Thursday, September 19, 2024

CISA reveals security flaws in critical infrastructure equipment from AVEVA, Ocean Data, Rockwell Automation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Tuesday ten ICS (industrial control systems) advisories that provide timely information about current security issues, vulnerabilities, and exploits surrounding critical infrastructure equipment. The agency warned of vulnerabilities in AVEVA, Ocean Data Systems, and various Rockwell Automation hardware lines deployed across critical infrastructure sectors. 

In its advisory, CISA disclosed an ‘allocation of resources without limits or throttling’ vulnerability in AVEVA SuiteLink Server equipment used across the global critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to cause the server to consume excessive system resources, preventing the processing of SuiteLink messages on the targeted host,” it added.

DOE CESER’s CyTRICS program at Idaho National Laboratory reported this vulnerability to AVEVA.

The advisory noted that if exploited, this vulnerability could cause a SuiteLink server to consume excessive system resources and slow down the processing of Data I/O for the duration of the attack. CVE-2024-7113 has been identified as a significant vulnerability, with a CVSS v3.1 base score of 7.5. Additionally, under the CVSS v4 criteria, it has been assigned a base score of 8.7.

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with the affected product versions should apply security updates as soon as possible. All impacted products and affected versions can be fixed by installing SuiteLink v3.7.100.

In another advisory, CISA revealed the presence of improper input validation and use of externally controlled format string vulnerabilities in Rockwell Automation’s AADvance Standalone OPC-DA Server equipment. “Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the affected product.”

Rockwell Automation reported these vulnerabilities to CISA, and a CVSS v3 base score of 9.8 has been assigned. 

CISA also disclosed an ‘improper check for unusual or exceptional conditions’ vulnerability in Rockwell’s ControlLogix 5580 and GuardLogix 5580 equipment. “Successful exploitation of this vulnerability could allow an attacker to perform a denial-of-service on the device,” it added.

The agency added that a denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVE-2024-40619 has been assigned to this vulnerability. It has received a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7. Rockwell Automation has issued updates for the AADvance Standalone OPC-DA Server to address these vulnerabilities. Users are advised to upgrade to version 2.02 or higher.

The security agency published another security advisory warning the global critical manufacturing sector of the ‘missing encryption of sensitive data’ vulnerability in Rockwell’s Pavilion8 equipment. “Successful exploitation of this vulnerability could allow an attacker to view sensitive data due to a lack of encryption,” it added. 

It added that a vulnerability exists in the affected product due to a lack of encryption of sensitive information. “The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data’s confidentiality.”

CVE-2024-40620 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated, and on the CVSS v4 scale, a base score of 5.3 has been calculated. 

In another advisory, CISA warned of an improper authentication vulnerability in Rockwell Automation’s DataMosaix Private Cloud equipment used across the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to generate cookies for a user ID without the use of a username or password, resulting in the malicious actor taking over the account.”

The advisory added that an improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user and would be able to view and modify data stored in the cloud. CVE-2024-6078 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated, and on the CVSS v4 scale, a base score of 8.6 has been calculated. 

CISA published another advisory on Rockwell Automation’s FactoryTalk View Site Edition hardware containing an ‘incorrect permission assignment for critical resource’ vulnerability. The product is deployed across the chemical, commercial facilities, critical manufacturing, energy, government facilities, and water and wastewater systems sectors. The advisory pointed out that exploitation of this vulnerability could allow any user to edit or replace files that are executed by an account with elevated permissions.

A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by an account with elevated permissions. CVE-2024-7513 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated, and on the CVSS v4 scale, a base score of 8.5 has been calculated.

The agency published another advisory addressing an ‘uncontrolled resource consumption’ vulnerability affecting Rockwell Automation’s Micro850/870 equipment used across the critical manufacturing sector. “Successful exploitation of this vulnerability may cause CIP/Modbus communication to be disrupted for short duration,” it added.

It pointed out that a denial-of-service vulnerability exists via the CIP/Modbus port in Micro850/870. If exploited, the CIP/Modbus communication may be disrupted for a short duration. CVE-2024-7567 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated, and on the CVSS v4 scale, a base score of 6.9 has been calculated.

In another advisory, CISA noted that Path Traversal and Incorrect Permission Assignment for Critical Resource vulnerabilities have been detected in Ocean Data Systems Dream Report 2023 equipment. “Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution or escalate their privileges and cause a denial-of-service condition,” it added.

The affected product is deployed across the critical manufacturing, chemical, energy, and water and wastewater systems sectors. Claroty Team82 reported these vulnerabilities to CISA.

Commenting on the CISA ICS advisories, Marcus Fowler, CEO of Darktrace Federal, wrote in an emailed statement that due to the diversity of devices and bespoke protocols often used in ICS, many critical infrastructure organizations struggle to maintain an accurate and up-to-date catalog of all their assets. “It is crucial that organizations have visibility into all their assets, not just those identified as critical – you cannot protect what you cannot see. This is especially critical as multi-stage and multi-domain attacks are now widely used by adversaries, who take advantage of a lack of visibility and silos to move undetected between systems.”

“AI-augmented solutions can identify all assets in an organization’s environment, giving security teams full visibility across their ecosystem,” according to Fowler. “Automating asset identification, even attack path modeling to identify critical and critical adjacent assets and doing so in a comprehensive way across every part of the organization, can build confidence and free up security teams to focus on proactive measures, like planning, preparing and practicing ahead of an attack and strategic proactive security efforts.”

“Versions of Rockwell Automation AADvance Standalone OPC DA Servers that are vulnerable to CVE-2018-1285 & CVE-2006-0743 are included in this advisory. As you can see, these vulnerabilities are pretty old,” Mayuresh Dani, security research manager at Qualys Threat Research Unit, wrote in an emailed statement. “CVE-2018-1285 affects the Apache log4net component versions prior to 2.0.10, allowing XML external entity injection (XXE) based attacks. Proof of Concept code for this specific CVE is also available.”

He added that all an attacker would need is to find a vulnerable endpoint and exploit unpatched versions. “Rockwell has released an update patching the vulnerability. CVE-2006-0743 also affects the Apache log4net component version 1.2.9 beta allowing denial of service conditions on the endpoint. Customers should ideally install the patches provided by the vendor. As a stop-gap mitigation, they can block unauthorized access to the ports used by the servers.”

Last month, CISA introduced an Infrastructure Resilience Planning Framework (IRPF) designed to guide localities, regions, and the private sector in collaboratively planning for the security and resilience of critical infrastructure services amidst various threats and changes. While primarily aimed at state, local, tribal, and territorial (SLTT) governments and their regional organizations, the IRPF framework is versatile enough for use by any organization looking to improve its resilience planning.
