The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released advisories for industrial control systems (ICS) on Thursday, offering critical infrastructure sector updates on current security challenges, vulnerabilities, and exploits affecting ICS. CISA highlighted hardware vulnerabilities in equipment from Beckhoff Automation, Delta Electronics, and Bosch, which are deployed across critical infrastructure installations.
In an advisory, CISA revealed the existence of an ‘Improper Neutralization of Special Elements used in an OS Command Injection’ vulnerability in Beckhoff Automation’s TwinCAT Package Manager equipment. “Successful exploitation of this vulnerability could allow a local attacker with administrative access rights to execute arbitrary OS commands on the affected system.”
Deployed across the critical manufacturing sector, the affected Beckhoff Automation products are the TwinCAT Package Manager versions before 1.0.603.0. CISA detailed that a local user with administrative access rights can enter specially crafted settings at the TwinCAT Package Manager’s user interface (UI), which then causes arbitrary OS commands to be executed.
The Beckhoff vulnerability has been assigned CVE-2024-8934. It has a CVSS v3 base score of 6.5 and a CVSS v4 base score of 7.0. elcazator of Elex Feigong Research Institute of Elex CyberSecurity, Inc. reported this vulnerability to CISA.
Beckhoff Automation recommends users update to at least version 1.0.613.0.
Additionally, the German company identified a couple of workarounds and mitigations users can apply to reduce risk: administrative users should always act carefully and inspect the values they enter, and operators should update to a recent version of the affected product.
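The defect class described above, a setting typed into a UI that ends up inside an OS command line, is easy to see side by side with its fix. The following is an added illustration, not Beckhoff's code and not the TwinCAT Package Manager's actual behaviour: the tool name `pkgtool`, the `add-source` action and the sample settings are all constructed for the example. It shows the vulnerable pattern (splicing the raw setting into a shell command string) next to a hardened version that allow-list validates the value and builds an argv list so no shell ever interprets it.

```python
import re
import subprocess

# Constructed sample settings, as a user might type them into a settings UI.
SETTING_OK = "https://packages.example.invalid/feed"
SETTING_BAD = "https://packages.example.invalid/feed; whoami"  # carries shell metacharacters


def build_command_unsafe(source_setting: str) -> str:
    """Vulnerable pattern: the raw setting is spliced into a shell command string.

    If this string were handed to a shell, the ';' in SETTING_BAD would end the
    intended command and start a second, attacker-chosen one. Returned (not run)
    here purely to show what the shell would receive.
    """
    return f"pkgtool add-source {source_setting}"


# Allow-list for the one value shape this setting legitimately takes:
# an https URL with a hostname, optional port and a simple path.
_ALLOWED_SOURCE = re.compile(
    r"^https://[A-Za-z0-9.\-]+(:\d+)?(/[A-Za-z0-9._\-/]*)?$"
)


def validate_source(source_setting: str) -> str:
    """Reject anything that is not a plain https URL; metacharacters never get through."""
    if not _ALLOWED_SOURCE.fullmatch(source_setting):
        raise ValueError(f"setting rejected by allow-list: {source_setting!r}")
    return source_setting


def build_command_safe(source_setting: str) -> list[str]:
    """Hardened pattern: validated value placed in an argv list, one element per argument.

    Because the list is passed to the OS without a shell, characters such as
    ';', '|', '&' or '$' in the value have no special meaning even if the
    allow-list were loosened later.
    """
    return ["pkgtool", "add-source", validate_source(source_setting)]


def run_safe(source_setting: str, runner=subprocess.run):
    """Execute the hardened command. 'runner' is injectable so the function can be
    exercised without a real pkgtool binary on the system."""
    argv = build_command_safe(source_setting)
    # shell=False is the default, but stated explicitly: argv goes straight to execve.
    return runner(argv, shell=False, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    print("unsafe command line for bad input:", build_command_unsafe(SETTING_BAD))
    print("safe argv for good input:        ", build_command_safe(SETTING_OK))
    try:
        build_command_safe(SETTING_BAD)
    except ValueError as exc:
        print("safe path rejected bad input:    ", exc)
```

The two defences are deliberately independent: the allow-list stops unexpected values at the UI boundary, and the argv list removes the shell from the picture so a validation mistake cannot become command execution. Either alone is weaker than both together.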
In another advisory, CISA warned of the ‘Stack-based Buffer Overflow’ vulnerability in Delta Electronics’ DIAScreen equipment. “Successful exploitation of these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution.”
DIAScreen is a component of Delta’s DIAStudio Smart Machine Suite integrated engineering software package, and the affected versions are before v1.5.0.
CISA noted that if an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetObjectInfo can be exploited, allowing the attacker to remotely execute arbitrary code. The vulnerability has been designated as CVE-2024-47131. It has a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.4.
The agency also revealed that if an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetParameter can be exploited, allowing the attacker to remotely execute arbitrary code. The vulnerability is identified as CVE-2024-39605. It has a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.4.
CISA also identified that if an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in CEtherIPTagItem can be exploited, allowing the attacker to remotely execute arbitrary code. CVE-2024-39354 has been designated for this vulnerability. It has a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.4.
DIAScreen is used in the energy sector. Natnael Samson, working with Trend Micro's Zero Day Initiative, reported these vulnerabilities to CISA.
Delta Electronics has released v1.5.0 of DIAScreen (login required) and recommends users install this update on all affected systems.
CISA also disclosed the presence of an ‘Uncontrolled Resource Consumption’ vulnerability in Bosch Rexroth IndraDrive equipment used in the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service, rendering the device unresponsive by sending arbitrary UDP messages.”
A vulnerability in the PROFINET stack implementation of the IndraDrive of Bosch Rexroth allows an attacker to cause a denial of service, rendering the device unresponsive by sending arbitrary UDP messages.
CVE-2024-48989 has been designated for this vulnerability. It has a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7. Roni Gavrilov from OTORIO reported this vulnerability to CISA.
The CISA advisory noted that Bosch Rexroth has fixed this vulnerability starting with FWA-INDRV-MP-20V36. Bosch Rexroth recommends updating as soon as possible. “In use cases in which a device update is not possible or not feasible, Bosch Rexroth recommends compensatory measures which prevent or at least complicate taking advantage of the vulnerability. Always define such compensatory measures individually, in the context of the operational environment,” it added.
CISA recommends that asset owners and operators take defensive measures to minimize the risk of exploitation of this vulnerability, such as minimizing network exposure for control system devices and/or systems and ensuring they are not accessible from the internet, and locating control system networks and remote devices behind firewalls and isolating them from business networks.
Also, when remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the devices connected to it. The agency also reminds organizations to perform proper impact analysis and risk assessment before deploying defensive measures.