US CISA issues ICS advisories on hardware vulnerabilities in Rockwell Automation, alpitronic, Delta Electronics


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published on Thursday ICS (industrial control systems) advisories addressing the presence of hardware vulnerabilities in equipment deployed across the critical infrastructure sector. The agency warned of security loopholes in Rockwell Automation, alpitronic, and Delta Electronics products. Additionally, CISA published an updated advisory for Rockwell Automation ControlLogix and GuardLogix.

CISA issued an advisory revealing exploitable vulnerabilities in Rockwell’s FactoryTalk Historian SE versions 9.0 and earlier, commonly used in the global critical manufacturing sector. The vulnerabilities involve the improper release of resources after their effective lifetime and inadequate handling of exceptional conditions. “Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition,” it added.

The advisory pointed out that FactoryTalk Historian SE utilizes the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to cause a partial denial-of-service condition in the PI Message Subsystem of a PI Server by consuming available memory. The vulnerability exists in FactoryTalk Historian SE versions 9.0 and earlier, and its exploitation could cause FactoryTalk Historian SE to become unavailable, requiring a power cycle to recover it. 

CVE-2023-31274 has been assigned to this vulnerability with a CVSS v3.1 base score of 7.5. Additionally, a CVSS v4 score has been calculated for CVE-2023-31274, resulting in a base score of 7.7.

CISA added that FactoryTalk Historian SE uses the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition. This vulnerability exists in FactoryTalk Historian SE versions 9.0 and earlier. The exploitation of this vulnerability could cause FactoryTalk Historian SE to become unavailable, requiring a power cycle to recover it.

CVE-2023-34348 has been identified for this vulnerability, with a calculated CVSS v3.1 base score of 7.5. Additionally, a CVSS v4 score has been determined for CVE-2023-34348, resulting in a base score of 7.7.

Rockwell reported these vulnerabilities to CISA and has released product updates addressing them, calling on users of the affected software to install FactoryTalk Historian SE version 9.01 or higher as soon as feasible.

In a separate advisory, CISA disclosed the presence of a ‘use of default credentials’ vulnerability affecting all versions of the alpitronic Hypercharger EV charger. “Successful exploitation of this vulnerability could result in an attacker disabling the device, bypassing payment, or accessing payment data.”

The chargers are deployed across the transportation sector. CISA noted that “If misconfigured, the charging devices can expose a web interface protected by authentication. If the default credentials are not changed, an attacker can use public knowledge to access the device as an administrator.”

CVE-2024-4622 has been designated for this vulnerability, with a calculated CVSS v3 base score of 8.2. Additionally, a CVSS v4 score has been computed for CVE-2024-4622, resulting in a base score of 8.3. Hanno Böck reported these vulnerabilities to CISA.

alpitronic recommends users change the default credentials for all charging devices.

CISA revealed that alpitronic advises that the interface should be connected only to internal segregated and access-controlled networks and not exposed to the public internet/web.

When informed of these vulnerabilities, alpitronic, in conjunction with and/or on behalf of affected clients, disabled the interface on any exposed devices. All clients were contacted directly and reminded that the interface is not intended to be visible on the public Internet and that default passwords should be changed.

alpitronic is also applying mitigations to all devices in the field and to new devices in production. New devices will ship with unique passwords. Devices still using the default password will be automatically assigned new unique passwords, or will receive them at first access if the device has not yet been installed. Devices whose default passwords have already been changed will not be affected. New passwords can be obtained by scanning the QR code inside the charger or in the DMS portal hyperdoc.

In another advisory, CISA disclosed the presence of a ‘deserialization of untrusted data’ vulnerability in Delta Electronics’ InfraSuite Device Master equipment used in the critical manufacturing sector. “Successful exploitation of this vulnerability could allow remote code execution,” it added.

CISA detailed that Delta Electronics InfraSuite Device Master contains a deserialization of untrusted data vulnerability because it runs a version of Apache ActiveMQ (5.15.2) that is affected by CVE-2023-46604.

CVE-2023-46604 has been linked to this vulnerability, with a calculated CVSS v3.1 base score of 9.8. Additionally, a CVSS v4 score has been determined for CVE-2023-46604, resulting in a base score of 9.3. 

An anonymous researcher working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

Delta Electronics states that this issue was fixed by version 1.0.11 released in December 2023. Delta recommends updating to version 1.0.11 or later.
