The US Cybersecurity and Infrastructure Security Agency (CISA) published four advisories on industrial control systems (ICS) on Friday. These advisories provide important updates on current security challenges, vulnerabilities, and potential exploits impacting Schneider Electric, Delta Electronics, and Rockwell Automation hardware.
CISA has disclosed the presence of “false authentication” in Schneider Electric's PowerChute Serial Shutdown equipment affecting versions 1.2.0.301 and earlier deployed in the critical manufacturing sector worldwide. “Successful exploitation of this vulnerability could result in access to the web interface being denied if someone on the local network repeatedly requests the /accessdenied URL.”
An improper authentication vulnerability exists that could result in access to the web interface being denied if someone on the local network repeatedly requests the /accessdenied URL. CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 and a CVSS v4 base score of 6.3 were calculated. Schneider Electric reported this vulnerability to CISA.
As a remediation, Schneider Electric recommends that users of PowerChute Serial Shutdown version 1.2.0.301 and prior update to PowerChute Serial Shutdown version 1.3.
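The denial-of-service condition above has a simple observable signature: many requests for /accessdenied from one local-network source in a short time. The detection below is an added example, not code from the advisory or from Schneider Electric; it assumes the requests are visible in a proxy or web-server access log in Common Log Format (the advisory says nothing about PowerChute's own logging), and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format). 10.0.0.9 hammers the
# /accessdenied URL; 10.0.0.5 requests it once, which is normal behaviour.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2024:09:00:01 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.9 - - [20/Dec/2024:09:00:02 +0000] "GET /accessdenied HTTP/1.1" 200 128
10.0.0.9 - - [20/Dec/2024:09:00:03 +0000] "GET /accessdenied HTTP/1.1" 200 128
10.0.0.9 - - [20/Dec/2024:09:00:04 +0000] "GET /accessdenied HTTP/1.1" 200 128
10.0.0.9 - - [20/Dec/2024:09:00:05 +0000] "GET /accessdenied HTTP/1.1" 200 128
10.0.0.9 - - [20/Dec/2024:09:00:06 +0000] "GET /accessdenied HTTP/1.1" 200 128
10.0.0.5 - - [20/Dec/2024:09:01:10 +0000] "GET /accessdenied HTTP/1.1" 200 128
10.0.0.9 - - [20/Dec/2024:09:05:00 +0000] "GET /accessdenied HTTP/1.1" 200 128
"""

# source, timestamp, method, path (query string dropped later), status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one CLF line into (src, datetime, method, path) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return src, when, method, path.split("?", 1)[0]


def find_repeated_requests(log_text, path="/accessdenied", threshold=5,
                           window=timedelta(seconds=60)):
    """Return {src: time_of_first_alert} for every source that requested
    `path` at least `threshold` times inside a sliding window of `window`."""
    recent = defaultdict(deque)   # src -> timestamps of its recent hits
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                  # skip unparseable lines, keep going
        src, when, _method, req_path = rec
        if req_path != path:
            continue
        hits = recent[src]
        hits.append(when)
        while hits and when - hits[0] > window:
            hits.popleft()            # drop hits older than the window
        if len(hits) >= threshold and src not in alerts:
            alerts[src] = when        # first moment the threshold was crossed
    return alerts


if __name__ == "__main__":
    for src, when in find_repeated_requests(SAMPLE_LOG).items():
        print(f"possible CVE-2024-10511 abuse from {src} at {when.isoformat()}")
```

Tune `threshold` and `window` against the normal rate of /accessdenied hits on your network before alerting on it; the values here are illustrative.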
In another ICS advisory, CISA described a vulnerability, exploitable remotely with low attack complexity, classed as “Use of unmaintained third-party components” in Schneider Electric's Harmony HMI and Pro-face HMI products. “Successful exploitation of this vulnerability could result in complete control of the device if an authenticated user installs malicious code into the HMI product.”
Affected products include all versions of the Harmony HMIST6, Harmony HMISTM6, Harmony HMIG3U, Harmony HMIG3X, Harmony HMISTO7 series with Ecostruxure Operator Terminal Expert Runtime, PFXST6000, PFXSTM6000, PFXSP5000 series, and the PFXGP4100 series with Pro-face BLUE Runtime.
According to CISA, the affected products, used in the chemical, critical manufacturing, energy, and water and wastewater systems sectors, rely on an unmaintained third-party component whose vulnerability could lead to complete control of the device if an authenticated user installed malicious code into an HMI product.
This vulnerability has been assigned CVE-2024-11999. A CVSS v3.1 base score of 8.8 and a CVSS v4 base score of 8.7 were calculated. Schneider Electric reported this vulnerability to CISA.
To reduce the risk of exploitation, Schneider Electric recommends that users only operate the HMI in a protected environment to minimize network exposure and ensure it is not accessible from the public Internet or untrusted networks; set up network segmentation and implement a firewall to block unauthorized access; restrict the use of unverifiable portable media; restrict application access to limit the transfer of firmware to the HMI; scan software and files for rootkits before use and verify their digital signatures; and use secure communication protocols when sharing files over the network.
Schneider Electric also points to industry cybersecurity best practices, including locating control and safety system networks and remote devices behind firewalls and isolating them from the business network; installing physical controls to prevent unauthorized personnel from accessing industrial control and safety systems, components, peripherals, and networks; and placing all controllers in locked cabinets and never leaving them in programming mode.
The company also recommends never connecting programming software to any network other than the network intended for the device; scanning all methods of mobile data exchange with the isolated network, such as CDs and USB drives, before use in the terminals or any node connected to these networks; and never allowing mobile devices that have connected to a network other than the intended network to connect to the safety or control networks without proper sanitation.
In addition, Schneider Electric recommends minimizing network exposure for all control system devices and systems and ensuring that they are not accessible from the Internet. If remote access is required, use secure methods such as Virtual Private Networks (VPNs). Keep in mind, however, that VPNs may have vulnerabilities and should be updated to the latest available version, and that a VPN is only as secure as the devices connected to it.
In another ICS alert, CISA uncovered improper write and type confusion vulnerabilities in Delta Electronics' DRASimuCAD devices used in critical manufacturing sectors worldwide. “Successful exploitation of these vulnerabilities could crash the device or potentially allow remote code execution.”
Delta Electronics DRASimuCAD expects a specific data type when opening files, but the program accepts data of the wrong type from specially crafted files. CVE-2024-12834 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.4 were calculated.
When a specially crafted file is opened with Delta Electronics DRASimuCAD, the program can be forced to write data outside of the intended buffer. CVE-2024-12835 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.4 were calculated.
A second type confusion issue exists: Delta Electronics DRASimuCAD expects a specific data type when opening files, but the program accepts data of the wrong type from specially crafted files. CVE-2024-12836 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.4 were calculated.
rgod, working with the Trend Micro Zero Day Initiative, reported these vulnerabilities to CISA.
The CISA advisory added that Delta Electronics will release a new version of DRASimuCAD in January to address these issues and recommends users install this update on all affected systems.
In another alert, CISA identified the presence of vulnerabilities such as “Use After Free, Out-of-bounds Write, Improper Initialization, Out-of-bounds Read, Dependency on Vulnerable Third-Party Component” in Rockwell Automation's Arena equipment. “Successful exploitation of these vulnerabilities could result in the execution of arbitrary code,” it said.
Rocco Calvi (@TecR0c) of TecSecurity, in collaboration with the Trend Micro Zero Day Initiative, and Mat Powell of the Trend Micro Zero Day Initiative reported these vulnerabilities to Rockwell Automation. The affected product is deployed in the critical manufacturing sector.
Rockwell Automation recommends that users upgrade to V16.20.06 or later. Additionally, users of the affected software are advised not to load untrusted Arena model files, and to hold down the Ctrl key while loading files to prevent the VBA file stream from loading.