us-cert

1. EXECUTIVE SUMMARY CVSS v3 7.2  ATTENTION: Exploitable remotely/low attack complexity Vendor: Advantech Equipment: WebAccess Node Vulnerabilities: Improper Control of Generation of Code ('Code Injection'), Unrestricted Upload of File with Dangerous Type 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to arbitrarily overwrite files resulting in remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Advantech products are affected: WebAccess/SCADA versions 9.1.3 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94 In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. CVE-2023-32540 has been assigned to this vulnerab...

1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: Advantech Equipment: WebAccess/SCADA Vulnerabilities: Insufficient Type Distinction 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker full control over the supervisory control and data acquisition (SCADA) server. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Advantech reports this vulnerability affect the following WebAccess/SCADA product: WebAccess/SCADA: version 8.4.5 3.2 VULNERABILITY OVERVIEW 3.2.1 INSUFFICIENT TYPE DISTINCTION CWE-351  If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.  CVE-2023-2866 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).  3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Man...

1. EXECUTIVE SUMMARY CVSS v3 9.8  ATTENTION: Exploitable remotely/low attack complexity Vendor: Moxa Equipment: MXsecurity Series Vulnerabilities: Command Injection and Use of Hard-Coded Credentials 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an unauthorized user to bypass authentication or to execute arbitrary commands on the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Moxa reports these vulnerabilities affect the following MXsecurity Series: MXsecurity Series: Software v1.0 3.2 VULNERABILITY OVERVIEW 3.2.1 COMMAND INJECTION CWE-77 A remote attacker, who has gained authorization privileges, could execute arbitrary commands on the device. CVE-2023-33235 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). 3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798 An attacker could bypass authentication for web-based application programmable interfaces (APIs)...

1. EXECUTIVE SUMMARY CVSS v3 10.0  ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Corporation Equipment: MELSEC Series CPU module Vulnerabilities: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets. The attacker needs to understand the internal structure of products to execute malicious code. Therefore, it is difficult to execute malicious code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU module:   MELSEC iQ-F Series FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Serial number 17X**** or later, version 1.220 and later  MELSEC iQ-F Series FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS: Serial number 17X**** or later, version 1.220 and later  MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DS...

1. EXECUTIVE SUMMARY CVSS v3 8.1  ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: AFS65x, AFS67x, AFR67x and AFF66x series products Vulnerabilities: Use After Free 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or lead to a Denial-of-Service (DoS).   3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x series products, are affected:  AFS660/665S, AFS660/665C, AFS670v2: Firmware 7.1.05 and earlier  AFS670/675, AFR67x: Firmware 9.1.07 and earlier  AFF660/665: Firmware 03.0.02 and earlier  AFS65x: All versions   3.2 VULNERABILITY OVERVIEW 3.2.1 USE AFTER FREE CWE-416  The libexpat library is incorporated in the AFS, AFR and AFF products family. Versions of libexpat before 2.4.9 have a use-after-free in the do-Content function in xmlparse.c. Successful exploitation of this vulnerability could lead to disclo...

1. EXECUTIVE SUMMARY CVSS v3 7.8  ATTENTION: Low attack complexity Vendor: Horner Automation Equipment: Cscape, Cscape EnvisionRV Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read, Use After Free, Access of Uninitialized Pointer, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose information and to execute arbitrary code.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Horner Automation’s Cscape are affected:  Cscape: v9.90 SP8  Cscape EnvisionRV: v4.70  3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.  CVE-2023-29503 has been assigned to ...

1. EXECUTIVE SUMMARY CVSS v3 9.8  ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 Series Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.   3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitachi Energy’s RTU500 Series Product, are affected:  For CVE-2023-0286, CVE-2022-4304   RTU500 series CMU Firmware: version 12.0.1 through 12.0.15  RTU500 series CMU Firmware: version 12.2.1 through 12.2.12   RTU500 series CMU Firmware: version 12.4.1 through 12.4.12   RTU500 series CMU Firmware: version 12.6.1 through 12.6.9   RTU500 series CMU Firmware: version 12.7.1 through 12.7.6   RTU500 series CMU Firmware: version 13.2.1 through 13.2.6   RTU500 series CMU Firmware: version 13.3.1 through ...

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Carlo Gavazzi Equipment: Powersoft Vulnerabilities: Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access and retrieve any file from the server.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Carlo Gavazzi Powersoft, an energy management software, are affected: Powersoft: Versions 2.1.1.1 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22 Carlo Gavazzi Powersoft versions 2.1.1.1 and prior have a directory traversal vulnerability that can allow an attacker to access and retrieve any file through specially crafted GET requests to the server. CVE-2017-20184 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)...

1. EXECUTIVE SUMMARY CVSS v3 10.0  ATTENTION: Exploitable remotely/low attack complexity Vendor: Johnson Controls Inc. Equipment: OpenBlue Enterprise Manager Data Collector Vulnerabilities: Improper Authentication, Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector, which do not require authentication and may expose sensitive information to an unauthorized user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Johnson Controls products are affected:  OpenBlue Enterprise Manager Data Collector: Firmware versions prior to 3.2.5.75 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER AUTHENTICATION CWE-287 Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector do not require authentication. CVE-2023-2024 has been assigned to thi...

1. EXECUTIVE SUMMARY CVSS v3 7.5  ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: WS0-GETH00200 Vulnerabilities: Active Debug Code 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module or, if certain conditions are met, either disclose or tamper with the module's configuration, or rewrite the firmware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSEC WS Series, an ethernet interface module, are affected: WS0-GETH00200: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 ACTIVE DEBUG CODE CWE-489  In the affected products, the hidden telnet function is enabled by default when shipped from the factory. An authentication bypass vulnerability could allow a remote unauthenticated attacker to log into the affected module by connecting to it via telnet.  CVE-2023-1618 has been ass...