CISA publishes ICS advisories covering hardware vulnerabilities in KNX, Opto 22, Rockwell Automation, CODESYS equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Thursday six ICS (industrial control systems) advisories that provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The notices cover hardware vulnerabilities in KNX Protocol, Opto 22 SNAP PAC S1, Rockwell Automation Input/Output modules, and the last three advisories covered the CODESYS Development System. For immediate technical information and mitigations, the security organization advises users and administrators to examine the latest ICS warnings.

CISA disclosed the presence of an exploitable remotely/low attack complexity/known public exploitation in KNX devices using KNX Connection Authorization. The agency said that an ‘overly restrictive account lockout mechanism’ vulnerability was found in all versions of the KNX devices using Connection Authorization Option 1 Style in which no BCU Key is currently set. 

The advisory added that ‘successful exploitation of this vulnerability could cause users to lose access to their device, potentially with no way to reset the device.’ Felix Eberstaller reported this vulnerability to CISA.

Furthermore, the notice added that KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. “The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password.” 

It also said that if the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. “Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way. CVE-2023-4346 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.”

The Belgian company recommends system integrators, installers, ETS users, and end customers to follow common IT security guidelines, and asks users to follow the recommendations in the KNX Secure Checklist. It also recommends that developers always set the BCU Key in every KNX Project that is already finished and will be commissioned in the future. Handover the BCU Key as part of the project documentation to the building owner.

In another advisory, CISA identified that the OPTO 22 SNAP PAC S1 industrial programmable automation controller equipment contained various vulnerabilities, including improper restriction of excessive authentication attempts, weak password requirements, improper access control, and uncontrolled resource consumption. Nicolas Cano of Dragos reported these vulnerabilities to CISA.

Deployed across the critical manufacturing sector, the advisory added that SNAP PAC S1 firmware version R10.3b is affected. It also noted that ‘successful exploitation of these vulnerabilities could allow an attacker to brute force passwords, access certain device files, or cause a denial-of-service condition.’

OPTO 22 recommends users follow directions from industrial cybersecurity company Dragos and CISA for this vulnerability. 

Dragos recommends that users disable the built-in web server when not in use through the Network Security settings within the OPTO 22 Pac Manager software; restrict access to the built-in web server found on HTTPS (TCP/443); restrict access to the FTP Port (TCP/21); and ensure user credentials are changed to something long, complex, and unique. 

​CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. They must locate control system networks and remote devices behind firewalls and isolate them from business networks. ​When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

In another ICS advisory, Rockwell Automation warned of the presence of an ‘out-of-bounds write’ vulnerability across 1734-AENT/1734-AENTR Series C, 1734-AENT/1734-AENTR Series B, 1738-AENT/ 1738-AENTR Series B, 1794-AENTR Series A, 1732E-16CFGM12QCWR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-16CFGM12P5QCWR Series B, 1732E-IB16M12R Series B, 1732E-OB16M12R Series B, 1732E-16CFGM12R Series B, 1732E-IB16M12DR Series B, 1732E-OB16M12DR Series B, 1732E-8X8M12DR Series B, 1799ER-IQ10XOQ10 Series B equipment. 

The agency added that ‘successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service on the affected products.’ Rockwell Automation reported this vulnerability to CISA.

Deployed across the global critical manufacturing sector, the advisory added that select Input/Output modules from Rockwell Automation are affected, including ​1734-AENT/1734-AENTR Series C: Versions 7.011 and prior; ​1734-AENT/1734-AENTR Series B: Versions 5.019 and prior; ​1738-AENT/ 1738-AENTR Series B: Versions 6.011 and prior; ​1794-AENTR Series A: Versions 2.011 and prior; ​1732E-16CFGM12QCWR Series A: Versions 3.011 and prior; ​1732E-12X4M12QCDR Series A: Versions 3.011 and prior; and 1732E-16CFGM12QCR Series A: Versions 3.011 and prior. 

The notice also identified ​1732E-16CFGM12P5QCR Series A: Versions 3.011 and prior; ​1732E-12X4M12P5QCDR Series A: Versions 3.011 and prior; ​1732E-16CFGM12P5QCWR Series B: Versions 3.011 and prior; ​1732E-IB16M12R Series B: Versions 3.011 and prior; ​1732E-OB16M12R Series B: Versions 3.011 and prior; ​1732E-16CFGM12R Series B: Versions 3.011 and prior; 1732E-IB16M12DR Series B: Versions 3.011 and prior; ​1732E-OB16M12DR Series B: Versions 3.011 and prior; ​1732E-8X8M12DR Series B: Versions 3.011 and prior; and 1799ER-IQ10XOQ10 Series B: Versions 3.011 and prior. 

“Pyramid Solutions’ affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition,” the advisory said. “​CVE-2022-1737 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated.”

Rockwell Automation encourages users of the affected software to upgrade to the corrected firmware to mitigate the issues. Additionally, users are encouraged to implement suggested security best practices to minimize the risk of vulnerability.  

In another advisory, CISA disclosed the presence of an ‘uncontrolled search path element’ vulnerability in CODESYS Development System affecting versions from 3.5.17.0 and prior to 3.5.19.20. “​Successful exploitation of this vulnerability could cause users to unknowingly launch a malicious binary placed by a local attacker.”

Deployed across the critical manufacturing sector, CISA said that ​”in CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20 a vulnerability allows for execution of binaries from the current working directory in the users’ context. The ​CVE-2023-3662 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated.”

The advisory revealed that Carlo Di Dato of Deloitte Risk Advisory Italia – Vulnerability Research Team reported this vulnerability. CERT@VDE coordinated the vulnerability.

ODESYS recommends users update the CODESYS Development System to version 3.5.19.20, the advisory said. ​The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.

In another advisory, CISA reported the presence of the ‘improper restriction of excessive authentication attempts’ vulnerability in the CODESYS Development System, affecting versions prior to 3.5.19.20. “Successful exploitation of this vulnerability could provide a local attacker with account information.”

CISA said that a user reported this vulnerability. CERT@VDE coordinated the vulnerability. “A missing brute-force protection in CODESYS Development System prior to 3.5.19.20 could allow a local attacker to have unlimited attempts of guessing the password within an import dialog. CVE-2023-3669 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated,” it added. 

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20, the advisory added. “The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store.”

In yet another advisory, CISA disclosed the presence of ‘insufficient verification of data authenticity’ vulnerability in CODESYS Development System, affecting versions from 3.5.11.0 and prior to 3.5.19.20. “Successful exploitation of this vulnerability could allow an attacker to execute a-man-in-the-middle (MITM) attack to execute arbitrary code.”

Sina Kheirkhah of Summoning Team working with Trend Micro Zero Day Initiative reported this vulnerability. CERT@VDE coordinated the vulnerability, according to CISA. “In CODESYS Development System versions from 3.5.11.0 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server. CVE-2023-3663 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated,” it added.

Earlier, this week, the CISA published four ICS advisories that provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS environments. The agency disclosed hardware loopholes in Hitachi Energy AFF66x firmware, Trane thermostats, and Rockwell Automation ThinManager ThinServer. CISA also released an update on the Mitsubishi Electric MELSEC WS Series.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.