CISA issues ICS advisories covering hardware vulnerabilities in Rockwell, Mitsubishi Electric equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued on Thursday three advisories focused on industrial control systems (ICS). These advisories aim to provide up-to-date information on security issues, vulnerabilities, and exploits related to ICS. The advisories address hardware vulnerabilities in Rockwell Automation FactoryTalk Activation and Mitsubishi Electric Factory Automation products. Additionally, an update is provided regarding Unitronics Vision and Samba Series. These advisories offer essential security recommendations to mitigate risks and enhance the overall security posture of ICS systems.

In its advisory, CISA disclosed the presence of an ‘Out-of-Bounds Write’ vulnerability in Rockwell’s FactoryTalk Activation Manager equipment used across the critical manufacturing sector. “Successful exploitation of these vulnerabilities could result in a buffer overflow and allow the attacker to gain full access to the system,” it added.

The affected version of FactoryTalk Activation Manager is V4.00, which uses Wibu-Systems CodeMeter versions earlier than 7.60c. An anonymous researcher is said to have reported these vulnerabilities to CISA.

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems’ products which internally use a version of ‘libcurl’ that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy, CISA detailed. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

The advisory disclosed that CVE-2023-38545 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated. 

CISA added that Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which contain a heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve remote code execution (RCE) and gain full access to the host system. CVE-2023-3935 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated.

Users of the affected software are advised to apply the provided risk mitigations. It is recommended to upgrade to FactoryTalk Activation Manager 5.01, which includes patches to address these issues. Rockwell Automation encourages users to implement their suggested security best practices to ensure the security of industrial automation control systems. These practices are designed to minimize the risk associated with the vulnerability.

In another ICS advisory, CISA warned of the presence of observable timing discrepancy, double free, and access of resources using incompatible types (type confusion) in multiple Mitsubishi Electric Factory Automation products. “Successful exploitation of these vulnerabilities could disclose information in the product or could cause denial-of-service (DoS) condition,” it added. 

The affected Factory Automation products include GT SoftGOT2000 versions 1.275M to 1.290C; OPC UA Data Collector versions 1.04E and prior; MX OPC Server UA (software packaged with MC Works64) versions 3.05F and later (packaged with MC Works64 Version 4.03D and later); all versions of OPC UA Server Unit, and FX5-OPC versions 1.006 and prior. Mitsubishi Electric reported these vulnerabilities to CISA.

CISA disclosed that the affected products contain an observable timing discrepancy vulnerability in their RSA decryption implementation. “By sending specially crafted packets and performing a Bleichenbacher style attack, an attack method to decrypt ciphertext by observing the behavior when a padding error occurs, an attacker could decrypt the ciphertext and disclose sensitive information. CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated,” it added. 
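The padding-error behaviour that a Bleichenbacher-style attack observes is a property of how the decryptor handles RSA PKCS#1 v1.5 unpadding. The following is an added illustration, not code from the advisory or from any Mitsubishi Electric product: it places a naive unpadding routine that returns early on the first bad byte beside one with no data-dependent exit path that substitutes a fresh random secret on failure, the countermeasure RFC 5246 section 7.4.7.1 prescribes for TLS RSA key exchange. The RSA step itself is omitted; the input `em` is assumed to be the already-decrypted k-byte block, and the 48-byte message length is assumed from TLS premaster secrets.

```python
import secrets
from typing import Optional

# Constructed example: PKCS#1 v1.5 type-2 unpadding, as performed after RSA
# decryption, in two styles.  The modular-exponentiation step is omitted; `em`
# is assumed to already be the decrypted k-byte block.


def pad_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x02 || PS || 0x00 || msg, with PS non-zero and >= 8 bytes."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))  # never 0x00
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes, k: int) -> Optional[bytes]:
    """Straightforward unpadding that returns as soon as it sees a problem.

    Which check fails decides how long the call takes and what the caller does
    next, and that depends on the padding.  That observable difference is the
    oracle a Bleichenbacher-style attack relies on.
    """
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep < 10:  # no separator, or fewer than 8 bytes of PS
        return None
    return em[sep + 1:]


def unpad_uniform(em: bytes, k: int, expected_len: int) -> bytes:
    """Unpadding with no early exit and no distinguishable error.

    Every byte is visited, all failure conditions are folded into one flag, and
    on failure the caller receives a fresh random secret of the expected length
    instead of an error, so a padding failure is not visible at this layer.
    Python cannot guarantee constant time at the CPU level; what this shows is
    the structure (single return path, uniform failure handling) that a real
    implementation needs.
    """
    bad = int(len(em) != k)
    em = (em + bytes(k))[:k]  # fixed-length view so the scan shape never varies
    bad |= int(em[0] != 0x00)
    bad |= int(em[1] != 0x02)
    sep = k  # k means "no separator found"
    for i in range(2, k):  # always scan the whole block, never break
        sep = i if (em[i] == 0 and sep == k) else sep
    bad |= int(sep == k)
    bad |= int(sep < 10)  # PS must be at least 8 bytes
    msg = em[sep + 1:]  # empty when no separator was found
    bad |= int(len(msg) != expected_len)
    fallback = secrets.token_bytes(expected_len)
    return fallback if bad else msg  # single selection point, same length either way


if __name__ == "__main__":
    k, premaster = 128, b"M" * 48  # constructed values
    good = pad_pkcs1_v15(premaster, k)
    tampered = b"\x00\x01" + good[2:]
    print("leaky:  ", unpad_leaky(good, k) == premaster, unpad_leaky(tampered, k))
    print("uniform:", unpad_uniform(good, k, 48) == premaster,
          len(unpad_uniform(tampered, k, 48)))
```

The leaky routine hands back `None` for the tampered block, so the caller has to branch on the error and typically sends a distinct alert or closes the connection at a different point; the uniform routine hands back a 48-byte value in both cases, so the protocol continues identically and only fails later at the MAC check, which is the behaviour the RFC countermeasure aims for.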

The advisory also revealed that the affected products contain a double-free vulnerability when reading a PEM file. An attacker could cause denial-of-service (DoS) on the product by leading a legitimate user to import a malicious certificate. CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated. 

Additionally, the affected products contain a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. “An attacker could disclose sensitive information in memory of the product or cause denial-of-service (DoS) on the product by getting to load a specially crafted certificate revocation list (CRL). CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated,” the advisory further identified. 

Mitsubishi Electric advises users to update their products to the recommended versions: GT SoftGOT2000 version 1.295H or later; OPC UA Data Collector version 1.05F or later; and FX5-OPC version 1.010 or later. For MX OPC Server UA and the OPC UA Server Unit, users are advised to apply the recommended mitigations and workarounds.

In its last advisory on Thursday, CISA flagged the Unitronics Vision and Samba Series as exploitable remotely with low attack complexity, with public exploits available and known public exploitation. The agency said that an ‘initialization of a resource with an insecure default’ vulnerability has been detected, and that it is aware of active exploitation of this vulnerability.

The advisory added that the “successful exploitation of this vulnerability could allow an unauthenticated attacker to take administrative control of Unitronics Vision and Samba series systems and use a default administrative password.” 

The Unitronics products affected include VisiLogic versions before 9.9.00 and OS versions before 12.38. 

Typically deployed globally in the water and wastewater sector, Unitronics Vision Series PLCs (programmable logic controllers) and HMIs (human-machine interface) use default administrative passwords, CISA revealed. “An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system. CVE-2023-6448 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated,” it added. 

Unitronics has patched this vulnerability in VisiLogic version 9.9.00 and recommends all users update to the latest version.

In November, CISA said that it was responding to the active exploitation of Unitronics PLCs used in the water and wastewater systems sector. The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with an HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.
