CISA discloses ICS vulnerabilities in ARDEREG, GE Digital, PTC, Digi International equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published last Thursday four ICS (industrial control systems) advisories with timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The notices cover hardware vulnerabilities in equipment from ARDEREG, GE Digital, PTC, and Digi International. Organizations have been advised to examine these ICS notices and execute necessary mitigation actions. 

In an ICS advisory, CISA identified a remotely exploitable, low-attack-complexity SQL injection vulnerability in ARDEREG Sistemas SCADA equipment, affecting versions 2.203 and prior. “Successful exploitation of this vulnerability could allow an attacker to manipulate SQL query logic to extract sensitive information and perform unauthorized actions within the database.”

The notice identified that Sistema SCADA Central, a supervisory control and data acquisition (SCADA) system deployed in the healthcare and public health sector, is designed to monitor and control various industrial processes and critical infrastructure.

“ARDEREG identified this SCADA system’s login page to be vulnerable to an unauthenticated blind SQL injection attack,” according to the CISA advisory. “An attacker could manipulate the application’s SQL query logic to extract sensitive information or perform unauthorized actions within the database. In this case, the vulnerability could allow an attacker to execute arbitrary SQL queries through the login page, potentially leading to unauthorized access, data leakage, or even disruption of critical industrial processes,” it added. 

CVE-2023-4485 has been assigned to this vulnerability, while a CVSS v3 base score of 9.8 has been calculated. Momen Eldawakhly of Samurai Digital Security Ltd. reported this vulnerability to CISA.

The advisory noted that ARDEREG is aware of the issue but has not responded to CISA’s requests. ARDEREG recommends security awareness and training, regular security assessments, an incident response plan, vendor and supply chain security, and system segmentation to help reduce the risk.
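To show the weakness class in working code, here is an added example (not ARDEREG’s code; the Sistema SCADA Central login itself is not shown on the page) using a constructed SQLite user table: the string-concatenated login query beside its parameterised replacement.

```python
import hashlib
import hmac
import sqlite3

def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # demo only; use a salted slow KDF in production

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the SCADA login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("operator", pw_hash("Op3rator!")))
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The username is pasted into the SQL text, so whoever submits it also edits
    # the WHERE clause. Only a yes/no answer comes back: the 'blind' case.
    sql = ("SELECT 1 FROM users WHERE name = '" + name
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Bound parameter: the username is data, never SQL. The hash comparison is
    # done in constant time outside the database.
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))

if __name__ == "__main__":
    db = make_db()
    # A known username followed by an always-true clause short-circuits the
    # password check in the concatenated query; the parameterised query just
    # looks for a user literally named that.
    probe = "operator' OR '1'='1"
    print("vulnerable / wrong password:", login_vulnerable(db, probe, "wrong"))      # True
    print("hardened   / wrong password:", login_safe(db, probe, "wrong"))            # False
    print("hardened   / right password:", login_safe(db, "operator", "Op3rator!"))  # True
```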

In another advisory, CISA revealed the presence of a ‘process control’ vulnerability in GE Digital’s CIMPLICITY equipment, typically deployed across multiple critical infrastructure sectors. The notice said that CIMPLICITY v2023 was affected and that ‘successful exploitation of this vulnerability could allow a low-privileged local attacker to escalate privileges to SYSTEM.’

GE CIMPLICITY 2023 is affected by a process control vulnerability that could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software, the advisory added. “CVE-2023-4487 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated.”

Michael Heinzl reported this vulnerability to CISA. GE Digital has advised users to update CIMPLICITY to v2023 SIM 1.

In another advisory, CISA disclosed remotely exploitable, low-attack-complexity vulnerabilities in the PTC Kepware KepServerEX industrial automation control platform, used across the global critical manufacturing sector. The identified vulnerabilities include uncontrolled search path elements, improper input validation, and insufficiently protected credentials. Sam Hanson of Dragos reported these vulnerabilities to CISA.

CISA said that the installer application of KEPServerEX is vulnerable to DLL search order hijacking. “This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges. CVE-2023-29444 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.”

“KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory,” the advisory added. “CVE-2023-29445 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.”

Additionally, KEPServerEX is vulnerable to UNC path injection via a malicious project file. “By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes, and crack them offline. CVE-2023-29446 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned,” it added.
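An added defensive check, not part of the advisory or of PTC’s software: scan a project file received from outside for UNC or file:// references to hosts that are not on an allow-list before anyone loads it, since such references are what makes Windows reach out to a remote host. The project file below is a constructed INI-style stand-in, not KEPServerEX’s real format.

```python
import re

# Network path references that make Windows contact a remote host when the file
# is opened: UNC paths (\\host\share\...) and file://host/... URLs.
UNC_RE = re.compile(r"\\\\(?P<host>[^\\\s\"']+)\\")
FILE_URL_RE = re.compile(r"file://(?P<host>[^/\s\"']+)/", re.IGNORECASE)

def find_external_hosts(project_text: str, allowed_hosts: set[str]) -> list[tuple[int, str]]:
    """Return (line number, host) for every network path whose host is not on the
    allow-list. file:///C:/... style local URLs have no host and are not flagged."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for lineno, line in enumerate(project_text.splitlines(), start=1):
        for pattern in (UNC_RE, FILE_URL_RE):
            for match in pattern.finditer(line):
                host = match.group("host").lower()
                if host not in allowed:
                    findings.append((lineno, host))
    return findings

# Constructed sample; 203.0.113.7 is a documentation-range address, not a real host.
SAMPLE_PROJECT = """\
[Channel1]
LogPath=D:\\KEPData\\logs
[Channel2]
LogPath=\\\\files01.corp.example\\kepdata\\logs
[Channel3]
HelpUrl=file://203.0.113.7/share/help.chm
Template=\\\\203.0.113.7\\share\\template.opf
"""

if __name__ == "__main__":
    for lineno, host in find_external_hosts(SAMPLE_PROJECT, {"files01.corp.example"}):
        print(f"line {lineno}: network path to unapproved host {host}")
```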

The KEPServerEX Configuration web server uses basic authentication to protect user credentials, CISA pointed out. “An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server’s plaintext credentials. CVE-2023-29447 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned.”

The agency added that PTC is aware of these vulnerabilities and is developing patches to address them. “PTC expects these issues to be addressed by November 2023. This advisory will be updated when these patches are ready.”

CISA revealed the presence of a remotely exploitable ‘use of password hash instead of password for authentication’ vulnerability in Digi International’s Digi RealPort protocol. “Successful exploitation of this vulnerability could allow the attacker to access connected equipment.”

Dragos’ Reid Wightman reported this vulnerability to Digi International.

The affected products that use Digi RealPort Protocol are Digi RealPort for Windows: version 4.8.488.0 and earlier; Digi RealPort for Linux: version 1.9-40 and earlier; Digi ConnectPort TS 8/16: versions prior to 2.26.2.4; Digi Passport Console Server: all versions; Digi ConnectPort LTS 8/16/32: versions prior to 1.4.9; Digi CM Console Server: all versions; and the Digi PortServer TS: all versions.

The advisory reveals that Digi PortServer TS MEI, Digi PortServer TS MEI Hardened, Digi PortServer TS M MEI, Digi PortServer TS P MEI, Digi One IAP Family, Digi One IA, Digi One SP IA, and Digi One SP are also affected products. Additionally, Digi WR31, Digi WR11 XT, Digi WR44 R, Digi WR21, Digi Connect ES, and Digi Connect SP are affected.

Digi International reports that all versions of Digi 6350-SR and Digi ConnectCore 8X products that do not use Digi RealPort Protocol are not affected.

Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment, the advisory added. “CVE-2023-4299 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated.”

Digi International recommends users acquire and install the patches that it has made available for RealPort software for Windows: fixed in 4.10.490; Digi ConnectPort TS 8/16: fixed in firmware version 2.26.2.4; Digi ConnectPort LTS 8/16/32: fixed in version 1.4.9; and Digi Connect ES: fixed in firmware version 2.26.2.4.
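An added illustration of the weakness class named in the Digi advisory, not the RealPort protocol itself (the page gives no message format): a simplified model in which the password hash is the credential sent on the wire, beside a nonce-based challenge-response that defeats replay. The password and key derivation are constructed demo values.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"demo-serial-password"   # constructed shared secret, not a real device value

def derive_key(password: bytes) -> bytes:
    return hashlib.sha256(password).digest()   # demo only; real code needs a salted slow KDF

def static_hash_login(stored_hash: bytes, message: bytes) -> bool:
    # Weak design: the password hash itself is the credential on the wire, so the
    # bytes of one recorded login can simply be sent again.
    return hmac.compare_digest(message, stored_hash)

class ChallengeResponseServer:
    # Mitigation: fresh random nonce per attempt, answered with an HMAC over that
    # nonce; each nonce is honoured once, so a captured answer is useless later.
    def __init__(self, password: bytes) -> None:
        self._key = derive_key(password)
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                       # unknown or already-consumed challenge
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_answer(password: bytes, nonce: bytes) -> bytes:
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()

def replay_against_static_hash() -> bool:
    """True if a recorded static-hash login is accepted a second time."""
    stored = captured = derive_key(PASSWORD)   # captured: what a passive observer records
    return static_hash_login(stored, captured) and static_hash_login(stored, captured)

def replay_against_challenge_response() -> bool:
    """True if a recorded (nonce, answer) pair is accepted a second time."""
    server = ChallengeResponseServer(PASSWORD)
    nonce = server.challenge()
    answer = client_answer(PASSWORD, nonce)
    assert server.authenticate(nonce, answer)  # the genuine login succeeds once
    fresh = server.challenge()
    # Resending the old pair, or pasting the old answer onto a new challenge, both fail.
    return server.authenticate(nonce, answer) or server.authenticate(fresh, answer)
```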

Last month, CISA also released six ICS (industrial control systems) advisories that provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The notices cover hardware vulnerabilities in KNX Protocol, Opto 22 SNAP PAC S1, Rockwell Automation Input/Output modules, and the last three advisories covered the CODESYS Development System.
