Hackers Hit West Virginia Hospital in Ransomware Attack, Walk Out Empty Handed
offline after it was breached and hit by a ransomware attack.
Most attacks now follow the same path: criminals breach an organization’s
security and steal whatever they can, then deploy some form of ransomware. The
stolen documents are then used to extort money from the organization.
As it turns out, the Montgomery General Hospital incident highlighted the
importance of some measures against such attacks, even when cri
Korenix Jetwave
1. EXECUTIVE SUMMARY
- CVSS v3 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Korenix
- Equipment: Jetwave
- Vulnerabilities: Command Injection, Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the underlying operating system of the device or cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Korenix Jetwave are affected:
- Korenix JetWave4221 HP-E versions V1.3.0 and prior
- Korenix JetWave 3220/3420 V3 versions prior to V1.7
- Korenix JetWave 2212G version V1.3.T
- Korenix JetWave 2212X/2112S version V1.3.0
- Korenix JetWave 2211C versions prior to V1.6
- Korenix JetWave 2411/2111 versions prior to V1.5
- Korenix JetWave 2411L/2111L versions prior to V1.6
- Korenix JetWave 2414/2114 versions prior to V1.4
- Korenix JetWave 2424 versions prior to V1.3
- Korenix JetWave 2460 versions prior to V1.6
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection. An attacker could modify the file_name parameter to execute commands as root.
CVE-2023-23294 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
Korenix Jetwave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to command injection via /goform/formSysCmd. An attacker could modify the sysCmd parameter to execute commands as root.
CVE-2023-23295 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
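Both command-injection entries above (3.2.1 via file_name, 3.2.2 via sysCmd) share one root cause: a request parameter reaches a shell running with the web server's privileges. The C below is an added example, not Korenix's firmware code; the handler names, the /cfg path and the tar command are constructed to show the vulnerable pattern beside its fix (an allowlist check followed by execv without a shell).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative vulnerable pattern (constructed, not Korenix's code): the
 * request parameter is pasted into a command line and handed to /bin/sh, so
 * ';', '|' and '$(...)' inside file_name become shell syntax. If the web
 * server runs as root, so does whatever the shell is told to run. */
static void export_config_unsafe(const char *file_name)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "tar czf /tmp/export.tgz /cfg/%s", file_name);
    system(cmd);
}

/* Hardened step 1: accept only a tightly defined name. No '/', no leading
 * '.', no shell metacharacters, bounded length. Reject, do not "sanitize". */
bool is_safe_file_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return false;
    }
    return true;
}

/* Hardened step 2: never involve a shell. The name travels as one argv
 * element to a fixed binary via execv, so its bytes can only ever be a file
 * name. Returns the child's exit status, or -1 if the name is rejected or the
 * process could not be run. (Dropping root before exec is the other half of
 * the fix and belongs to the web server's privilege model.) */
int export_config_safe(const char *file_name)
{
    if (!is_safe_file_name(file_name))
        return -1;
    char path[128];
    snprintf(path, sizeof path, "/cfg/%s", file_name);
    char *const argv[] = { "tar", "czf", "/tmp/export.tgz", path, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/tar", argv);  /* absolute path, no PATH lookup, no shell */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample parameters: one legitimate, three hostile. */
    const char *samples[] = { "startup-config.bin", "a;reboot", "../etc/passwd", "$(id)" };
    (void)export_config_unsafe;  /* shown for contrast only; never called here */
    for (size_t i = 0; i < 4; i++)
        printf("%-20s -> %s\n", samples[i],
               is_safe_file_name(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```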
3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to a possible denial-of-service condition via /goform/formDefault. When logged in, a user could issue a POST request so that the underlying binary exits. The web-service then becomes unavailable and cannot be accessed until a user reboots the device.
CVE-2023-23296 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Communications
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
Thomas Weber of CyberDanube reported these vulnerabilities to Korenix.
4. MITIGATIONS
Korenix recommends all users update their JetWave products to the latest firmware:
- Korenix JetWave 4221 HP-E V1.4.0
- Korenix JetWave 2212G V1.10
- Korenix JetWave 2212X V1.11/2112S V1.11
- Korenix JetWave 2211C V1.6
- Korenix JetWave 2411/2111 V1.5
- Korenix JetWave 2411L/2111L V1.6
- Korenix JetWave 2414/2114 V1.4
- Korenix JetWave 2424 V1.3
- Korenix JetWave 2460 V1.6
- Korenix JetWave 3220 V3 V1.7/3420 V3 V1.7
According to Korenix, users should visit Korenix and navigate to the appropriate Korenix JetWave product page, found in the “Wireless” section on the site, and download the latest firmware.
For more information, see Korenix’s Security Advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
Industrial Control Links ScadaFlex II SCADA Controllers
1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Industrial Control Links
- Equipment: ScadaFlex II SCADA Controllers
- Vulnerability: External Control of File Name or Path
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated attacker to overwrite, delete, or create files.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Industrial Control Links ScadaFlex II SCADA Controllers are affected:
- SW: 1.03.07 (build 317), WebLib: 1.24
- SW: 1.02.20 (build 286), WebLib: 1.24
- SW: 1.02.15 (build 286), WebLib: 1.22
- SW: 1.02.01 (build 229), WebLib: 1.16
- SW: 1.01.14 (build 172), WebLib: 1.14
- SW: 1.01.01 (build 2149), WebLib: 1.13
3.2 VULNERABILITY OVERVIEW
3.2.1 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73
On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 devices, unauthenticated remote attackers can overwrite, delete, or create files. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability.
CVE-2022-25359 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: North America, South America
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
CISA discovered a public proof-of-concept (PoC) as authored by Gjoko Krstic of Zero Science Lab.
4. MITIGATIONS
Industrial Control Links has relayed that they are closing their business. This product may be considered end-of-life; continued support for this product may be unavailable.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
mySCADA myPRO
1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: mySCADA Technologies
- Equipment: mySCADA myPRO
- Vulnerabilities: OS Command Injection
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of myPRO HMI/SCADA systems are affected:
- myPRO: versions 8.26.0 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 OS COMMAND INJECTION CWE-78
mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-28400 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.2 OS COMMAND INJECTION CWE-78
mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-28716 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.3 OS COMMAND INJECTION CWE-78
mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-28384 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.4 OS COMMAND INJECTION CWE-78
mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-29169 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.5 OS COMMAND INJECTION CWE-78
mySCADA myPRO versions 8.26.0 and prior have parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-29150 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Czech Republic
3.4 RESEARCHER
Michael Heinzl publicly disclosed these vulnerabilities on the internet.
4. MITIGATIONS
mySCADA recommends users upgrade to version 8.29.0 or higher. For more information, contact mySCADA technical support. mySCADA will also send security advice by email to all registered users.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Ensure the least-privilege user principle is followed.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
Known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.
JTEKT ELECTRONICS Kostac PLC Programming Software
1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: JTEKT ELECTRONICS CORPORATION
- Equipment: Kostac PLC Programming Software
- Vulnerabilities: Out-of-bounds Read, Use After Free
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of JTEKT ELECTRONICS Kostac PLC Programming Software are affected:
- JTEKT ELECTRONICS Kostac PLC Programming Software: Versions 1.6.9.0 and earlier
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
When a specially crafted project file is opened, an out-of-bounds read occurs when processing a comment block in stage information because the end of data cannot be verified.
CVE-2023-22419 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.2 OUT-OF-BOUNDS READ CWE-125
When a specially crafted project file is opened, an out-of-bounds read occurs because the buffer size used by the PLC program instructions is insufficient.
CVE-2023-22421 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.3 USE AFTER FREE CWE-416
When the maximum number of columns to place the PLC program is out of specification by opening a specially crafted project file, a process accesses memory that has already been freed.
CVE-2023-22424 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
4. MITIGATIONS
JTEKT ELECTRONICS recommends users download the following updates:
- Version 1.6.10.0 and above
This version not only addresses the vulnerability, but also takes measures to prevent crafted project files from being opened. Project files saved with Version 1.6.9.0 or earlier can be re-saved with Version 1.6.10.0 or above to enable this tamper-proof feature. Project files saved with Version 1.6.10.0 or above cannot be opened with Version 1.6.9.0 or earlier.
For more information, see JTEKT ELECTRONICS’ Update Notice.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
CISA Releases Seven Industrial Control Systems Advisories
CISA released seven Industrial Control Systems (ICS) advisories on April 6, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-23-096-01 Industrial Control Links ScadaFlex II SCADA Controllers
- ICSA-23-096-02 JTEKT Screen Creator Advance 2
- ICSA-23-096-03 JTEKT Kostac PLC
- ICSA-23-096-04 Korenix Jetwave
- ICSA-23-096-05 Hitachi Energy MicroSCADA System Data Manager SDM600
- ICSA-23-096-06 mySCADA myPRO
- ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
Hitachi Energy MicroSCADA System Data Manager SDM600
1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: MicroSCADA System Data Manager SDM600
- Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Improper Authorization, Improper Resource Shutdown or Release, Improper Privilege Management
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Hitachi Energy’s MicroSCADA SDM600, a data management tool, are affected:
- SDM600: Versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291)
- SDM600: Versions prior to v1.3.0 (Build Nr. 1.3.0.1339)
3.2 VULNERABILITY OVERVIEW
3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
A vulnerability exists in the affected SDM600 versions' file permission validation. An attacker could exploit the vulnerability by gaining access to the system and uploading a specially crafted message to the system node, which could result in arbitrary code execution.
CVE-2022-3682 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.2 IMPROPER AUTHORIZATION CWE-285
A vulnerability exists in the affected SDM600 versions' application programming interface (API) web services authorization validation implementation. An attacker successfully exploiting the vulnerability could read sensitive data directly from an insufficiently protected or restricted data store.
CVE-2022-3683 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).
3.2.3 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404
A vulnerability exists in an SDM600 endpoint. An attacker could exploit this vulnerability by running multiple parallel requests, causing the SDM600 web services to become busy, rendering the application unresponsive.
CVE-2022-3684 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.4 IMPROPER PRIVILEGE MANAGEMENT CWE-269
A vulnerability exists in the affected SDM600 versions software. The software operates at a privilege level higher than the minimum level required. An attacker successfully exploiting this vulnerability could escalate privileges.
CVE-2022-3685 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
3.2.5 IMPROPER AUTHORIZATION CWE-285
A vulnerability exists in the affected SDM600 versions' API permission check mechanism. Successful exploitation could cause an unauthenticated user to gain access to device data, causing confidentiality and integrity issues.
CVE-2022-3686 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy recommends applying the following mitigations:
- All SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291): Update to v1.3.0.1339
- SDM600 versions prior to v1.3.0 (Build Nr. 1.3.0.1339): Apply workaround detailed below.
Hitachi Energy recommends the following security practices and firewall configurations to help protect a process control network from attacks originating from outside the network:
- Practice principles of least privileges to minimize permissions and accesses to SDM600 related resources.
- Follow security practices defined in SDM600 security deployment guidelines.
- Physically protect process control systems from unauthorized direct access.
- Do not directly connect control systems networks to the internet.
- Separate process control systems from other networks using a firewall system with a minimal number of open ports.
- Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
- Portable computers and removable storage media should be carefully scanned for viruses prior to connection to a control system.
For more information, see Hitachi security advisory 8DBD000138.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
JTEKT ELECTRONICS Screen Creator Advance 2
1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: JTEKT ELECTRONICS CORPORATION
- Equipment: Screen Creator Advance 2
- Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Use After Free
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of JTEKT ELECTRONICS Screen Creator Advance 2, a software program, are affected:
- JTEKT ELECTRONICS Screen Creator Advance 2: Ver0.1.1.4 Build01
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
When an out-of-specification error is detected, an out-of-bounds write may occur because there is no error handling process.
CVE-2023-22345 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.2 OUT-OF-BOUNDS READ CWE-125
An out-of-bounds read may occur when processing template information because the end of data cannot be verified.
CVE-2023-22346 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.3 OUT-OF-BOUNDS READ CWE-125
An out-of-bounds read may occur when processing file structure information because the end of data cannot be verified.
CVE-2023-22347 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.4 OUT-OF-BOUNDS READ CWE-125
An out-of-bounds read may occur when processing screen management information because the end of data cannot be verified.
CVE-2023-22349 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.5 OUT-OF-BOUNDS READ CWE-125
An out-of-bounds read may occur when processing parts management information because the end of data cannot be verified.
CVE-2023-22350 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.6 OUT-OF-BOUNDS READ CWE-125
An out-of-bounds read may occur when processing control management information because the end of data cannot be verified.
CVE-2023-22353 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.7 USE AFTER FREE CWE-416
When an error is detected, an out-of-bounds write may occur because there is no error handling process.
CVE-2023-22360 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
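Both JTEKT advisories describe the same parser failure: an out-of-bounds read "because the end of data cannot be verified" (the Kostac comment block and instruction buffer in 3.2.1 and 3.2.2 of that advisory, and the template, file-structure and management records in 3.2.2 through 3.2.6 here). The C below is an added example, not JTEKT's code; it uses a constructed record layout (tag, little-endian length, payload), which is an assumption and not the real project-file format, and shows the checks a parser needs before every read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (an assumption, not the real
 * project-file format): tag (1 byte) | payload length (2 bytes, LE) | payload.
 * Tag 0x43 marks a comment block whose payload is text without a NUL. */
#define TAG_COMMENT 0x43
#define HDR_LEN     3

enum parse_status {
    PARSE_TRUNCATED = -1,   /* header or payload runs past the end of data */
    PARSE_TOO_LONG  = -2,   /* payload would not fit the destination buffer */
    PARSE_BAD_TAG   = -3
};

/* Constructed sample files. The second declares a 16-byte payload but only
 * 3 bytes follow, which is exactly the shape a crafted file takes. */
static const uint8_t good_file[]      = { 0x43, 0x05, 0x00, 'S', 't', 'a', 'g', 'e' };
static const uint8_t truncated_file[] = { 0x43, 0x10, 0x00, 'S', 't', 'a' };
static const uint8_t two_records[]    = { 0x43, 0x02, 0x00, 'o', 'k',
                                          0x43, 0x00, 0x00 };

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Buggy pattern: trusts the length field and never compares it to the bytes
 * actually left in the file (CWE-125), nor to the size of out (the
 * "buffer size insufficient" case). Shown for contrast; never called. */
static int read_comment_unchecked(const uint8_t *buf, size_t off, char *out)
{
    uint16_t len = read_le16(buf + off + 1);
    memcpy(out, buf + off + HDR_LEN, len);
    out[len] = '\0';
    return len;
}

/* Hardened: every read is preceded by a check against the real end of data,
 * and the payload is also checked against the destination size. */
int read_comment_checked(const uint8_t *buf, size_t buf_len, size_t off,
                         char *out, size_t out_sz)
{
    if (off > buf_len || buf_len - off < HDR_LEN)
        return PARSE_TRUNCATED;                 /* header must fit */
    if (buf[off] != TAG_COMMENT)
        return PARSE_BAD_TAG;
    uint16_t len = read_le16(buf + off + 1);
    if (len > buf_len - off - HDR_LEN)
        return PARSE_TRUNCATED;                 /* payload must fit the file */
    if ((size_t)len >= out_sz)
        return PARSE_TOO_LONG;                  /* and the destination, plus NUL */
    memcpy(out, buf + off + HDR_LEN, len);
    out[len] = '\0';
    return len;
}

/* Walk all records with the same discipline, returning the count or an error.
 * Each header and payload is verified before the offset advances. */
int count_records(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int n = 0;
    while (off < buf_len) {
        if (buf_len - off < HDR_LEN)
            return PARSE_TRUNCATED;
        uint16_t len = read_le16(buf + off + 1);
        if (len > buf_len - off - HDR_LEN)
            return PARSE_TRUNCATED;
        off += HDR_LEN + len;
        n++;
    }
    return n;
}

int main(void)
{
    char out[32];
    (void)read_comment_unchecked;
    printf("good:      %d\n", read_comment_checked(good_file, sizeof good_file, 0, out, sizeof out));
    printf("truncated: %d\n", read_comment_checked(truncated_file, sizeof truncated_file, 0, out, sizeof out));
    printf("records:   %d\n", count_records(two_records, sizeof two_records));
    return 0;
}
```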
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
4. MITIGATIONS
JTEKT ELECTRONICS recommends users download the following updates:
- Ver.0.1.1.4 Build01A and above
For more information, see JTEKT ELECTRONICS’ Update Notice.
CISA recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
Money Message ransomware group claims to have hacked IT giant MSI
Ransomware gang Money Message claims to have hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Micro-Star International, AKA MSI, designs, manufactures, and sells motherboards and graphics cards for customers in the United States, Canada, and internationally. MSI is headquartered in Taipei, […]
The post Money Message ransomware group claims to have hacked IT giant MSI appeared first on Security Affairs.