CISA Lists New ICS Advisories, Exploited Vulnerabilities, and Patch Alerts

On June 22, 2023, CISA issued a series of important alerts, underscoring critical vulnerabilities present in industrial control systems (ICS) from vendors Advantech, SpiderControl, Econolite, and Mitsubishi.

In addition, CISA emphasized the significance of patching recent vulnerabilities identified in Apple, Juniper Networks, and the Internet Systems Consortium (ISC), and has added six other vulnerabilities to its Known Exploited Vulnerabilities Catalog. 

Refer to the subheadings for more information about these updates.

CISA Released Advisories for Industrial Control Systems: Advantech, SpiderControl, Econolite, Mitsubishi 

CISA issued four advisories on June 22, 2023, addressing security concerns and vulnerabilities in industrial control systems. The advisories cover Advantech, SpiderControl, Econolite, and Mitsubishi equipment. 

For Advantech’s monitoring application, R-SeeNet, versions 2.4.22 and earlier are affected by two vulnerabilities: CVE-2023-2611 and CVE-2023-3256. Exploiting these vulnerabilities could enable unauthorized access and file manipulation.

CVE-2023-2611 (CVSS score: 9.8, Critical) involves a hidden root-level user with an unchangeable password. CVE-2023-3256 (CVSS score: 8.8, High) allows low-level users to access and load local files.

SpiderControl’s SCADAWebServer versions 2.08 and earlier have a vulnerability tracked as CVE-2023-3329 (CVSS score: 4.9, Medium) resulting from improper pathname limitations. An attacker with administrative privileges can overwrite files, potentially causing Denial-of-Service (DoS). 

In Econolite EOS versions prior to 3.2.23, there is no password requirement for “READONLY” access to crucial files containing user data. CVE identifier CVE-2023-0451 (CVSS score: 7.5, High) is assigned to this vulnerability.

Mitsubishi Electric’s MELSEC iQ-F, iQ-R, Q, and L series are impacted by CVE-2023-0457 (CVSS score: 7.5), which allows plaintext storage of a password. 

Although Econolite primarily operates in the US and Canada, the other brands -Advantech, SpiderControl, and Mitsubishi Electric- deploy their ICS equipment globally. The advisories further detail that these vulnerabilities can be exploited remotely; thus, it is urgent to patch these systems.

CISA urges users and administrators to review the ICS advisories for further details and mitigation strategies.

CISA Orders to Patch Six New Exploited Vulnerabilities

CISA, on June 22, included six additional vulnerabilities in its Known Exploited Vulnerabilities (KEV) Catalog due to ongoing exploitation activities and ordered agencies to patch them until July 13, 2023. Here are the details on the vulnerabilities:

One of the vulnerabilities, CVE-2023-20887 (CVSS score: 9.8, Critical), impacts VMware Aria Operations for Networks. This vulnerability enables a malicious actor with network access to perform remote code execution.

Another vulnerability, CVE-2020-35730 (CVSS score: 6.1, Medium), affects Roundcube Webmail versions prior to 1.2.13, 1.3.x prior to 1.3.16, and 1.4.x prior to 1.4.10. The vulnerability allows an attacker to send a plain text email with JavaScript embedded in a mishandled link reference element, leading to a Cross-Site Scripting (XSS) attack. 

CVE-2020-12641 (CVSS score: 9.8, Critical) is a remote code execution vulnerability in Roundcube Webmail before version 1.4.4. Exploiting this flaw involves utilizing shell metacharacters within the configuration settings for im_convert_path or im_identify_path in rcube_image.php.

Additionally, CVE-2021-44026 (CVSS score: 9.8, Critical) affects Roundcube versions before 1.3.17 and 1.4.x before 1.4.12, making them susceptible to potential SQL injection attacks through search or search_params functionalities. 

Two more vulnerabilities included are CVE-2016-9079 (CVSS score: 7.5, High), impacting Mozilla Firefox, Firefox ESR, and Thunderbird, and CVE-2016-0165 (CVSS score: 7.8, High), affecting Microsoft Win32k. The former is a use-after-free vulnerability in SVG Animation, exploited in the wild by targeting Firefox and Tor Browser users on Windows. The latter is a privilege escalation vulnerability in the kernel-mode driver of various Microsoft Windows operating systems. 

These newly added vulnerabilities pose significant security risks, and organizations are advised to take necessary measures to address them as soon as possible.

CISA Identifies Exploitation of CVE-2017-9248 in US Government IIS Server

From November 2022 to early January 2023, CISA identified the exploitation of a critical .NET deserialization vulnerability tracked as CVE-2019-18935 (CVSS score: 9.8) in Progress Telerik user interface (UI) for ASP.NET AJAX. The vulnerability affected the Microsoft Internet Information Services (IIS) web server of the targeted agency, enabling interactive access and remote code execution.

According to CISA, the Telerik UI version 2013.2.717 also includes the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.

In CISA’s latest update on June 15, 2023, they reported that analysis at another agency revealed the exploitation of CVE-2017-9248 in the IIS server. CISA analyzed three files, which contained web shells written in PHP, ASPX, and DLL formats.

The exploitation was carried out by unidentified APT actors and specifically targeted the Telerik UI for ASP.NET AJAX DialogHandler component.

For more details, see CISA’s analysis here.

Fixes Available for Apple, Juniper Networks, ISC Vulnerabilities 

Apple, Juniper Networks, and Internet Systems Consortium (ISC) have released security advisories to fix several vulnerabilities affecting their products. CISA strongly advises users and administrators to install the updates provided by the vendors to avoid exploitation.

Apple Fixes Potential Zero-Day Vulnerabilities to Prevent Infection of Devices

Apple has released security updates to fix a potential zero-day issue affecting multiple devices.

In June 2023, cybersecurity company Kaspersky uncovered the Triangulation Trojan. The malware is capable of infecting an entire device despite Apple’s strict restrictions on software downloads and app separation, which suggests the presence of a kernel-level zero-day vulnerability.

The vulnerabilities fixed by Apple are CVE-2023-32434, an integer overflow in kernel discovered by Kaspersky researchers, and CVE-2023-32439, a type confusion bug in WebKit. Both vulnerabilities have the potential to allow the execution of arbitrary code.

See CISA’s alert here.

Juniper Networks Fixes High-Severity Vulnerability In Junos OS

Juniper Networks has patched a high-severity vulnerability in Junos OS, and Junos OS Evolved, tracked as CVE-2023-0026 (CVSS score: 7.5). 

When a BGP update message contains a specific optional transitive attribute within an established BGP session, the session terminates with an update message error. Continuous receipt of a BGP update with the same attribute can lead to a DoS situation.

For more information, visit Juniper’s advisory for CVE-2023-0026.

Vulnerabilities in BIND9 DNS Server Software 

The Internet Systems Consortium (ISC) has issued security advisories to resolve three vulnerabilities in various versions of BIND 9, their Berkeley Internet Name Domain software. 

The vulnerabilities CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 are classified as high-severity, each with a CVSS score of 7.5. Successful exploitation of these vulnerabilities by a remote attacker could result in Denial-of-Service.

CVE-2023-2828 enables an attacker to exceed the cache size limit of a ‘named’ instance. 

CVE-2023-2829 leads to an unexpected termination of ‘named’ when synth-from-dnssec is enabled due to malformed NSEC records. DNS resolvers use NSEC (Next Secure Record) to verify the non-existence of specific record names and types during DNSSEC validation.

CVE-2023-2911 causes ‘named’ to terminate unexpectedly when the recursive-clients quota is exceeded and stale-answer-client-timeout is set to 0.

CISA urges users and administrators to carefully examine ISC advisories to resolve these vulnerabilities.

Prioritize Patches With SOCRadar

SOCRadar’s External Attack Surface Management (EASM) feature identifies your assets and maintains continuous monitoring, ensuring rapid detection of emerging security issues. By promptly issuing alerts, SOCRadar empowers organizations to proactively address potential risks and better prioritize patches.

Moreover, SOCRadar significantly enhances security measures by providing actionable intelligence through its Vulnerability Intelligence, enabling organizations to track the latest vulnerability trends and details.