CISA warns of vulnerabilities in Rapid Software, Horner Automation, Schneider Electric, Siemens equipment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced last week the release of ICS (industrial control system) advisories providing timely information about current security issues, vulnerabilities, and exploits surrounding ICS. Equipment from Rapid Software, Horner Automation, Schneider Electric, and Siemens deployed across the critical infrastructure sector was affected.

In its advisory, CISA highlighted remotely exploitable vulnerabilities with low attack complexity in Rapid Software LLC's Rapid SCADA, an open-source industrial automation platform. Rapid SCADA versions 5.8.4 and earlier are affected; the platform is widely used in the energy and transportation sectors worldwide. The identified vulnerabilities include path traversal, relative path traversal, local privilege escalation through incorrect permission assignment for critical resources, open redirect, use of hard-coded credentials, plaintext storage of a password, and generation of error messages containing sensitive information.

The agency identified that “Successful exploitation of these vulnerabilities could result in an attacker reading sensitive files from the Rapid Scada server, writing files to the Rapid Scada directory (thus achieving code execution), gaining access to sensitive systems via legitimate-seeming phishing attacks, connecting to the server and performing attacks using the high privileges of a service, obtaining administrator passwords, learning sensitive information about the internal code of the application, or achieving remote code execution.”

Noam Moshe of Claroty Research reported these vulnerabilities to CISA.

Rapid Software did not respond to CISA’s attempts at coordination. Users of Rapid SCADA are encouraged to contact Rapid Software and keep their systems up to date.

CISA recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as minimizing network exposure for all control system devices and/or systems and ensuring they are not accessible from the internet. Additionally, organizations must locate control system networks and remote devices behind firewalls and isolate them from business networks.

It added that when remote access is required, users should use more secure methods, such as virtual private networks (VPNs), while recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the devices connected to it.

In another advisory, CISA identified a stack-based buffer overflow vulnerability in Horner Automation Cscape, with versions 9.90 SP10 and prior affected. “Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code,” it added.

Cscape is deployed across the critical manufacturing sector. CISA said that in Horner Automation Cscape versions 9.90 SP10 and prior, local attackers can exploit this vulnerability if a user opens a malicious CSP file, resulting in the execution of arbitrary code on affected installations of Cscape. CVE-2023-7206 has been assigned to this vulnerability, with a CVSS v3 base score of 7.8.

Michael Heinzl reported this vulnerability. Horner Automation recommends that users apply v9.90 SP11 or the latest version of the software.

CISA also warned of a deserialization of untrusted data vulnerability in Schneider Electric’s Easergy Studio, a power relay protection control software product. “Successful exploitation of this vulnerability could allow an attacker to gain full control of a workstation,” the agency said.

Easergy Studio is deployed across the energy sector. The security agency identified that a deserialization of untrusted data vulnerability exists in Schneider Electric Easergy Studio versions before v9.3.5 that could allow an attacker logged in with a user-level account to gain higher privileges by providing a harmful serialized object. CVE-2023-7032 has been assigned to this vulnerability, with a CVSS v3.1 base score of 7.8.

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

Schneider Electric has released Easergy Studio version 9.3.6, which includes a fix for this vulnerability and is available via SESU (Schneider Electric Software Update).

In another advisory, CISA warned of out-of-bounds read, null pointer dereference, and stack-based buffer overflow vulnerabilities in Siemens JT2Go and Teamcenter Visualization. “Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the software’s current process or crash the application causing a denial of service,” it added.

The affected products are deployed across the critical manufacturing sector. Siemens reported these vulnerabilities to CISA.

Siemens recommends that users mitigate risk from these vulnerabilities by updating JT2Go to V14.3.0.6 or later; Teamcenter Visualization V13.3 to V13.3.0.13 or later; Teamcenter Visualization V14.1 to V14.1.0.12 or later; Teamcenter Visualization V14.2 to V14.2.0.9 or later; and Teamcenter Visualization V14.3 to V14.3.0.6 or later.

Siemens also recommends that users avoid opening untrusted CGM files in JT2Go and Teamcenter Visualization.

CISA warned of a use of uninitialized resource vulnerability in Siemens SICAM A8000 equipment, used across the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an authenticated remote attacker to inject commands that are executed on the device with root privileges during device startup,” it added.

“The network configuration service of affected devices contains a flaw in the conversion of ipv4 addresses that could lead to an uninitialized variable being used in succeeding validation steps,” according to CISA. “By uploading specially crafted network configuration, an authenticated remote attacker could be able to inject commands that are executed on the device with root privileges during device startup.”
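The pattern CISA describes, a conversion step that fails without setting its output and a later validation step that then judges whatever the variable happened to hold, can be shown in a few lines of C. What follows is an added example written for this article; it is not Siemens code and is not derived from the SICAM A8000 firmware. The dotted-quad parser, the 10.0.0.0/8 "management range" and the stale value standing in for uninitialized stack contents are all constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the indeterminate contents an uninitialized
 * local would carry: here, an address left over from an earlier valid
 * configuration. Real stack garbage is unpredictable; a fixed value keeps
 * the example deterministic. */
#define STALE_STACK_VALUE 0x0A000001u   /* 10.0.0.1 */

/* Hypothetical dotted-quad conversion. Returns 1 and writes *out on
 * success; returns 0 and leaves *out untouched on any malformed input. */
static int parse_ipv4(const char *text, uint32_t *out)
{
    unsigned parts[4];
    const char *p = text;

    for (int n = 0; n < 4; n++) {
        if (!isdigit((unsigned char)*p))
            return 0;                       /* empty octet or junk */
        unsigned v = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned)(*p++ - '0');
            if (v > 255)
                return 0;                   /* octet out of range */
        }
        parts[n] = v;
        if (n < 3 && *p++ != '.')
            return 0;                       /* missing separator */
    }
    if (*p != '\0')
        return 0;                           /* trailing characters rejected */

    *out = (uint32_t)parts[0] << 24 | (uint32_t)parts[1] << 16 |
           (uint32_t)parts[2] << 8  | (uint32_t)parts[3];
    return 1;
}

/* Succeeding validation step: only the constructed management range
 * 10.0.0.0/8 is acceptable for this configuration field. */
static int in_allowed_range(uint32_t addr)
{
    return (addr >> 24) == 10;
}

/* Weak pattern: the conversion result is ignored, so on malformed input the
 * validation judges a value unrelated to the uploaded text, and the raw text
 * would flow on to later processing as if it had been validated. */
int validate_weak(const char *text)
{
    uint32_t addr = STALE_STACK_VALUE;      /* models an uninitialized local */
    parse_ipv4(text, &addr);                /* return value dropped */
    return in_allowed_range(addr);
}

/* Hardened pattern: initialize the output and treat a failed conversion as a
 * failed validation, so no later step ever acts on unconverted input. */
int validate_hardened(const char *text)
{
    uint32_t addr = 0;
    if (!parse_ipv4(text, &addr))
        return 0;
    return in_allowed_range(addr);
}

/* Helper for exercising the parser on its own. */
int parse_gives(const char *text, uint32_t expected)
{
    uint32_t addr = 0;
    return parse_ipv4(text, &addr) && addr == expected;
}

int main(void)
{
    const char *inputs[] = { "10.1.2.3", "192.168.1.1", "10.1.2", "10.1.2.3 extra" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s weak=%d hardened=%d\n", inputs[i],
               validate_weak(inputs[i]), validate_hardened(inputs[i]));
    return 0;
}
```

The last input is the instructive one: the weak validator accepts it because the leftover value 10.0.0.1 is in range, while the hardened validator rejects it because the conversion failed. Compiling with warnings enabled (`-Wall -Wextra`) and reviewing every ignored return value from a conversion routine is the cheap way to find this pattern before a configuration upload does.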

Siemens reported this vulnerability to CISA. 

Earlier this month, CISA issued three ICS advisories to provide up-to-date information on security issues, vulnerabilities, and exploits related to ICS. Those advisories address hardware vulnerabilities in Rockwell Automation FactoryTalk Activation and Mitsubishi Electric Factory Automation products.
