CISA discloses presence of ICS vulnerabilities in equipment from Hitachi Energy, Trane, Rockwell 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published four ICS (industrial control systems) advisories that provide timely information about current security issues, vulnerabilities, and exploits affecting ICS environments. The agency disclosed vulnerabilities in Hitachi Energy AFF66x firmware, Trane thermostats, and Rockwell Automation ThinManager ThinServer. CISA also released an update on the Mitsubishi Electric MELSEC WS Series.

The lead security agency called upon organizations to take note of these vulnerabilities and encouraged users and administrators to review the newly released ICS advisories for technical details and mitigations.

CISA has identified that firmware version 03.0.02 and earlier of Hitachi Energy AFF660/665 equipment is affected. The vulnerabilities include cross-site scripting, use of insufficiently random values, origin validation error, integer overflow or wraparound, uncontrolled resource consumption, and null pointer dereference. “Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices,” it added.

“In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names DNS servers returned via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.),” CISA identified. “In other words, a validation step, which is expected in any stub resolver, does not occur. CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated.”
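The missing "validation step" the advisory refers to is a syntactic check on every name a resolver hands back to the application. The following is an added illustration, not code from CISA, uClibc or Hitachi Energy: it applies RFC 1123 hostname rules to the (hostname, aliases, addresses) triples that Python's socket.gethostbyaddr() and gethostbyname_ex() return, and drops anything that could carry markup or shell metacharacters into a consumer. The sample answers are constructed.

```python
import re

# Label rules from RFC 1123: letters, digits and hyphens only, 1-63 octets,
# no leading or trailing hyphen. A whole name is at most 253 characters.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name) -> bool:
    """Syntactic check a stub resolver should apply to every name it returns."""
    if not isinstance(name, str) or not name:
        return False
    if name.endswith("."):          # accept one trailing dot on a fully qualified name
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def validate_host_entry(entry):
    """Filter a (hostname, aliaslist, ipaddrlist) triple, the shape returned by
    socket.gethostbyaddr() and socket.gethostbyname_ex(), keeping only
    well-formed names. Returns (hostname or None, [valid aliases], ipaddrlist)."""
    hostname, aliases, addrs = entry
    clean_host = hostname if is_valid_hostname(hostname) else None
    clean_aliases = [alias for alias in aliases if is_valid_hostname(alias)]
    return clean_host, clean_aliases, addrs


# Constructed sample answers, as if produced by reverse lookups. The second one
# carries characters no hostname may contain; a resolver without the validation
# step would hand it straight to whatever logs, renders or executes the value.
SAMPLE_ANSWERS = [
    ("printer-01.plant.example.", ["printer-01"], ["192.0.2.10"]),
    ("<script>alert(1)</script>.example", ["host;reboot", "ok-alias.example"], ["192.0.2.11"]),
    ("bad-.example", [], ["192.0.2.12"]),
]

if __name__ == "__main__":
    for entry in SAMPLE_ANSWERS:
        print(validate_host_entry(entry))
```

The filter is deliberately strict: underscores and other characters that some DNS records legitimately use are rejected here because the consumer in this scenario is a hostname, not an arbitrary DNS label.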

It added that “ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must rely on unauthenticated IPv4 time sources. There must be an off-path attacker who could query time from the victim’s ntpd instance. CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated.”

“ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address because transmissions are rescheduled even when a packet lacks a valid origin timestamp,” the CISA advisory revealed. CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated.

The advisory also said that “TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the Linux kernel when handling TCP selective acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit. CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated.”

CISA said that a vulnerability named ‘non-responsive delegation attack’ (NRDelegation attack) has been discovered in various DNS resolving software. “The NRDelegation attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers.” 

It added that the attack could cause a resolver to spend time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. “It could trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, which could lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage but still requires resources to resolve the malicious delegation. Unbound will continue to try to resolve the record until it reaches hard limits.” 

The advisory added that based on the nature of the attack and the replies, Unbound could reach different limits. “From version 1.16.3 on, Unbound introduces fixes for better performance when under load by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records. CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated.”

“snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL pointer exception bug that an unauthenticated attacker could use to remotely cause the instance to crash via a crafted UDP packet, resulting in denial of service. CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated,” CISA revealed.

Hitachi Energy recommends updating to the upcoming AFF660/665 FW 04.6.01 release when available; configuring only trusted DNS server(s) and the NTP service with redundant trustworthy sources of time; restricting TCP/IP-based management protocols to trusted IP addresses; and disabling the SNMP server (CLI and web interface will continue to function as they use an internal connection).

In another ICS advisory, CISA detailed the presence of a low attack complexity injection vulnerability affecting Trane’s XL824, XL850, XL1050, and Pivot thermostats, which are deployed across the critical manufacturing sector. Houlton McGuinn reported this vulnerability to Trane. “Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename.”

CISA said that various thermostats are affected by this vulnerability, including the XL824 Thermostat: Firmware versions 5.9.8 and earlier; XL850 Thermostat: Firmware versions 5.9.8 and earlier; XL1050 Thermostat: Firmware versions 5.9.8 and earlier; and Pivot Thermostat: Firmware versions 1.8 and earlier.

“A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename,” the advisory said. “The vulnerability requires physical access to the device via a USB stick. CVE-2023-4212 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated.”

The Irish company has pushed the patch out to all devices, CISA revealed. “The patch is available to all affected devices. As soon as the device is connected to the internet, it will check for a new firmware version. If a new version is available, the device will download and install it. Other than connecting the device to the internet, no user interaction is required.”

The advisory added that if a user wants to verify that they received a patch for this vulnerability, they can verify the firmware version is greater than what is listed above by navigating to the ‘About’ screen on the thermostat ‘Menu > System Info > About.’

CISA also revealed the presence of a remotely exploitable, low attack complexity improper input validation vulnerability affecting Rockwell Automation’s ThinManager ThinServer equipment, which is deployed across the critical manufacturing sector. The advisory disclosed that the vulnerability affects various versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software.

The agency said that ‘successful exploitation of these vulnerabilities could allow an attacker to remotely delete arbitrary files with system privileges.’ Additionally, “due to improper input validation, an integer overflow condition exists in the affected products. When ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message. CVE-2023-2914 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.”

The affected versions of ThinManager ThinServer are 11.0.0-11.0.6, 11.1.0-11.1.6, 11.2.0-11.2.6, 12.1.0-12.1.6, 12.0.0-12.0.5, 13.0.0-13.0.2, and 13.1.0.

Rockwell Automation has called upon users of ThinManager ThinServer to update as follows: versions 11.0.0-11.2.6 to 11.0.7; versions 11.1.0-11.1.6 to 11.1.7; versions 11.2.0-11.2.6 to 11.2.8; versions 12.1.0-12.1.6 to 12.1.7; versions 12.0.0-12.0.5 to 12.0.6; versions 13.0.0-13.0.2 to 13.0.3; and version 13.1.0 to 13.1.1.
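The affected-version and update lists for the Hitachi Energy AFF660/665 firmware, the Trane thermostats and ThinManager ThinServer above are the kind of data an asset owner has to match against an inventory. The following is an added example, not code from CISA or any of the vendors: it transcribes those ranges into a lookup table (the ThinManager ranges follow the affected-versions list; the Trane and Hitachi entries encode "and earlier"), parses dotted version strings, and reports what each asset should be updated to. The inventory records are constructed, and the table should be re-checked against the vendor advisories before it is relied on.

```python
from typing import Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """'03.0.02' -> (3, 0, 2). Leading zeros and component counts vary by vendor."""
    return tuple(int(part) for part in text.strip().split("."))

# Entries are (lowest affected or None for "and earlier", highest affected, remediation).
# Transcribed from the advisory summaries in this article; constructed table, verify before use.
ADVISORY_DATA = {
    "Hitachi Energy AFF660/665": [(None, "03.0.02", "04.6.01 (upcoming)")],
    "Trane XL824 Thermostat": [(None, "5.9.8", "any version greater than 5.9.8")],
    "Trane XL850 Thermostat": [(None, "5.9.8", "any version greater than 5.9.8")],
    "Trane XL1050 Thermostat": [(None, "5.9.8", "any version greater than 5.9.8")],
    "Trane Pivot Thermostat": [(None, "1.8", "any version greater than 1.8")],
    "Rockwell ThinManager ThinServer": [
        ("11.0.0", "11.0.6", "11.0.7"),
        ("11.1.0", "11.1.6", "11.1.7"),
        ("11.2.0", "11.2.6", "11.2.8"),
        ("12.1.0", "12.1.6", "12.1.7"),
        ("12.0.0", "12.0.5", "12.0.6"),
        ("13.0.0", "13.0.2", "13.0.3"),
        ("13.1.0", "13.1.0", "13.1.1"),
    ],
}

def assess(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, remediation). Unknown products raise rather than pass silently.
    Tuple comparison means '1.8.2' sorts after '1.8', so a point release above a
    listed ceiling is treated as not affected; adjust if a vendor says otherwise."""
    if product not in ADVISORY_DATA:
        raise ValueError(f"no advisory data for {product!r}")
    installed = parse_version(version)
    for low, high, fix in ADVISORY_DATA[product]:
        above_low = low is None or parse_version(low) <= installed
        if above_low and installed <= parse_version(high):
            return True, fix
    return False, None

# Constructed inventory records; in practice these come from an asset database.
INVENTORY = [
    {"asset": "sw-aff-01", "product": "Hitachi Energy AFF660/665", "version": "03.0.02"},
    {"asset": "hvac-17", "product": "Trane XL1050 Thermostat", "version": "5.9.8"},
    {"asset": "hvac-22", "product": "Trane Pivot Thermostat", "version": "1.9"},
    {"asset": "tm-srv-a", "product": "Rockwell ThinManager ThinServer", "version": "11.2.3"},
    {"asset": "tm-srv-b", "product": "Rockwell ThinManager ThinServer", "version": "13.0.3"},
]

def report(inventory):
    """One line per asset: product, installed version and the action to take."""
    lines = []
    for rec in inventory:
        affected, fix = assess(rec["product"], rec["version"])
        status = f"UPDATE to {fix}" if affected else "not affected"
        lines.append(f"{rec['asset']:<10} {rec['product']:<32} {rec['version']:<8} {status}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

Raising on an unknown product is deliberate: an asset whose product string does not match the table is a data-quality problem that should surface, not a device that quietly gets marked safe.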

Last week, CISA highlighted the presence of vulnerabilities in components of Schneider Electric EcoStruxure and Modicon, and Rockwell Automation Armor PowerFlex. It disclosed a remotely exploitable ‘authentication bypass by capture-replay’ vulnerability in Schneider Electric’s EcoStruxure Control Expert, EcoStruxure Process Expert, Modicon M340 CPU, Modicon M580 CPU, Modicon Momentum Unity M1E Processor, and Modicon MC80 equipment.
