good-faith security research if they are not already doing so. By promoting an agency’s VDP to the public security researcher community, the platform benefits users by harnessing researchers’ expertise to search for and detect vulnerabilities that traditional scanning technology might not find.

CISA is actively seeking to enhance future collaborations with the public security researcher community and welcomes participation and partnership.

1. EXECUTIVE SUMMARY

• CVSS v3 3.3 
• ATTENTION: low attack complexity 
• Vendor: CODESYS, GmbH 
• Equipment: CODESYS Development System 
• Vulnerability: Improper Restriction of Excessive Authentication Attempts. 

2. RISK EVALUATION

Successful exploitation of this vulnerability could provide a local attacker with account information. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

• CODESYS Development System: versions prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 could allow a local attacker to have unlimited attempts of guessing the password within an import dialog. 

CVE-2023-3669 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). 

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• COUNTRIES/AREAS DEPLOYED: Worldwide 
• COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

A user reported this vulnerability. CERT@VDE coordinated the vulnerability. 

4. MITIGATIONS

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

Alternatively, users may find further information on obtaining the software update in the CODESYS Update area. 

For more information, please see the advisory CERT@VDE published for CODESYS at: 

https://cert.vde.com/en-us/advisories/vde-2023-023 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

• Do not click web links or open attachments in unsolicited email messages. 
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. 

1. EXECUTIVE SUMMARY

• CVSS v3 7.5 
• ATTENTION: Exploitable remotely/low attack complexity/known public exploitation 
• Vendor: KNX Association 
• Equipment: KNX devices using KNX Connection Authorization 
• Vulnerability: Overly Restrictive Account Lockout Mechanism 

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause users to lose access to their device, potentially with no way to reset the device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following devices using KNX Protocol are affected: 

• KNX devices using Connection Authorization Option 1 Style in which no BCU Key is currently set: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 OVERLY RESTRICTIVE ACCOUNT LOCKOUT MECHANISM CWE-645 

KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way. 

CVE-2023-4346 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Facilities 
• COUNTRIES/AREAS DEPLOYED: Europe 
• COMPANY HEADQUARTERS LOCATION: Belgium 

3.4 RESEARCHER

Felix Eberstaller reported this vulnerability to CISA. 

4. MITIGATIONS

KNX Association recommends all system integrators, installers, ETS users, and end customers to follow common IT security guidelines. KNX Association recommends users follow the recommendations in the KNX Secure Checklist. 

The KNX Association also recommends developers always set the BCU Key in every KNX Project that is already finished and will be commissioned in the future. Handover the BCU Key as part of the Project Documentation to the Building Owner. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. 
• Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA has received reports of this vulnerability being actively exploited. 

1. EXECUTIVE SUMMARY

• ​CVSS v3 8.6 
• ​ATTENTION: Exploitable remotely/low attack complexity 
• ​Vendor: Rockwell Automation  
• ​Equipment: 1734-AENT/1734-AENTR Series C, 1734-AENT/1734-AENTR Series B, 1738-AENT/ 1738-AENTR Series B, 1794-AENTR Series A, 1732E-16CFGM12QCWR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-16CFGM12P5QCWR Series B, 1732E-IB16M12R Series B, 1732E-OB16M12R Series B, 1732E-16CFGM12R Series B, 1732E-IB16M12DR Series B, 1732E-OB16M12DR Series B, 1732E-8X8M12DR Series B, 1799ER-IQ10XOQ10 Series B 
• ​Vulnerability: Out-of-Bounds Write 

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service on the affected products.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​The following versions of select Input/Output Modules from Rockwell Automation are affected: 

• ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior  
• ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior  
• ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior  
• ​1794-AENTR Series A: Versions 2.011 and prior  
• ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior 
• ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior  
• ​1732E-16CFGM12QCR Series A: Versions 3.011 and prior  
• ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior  
• ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior 
• ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior  
• ​1732E-IB16M12R Series B: Versions 3.011 and prior  
• ​1732E-OB16M12R Series B: Versions 3.011 and prior  
• ​1732E-16CFGM12R Series B: Versions 3.011 and prior  
• ​1732E-IB16M12DR Series B: Versions 3.011 and prior  
• ​1732E-OB16M12DR Series B: Versions 3.011 and prior  
• ​1732E-8X8M12DR Series B: Versions 3.011 and prior 
• ​1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior  

3.2 VULNERABILITY OVERVIEW

3.2.1 ​OUT-OF-BOUNDS WRITE CWE-787 

​Pyramid Solutions’ affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition. 

​CVE-2022-1737 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). 

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
• ​COUNTRIES/AREAS DEPLOYED: Worldwide 
• ​COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

​Rockwell Automation reported this vulnerability to CISA. 

4. MITIGATIONS

​Rockwell Automation has released and recommends users apply the following mitigations: 

• ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior. Upgrade to 7.013 
• ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior. Upgrade to 5.021  
• ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior. Upgrade to 6.013  
• ​1794-AENTR Series A: Versions 2.011 and prior. Upgrade to 2.012  
• ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior. Upgrade to 3.012 
• ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12QCR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior. Upgrade to 3.012 
• ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-IB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-OB16M12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-16CFGM12R Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-IB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-OB16M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012  
• ​1732E-8X8M12DR Series B: Versions 3.011 and prior. Upgrade to 3.012 
• ​1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior. Upgrade to 3.012 

​Rockwell Automation encourages users of the affected software to apply the risk mitigations below, if possible. Additionally, users are encouraged to implement suggested security best practices to minimize the risk of vulnerability. 

​Users should upgrade to the corrected firmware to mitigate the issues:

• ​Security best practices 

​For more information, see Rockwell Automation’s Security Advisory. 

​CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

​No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.