The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published eight Industrial Control Systems (ICS) advisories highlighting serious vulnerabilities impacting Rockwell Automation and Delta Electronics devices. This release covers 13 security flaws in InfraSuite Device Master, a real-time device monitoring program from Delta Electronics. All versions before 1.0.5 are affected by the vulnerabilities. “Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code,” reads the advisory from CISA. The top critical flaw on the list is CVE-2023-1133 (CVSS score: 9.8), which results from InfraSuite Device Master accepting unverified User Datagram Protocol (UDP) packets and deserializing the content, enabling a threat actor to execute arbitrary code remotely without any authentication. CISA issued a warning on two further deserialization vulnerabilities: CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8). These vulnerabilities could also be used to enable remote code execution.
Another set of vulnerabilities is related to Rockwell Automation’s ThinManager ThinServer was released by CISA. It affects the following versions of the thin client and Remote Desktop Protocol (RDP) management software:
- 6.x – 10.x
- 11.0.0 – 11.0.5
- 11.1.0 – 11.1.5
- 11.2.0 – 11.2.6
- 12.0.0 – 12.0.4
- 12.1.0 – 12.1.5
- 13.0.0 – 13.0.1
Analyst Notes
The following ThinServer vulnerabilities are notable: CVE-2023-28756 (CVSS score: 7.5) and CVE-2023-28755 (CVSS score: 9.8), because they could enable an unauthenticated, remote attacker to upload any file to the directory where ThinServer.exe is installed. In addition, a threat actor might use the CVE-2023-28755 vulnerability to replace current executable files with trojanized versions. To reduce security risks, users are urged to update software to the following versions: 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, and 13.0.2. Versions 6.x through 10.x of the ThinManager ThinServer are outdated, so users should upgrade them to supported versions. It is also advised to restrict remote access to known thin clients and ThinManager servers using port 2031/TCP as a solution.
In addition, it is highly recommended for all organizations deploying ICS infrastructure to ensure that there is no Internet facing access for these devices. Control system networks and devices should be located behind firewall and other perimeter security controls separate from business and other systems. Any cases of remote access should only be allowed from restricted addresses and devices across a private, up-to-date VPN.
https://thehackernews.com/2023/03/cisa-alerts-on-critical-security.html
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02
