Top ICS Vulnerabilities This Week: Critical Bugs in Rockwell Automation, Siemens, and Viessmann

Cyble’s latest ICS vulnerabilities report discloses eight critical vulnerabilities in products, including Rockwell Automation, Siemens, and Viessmann Climate Solutions.

Key Takeaways

  • Cyble highlights eight significant vulnerabilities affecting industrial control systems (ICS), as disclosed by the Cybersecurity and Infrastructure Security Agency (CISA).
  • Among the critical issues identified, CVE-2024-45032, affecting Siemens Industrial Edge Management, stands out due to its critical CVSS score of 10. Exploitation of this bug requires no permissions or user interaction.
  • Major vendors impacted by these vulnerabilities include Rockwell Automation, Siemens, and Viessmann Climate Solutions.
  • Several critical vulnerabilities affecting Viessmann Vitogate 300 are at high risk of exploitation because a proof of concept is available and the product’s internet exposure has been recorded by Cyble’s Internet of Things search engine, ODIN.
  • In the past week, U.S. CISA advisories disclosed multiple vulnerabilities impacting Sinema Remote Connect from Siemens. Cyble researchers using ODIN discovered over 1,000 internet-exposed instances that could become targets for attackers in the near future.
  • A critical Authorization Bypass vulnerability (CVE-2024-45032) in Siemens’ Industrial Edge Management has also been flagged, with Cyble’s ODIN scanner detecting over 52 internet-facing instances.

Overview

Cyble Research and Intelligence Labs (CRIL) has observed multiple vulnerabilities in its Weekly Industrial Control System (ICS) Vulnerability Intelligence Report. This report provides a comprehensive overview of critical vulnerabilities disclosed from September 10 to September 16.

The Cybersecurity and Infrastructure Security Agency (CISA) issued 29 security advisories concerning Industrial Control Systems (ICS) in the past week. These advisories highlight eight significant vulnerabilities in products from various vendors, including Rockwell Automation, Siemens, and Viessmann Climate Solutions.

Key vulnerabilities include command injection and heap-based overflow issues that could severely affect critical infrastructure.

The Week’s Top ICS Vulnerabilities

1. CVE-2024-45824: Command injection – Rockwell Automation

CVE-2024-45824 is a critical vulnerability in Rockwell Automation FactoryTalk View Site Edition up to version 14.0. It affects an unspecified functionality and carries a CVSS score of 9.8. Exploitation requires network access but no permissions or user interaction, and is considered low difficulty.

Mitigation: Upgrading the affected software eliminates the vulnerability. Utilize ODIN’s capabilities to determine if devices are exposed and secure them accordingly.


2. CVE-2024-35783: Execution with Unnecessary Privileges – Siemens

A critical vulnerability with a CVSS score of 9.1 has been identified in Siemens SIMATIC BATCH, SIMATIC Information Server (2020, 2022), SIMATIC PCS 7, SIMATIC Process Historian (2020, 2022), and SIMATIC WinCC (Runtime Professional, SCADA Software). The flaw is in the DB Server component; it is exploitable over the network with low difficulty, but the attacker needs high privileges.

Mitigation: Upgrading the affected software eliminates the vulnerability.

3. CVE-2023-44373: Improper Neutralization of Special Elements – Siemens

CVE-2023-44373 is a vulnerability in Siemens devices whose input fields are not properly sanitized. Because server-side input validation is missing, an authenticated remote attacker with administrative privileges can inject code or gain root shell access; the improper neutralization of special elements amounts to a command injection flaw. The affected devices include the Siemens RUGGEDCOM and SCALANCE M-800/S615 families.

Mitigation: Update to the latest firmware version, specifically version 3.0.2 or higher.

4. CVE-2024-45032: Authorization Bypass – Siemens Industrial Edge Management

A critical vulnerability has been identified in the Device Token Handler component of Siemens Industrial Edge Management Pro and Industrial Edge Management Virtual. The flaw allows attackers to bypass authorization. It has a CVSS score of 10.0, the highest possible severity. Exploitation is feasible over a network with low difficulty and requires no permissions or user interaction.

Mitigation: Upgrade the affected systems to the following versions or later:

  • Industrial Edge Management Pro: Version 1.9.5 and later
  • Industrial Edge Management Virtual: Version 2.3.1-1 and later

5. CVE-2023-46850: Use after free – Siemens

This vulnerability in OpenVPN (versions 2.6.0 to 2.6.6) is a use-after-free issue, potentially leading to undefined behavior, memory leaks, or remote code execution when network buffers are sent to a remote peer. The CVSS score is 9.8, indicating a critical severity. Exploitation requires network access but no special permissions or user interactions.

Mitigation: The most effective way to mitigate CVE-2023-46850 is to install the latest software updates from Siemens, containing the necessary fixes.

6. CVE-2024-33698: Heap-based Buffer Overflow – Siemens User Management Components

CVE-2024-33698 is a critical vulnerability in several Siemens products, including SIMATIC Information Server 2022 and 2024, SIMATIC PCS neo, SINEC NMS, and Totally Integrated Automation Portal. The issue resides in the User Management Components (UMC) and is classified as a heap-based buffer overflow. This vulnerability has a CVSS score of 9.8, indicating its high severity. Exploiting this vulnerability requires network access but no special permissions or user interaction.

Mitigation and Workaround: Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • CVE-2024-33698:
    • Filter the ports 4002 and 4004 to only accept connections to/from the IP addresses of machines that run UMC and are part of the UMC network, e.g., with an external firewall
    • In addition, if no RT server machines are used, port 4004 can be filtered completely

Product-specific remediations or mitigations can be found in the Affected Products and Solution section of the Siemens advisory.
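The UMC workaround above is a port-filtering rule, and it is easy to get the two cases (RT servers present, RT servers absent) mixed up on a real firewall. The following is an added example, not Siemens' tooling: it turns the advisory text into an nftables ruleset loadable with `nft -f`, restricting TCP 4002 and 4004 to the machines that run UMC and dropping 4004 for every source when no RT server machines exist. The host addresses, table name and chain name are assumptions for illustration.

```python
"""Generate an nftables ruleset for the Siemens UMC port-filtering workaround.

Added example, not Siemens' tooling: restrict TCP 4002 and 4004 to machines
that run UMC; filter 4004 completely when no RT server machines are used.
The host addresses, table and chain names are assumptions for illustration.
"""
import ipaddress

UMC_PORTS = (4002, 4004)  # ports named in the Siemens workaround
RT_SERVER_PORT = 4004     # only needed while RT server machines exist


def umc_nft_rules(umc_hosts, rt_servers_used=True, table="filter", chain="input"):
    """Return a list of nftables commands restricting the UMC ports.

    umc_hosts: IPv4/IPv6 address strings of machines that run UMC.
    rt_servers_used: when False, port 4004 is dropped from every source.
    Invalid addresses raise ValueError rather than producing a silent hole.
    """
    peers = sorted({ipaddress.ip_address(h) for h in umc_hosts},
                   key=lambda a: (a.version, int(a)))
    if not peers:
        raise ValueError("at least one UMC host address is required")
    rules = [
        f"add table inet {table}",
        f"add chain inet {table} {chain} "
        f"{{ type filter hook input priority 0; policy accept; }}",
    ]
    for port in UMC_PORTS:
        if port == RT_SERVER_PORT and not rt_servers_used:
            # no RT servers: the advisory allows filtering 4004 completely
            rules.append(f"add rule inet {table} {chain} tcp dport {port} drop")
            continue
        for addr in peers:
            fam = "ip6" if addr.version == 6 else "ip"
            rules.append(
                f"add rule inet {table} {chain} {fam} saddr {addr} "
                f"tcp dport {port} accept"
            )
        # everything not explicitly allowed above is dropped for this port
        rules.append(f"add rule inet {table} {chain} tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    # constructed sample: two UMC machines, no RT servers in this cell
    print("\n".join(umc_nft_rules(["10.0.5.10", "10.0.5.11"], rt_servers_used=False)))
```

The accept rules are emitted before the per-port drop so that ordering, not chain policy, decides the outcome; the chain keeps `policy accept` so unrelated traffic on the UMC host is untouched, which matches the advisory's narrow "filter these ports" wording rather than a full lockdown.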

7. CVE-2023-45852: Command Injection – Viessmann Climate Solutions SE

CVE-2023-45852 is a command injection vulnerability in the Viessmann Vitogate 300 firmware (version 2.1.3.0). An unauthenticated attacker can exploit this vulnerability by injecting shell metacharacters into the ipaddr parameter in the JSON data for the put method in the /cgi-bin/vitogate.cgi endpoint. This allows the attacker to bypass authentication and execute arbitrary commands, potentially compromising the system. The vulnerability has a CVSS score of 9.8, indicating a critical severity level. No user interaction or specific permissions are required to exploit this flaw, and it can be exploited over a network with low difficulty.

Mitigation: Update to the latest version to fix the issue.
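The Vitogate 300 flaw described above is a textbook case of an `ipaddr` value reaching a shell without validation. As an added example (not Viessmann's code, whose internals the advisory does not show), the block below shows the input gate a hardened `put` handler would apply, accepting only a literal IP address, together with a small detector that flags requests to `/cgi-bin/vitogate.cgi` whose `ipaddr` value is not a plain address. The log format and the sample lines are constructed for illustration.

```python
"""Strict ``ipaddr`` validation and detection of suspicious vitogate requests.

Added example, not Viessmann's code. The hardened handler accepts only a
literal IPv4/IPv6 address for ``ipaddr``; the detector scans constructed
log lines of the form '<ts> <src_ip> <method> <path> <json_body>'.
"""
import ipaddress
import json
import re

VITOGATE_ENDPOINT = "/cgi-bin/vitogate.cgi"  # endpoint named in the advisory
# Characters that would let a value reach a shell as more than one token.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\\"' ]")


def is_valid_ipaddr(value):
    """Return True only if value is a bare IP address with no metacharacters."""
    if not isinstance(value, str) or SHELL_META.search(value):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def handle_put(body_json):
    """Hardened handling of a put request: validate ipaddr before any use.

    Returns (status, message). Only the input gate the vulnerable version
    lacked is modelled; the device's real behaviour is not.
    """
    try:
        body = json.loads(body_json)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(body, dict) or body.get("method") != "put":
        return 400, "unsupported method"
    ipaddr = body.get("ipaddr")
    if not is_valid_ipaddr(ipaddr):
        return 400, "ipaddr must be a literal IP address"
    # Safe to use from here: pass as one argv element, never via a shell string.
    return 200, f"accepted {ipaddr}"


def flag_suspicious(log_lines):
    """Return the log lines that target the vitogate endpoint with a body
    that is unparsable or carries a non-IP ipaddr value."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 4)
        if len(parts) < 5 or parts[3] != VITOGATE_ENDPOINT:
            continue
        try:
            body = json.loads(parts[4])
        except ValueError:
            hits.append(line)  # garbage sent to this endpoint is itself notable
            continue
        if isinstance(body, dict) and "ipaddr" in body \
                and not is_valid_ipaddr(body["ipaddr"]):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2024-09-12T10:00:01Z 192.0.2.10 POST /cgi-bin/vitogate.cgi {"method":"put","ipaddr":"192.0.2.50"}',
    '2024-09-12T10:00:05Z 198.51.100.7 POST /cgi-bin/vitogate.cgi {"method":"put","ipaddr":"192.0.2.50; true"}',
    '2024-09-12T10:00:09Z 192.0.2.11 GET /index.html -',
    '2024-09-12T10:00:12Z 198.51.100.8 POST /cgi-bin/vitogate.cgi {"method":"put","ipaddr":"$(true)"}',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The validator is deliberately an allow-list (parse as an address, or reject) rather than a deny-list of metacharacters alone; the regex is kept only as a cheap early exit and for logging. On the detection side, the same function is reused so that what the handler would reject is exactly what the monitor alerts on.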

8. CVE-2023-5222: Use of Hardcoded Credentials – Viessmann Climate Solutions SE

A critical vulnerability (CVSS score: 9.8) exists in Viessmann Vitogate 300 firmware up to version 2.1.3.0, specifically in the isValidUser function of the /cgi-bin/vitogate.cgi component within the Web Management Interface. The vulnerability stems from the use of a hard-coded password, making it exploitable over the network with low difficulty and with no user interaction or permissions required. Public exploit details are available. The vendor has not responded to disclosure attempts.

Conclusion

The vulnerability severity distribution for ICS vulnerabilities shows a predominance of critical and high-severity issues in products belonging to known ICS vendors. The majority of affected products come from vendors like Siemens and Rockwell Automation. This calls for a prompt response to mitigate potential impacts on industrial control systems.

Organizations must prioritize patching these vulnerabilities, implement robust security measures, and follow recommended best practices to protect their ICS environments from potential threats. Regular updates, security monitoring, and proactive risk management are essential for maintaining the integrity and security of critical infrastructure.

Recommendations for Mitigation

  • Implement network segmentation to separate ICS networks from corporate and internet networks. Use firewalls and demilitarized zones (DMZs) to control traffic and limit exposure.
  • Apply multi-factor authentication for ICS system access. Limit user permissions based on the principle of least privilege to minimize potential damage.
  • Keep all ICS hardware and software updated with the latest patches to protect against known vulnerabilities. Regular patching is crucial for maintaining system security.
  • Deploy comprehensive security monitoring tools to detect and alert suspicious activities. Maintain detailed logs for forensic investigations and incident response.
  • Develop a robust incident response plan tailored to ICS environments. Regularly test and update the plan to ensure effective response to security incidents.
  • Train personnel on ICS-specific security risks and best practices. Awareness of potential threats and social engineering attacks is essential for maintaining security.
  • Use secure remote access methods such as VPNs and strong encryption. Minimize direct remote access and monitor remote sessions for potential threats.
  • Continuously review and update security policies to adapt to evolving threats and changes in the ICS environment. Ensure alignment with industry best practices and regulatory requirements.
  • Conduct vulnerability assessments and penetration testing to identify and address weaknesses in ICS systems. Regular assessments are vital for proactive security management.

