CISA releases security advisory regarding two ICS vulnerabilities

Target Industry

Industry sectors affiliated with critical national infrastructure (CNI).

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory pertaining to two Industrial Control System (ICS) vulnerabilities.

The first affects three Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation products and is tracked as CVE-2023-5391 (CVSSv3.1 score: 9.8). The second, tracked as CVE-2023-29464, has a lower CVSSv3.1 score of 8.2 and was discovered in Rockwell Automation FactoryTalk Linx.

Impact

  • Successful exploitation of CVE-2023-5391 would almost certainly allow a threat actor to gain remote code execution capabilities on target systems.
  • Successful exploitation of CVE-2023-29464 would almost certainly allow an unauthenticated threat actor to read data from memory via crafted malicious packets. It has been assessed as highly likely that such a compromise would result in a denial-of-service (DoS) condition in FactoryTalk Linx over the Common Industrial Protocol (CIP).

Vulnerability Detection

Both ICS vendors have released security updates addressing the respective vulnerabilities. Product versions predating those updates remain vulnerable to potential exploitation.

Affected Products

Schneider Electric (CVE-2023-5391):

  • EcoStruxure Power Monitoring Expert: All versions prior to Hotfix-145271
  • EcoStruxure Power Operation with Advanced Reports: All versions prior to application of Hotfix-145271
  • EcoStruxure Power SCADA Operation with Advanced Reports: All versions prior to Hotfix-145271.

Rockwell Automation (CVE-2023-29464):

  • FactoryTalk Linx: v6.20 and prior.

Containment, Mitigations & Remediations

It is strongly recommended that the mitigation strategies disclosed by both vendors are adhered to and applied as a matter of urgency. These have been outlined below:

Schneider Electric (CVE-2023-5391):

It is also strongly recommended that the following Schneider Electric cyber security best practices are implemented:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network
  • Install physical controls so that no unauthorised personnel can access industrial control components
  • Place all controllers in locked cabinets and do not set them to “Program” mode
  • Avoid connecting programming software to any network other than that intended for the system
  • Scan all methods of mobile data exchange with the isolated network
  • Do not allow mobile devices that have connected to any network other than the intended network to connect to the safety or control networks without proper sanitisation
  • Minimise network exposure for all control systems and ensure that they are not accessible from the internet
  • Utilise secure methods, such as virtual private networks (VPNs) for remote access purposes.

Rockwell Automation (CVE-2023-29464):

It is strongly recommended that the following Rockwell Automation and CISA cyber security best practices are implemented to mitigate the risk of exploitation:

  • Install the security patches for the respective versions
  • Minimise network exposure for all control systems, ensuring they are not accessible from the internet
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks
  • Utilise secure methods, such as VPNs for remote access purposes.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Schneider Electric and Rockwell Automation hold significant shares of the power conversion equipment manufacturing and industrial automation markets, respectively. Products from both vendors are used extensively by organisations within industry sectors closely affiliated with CNI. Within this context, nation-state threat actors almost certainly view organisations whose operational environments rely on these products as prime targets as they seek to compromise critical infrastructure to meet state geopolitical objectives.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

CVE-2023-5391 – Common Weakness Enumeration:
CWE-502 – Deserialization of Untrusted Data

CVE-2023-29464 – Common Weakness Enumeration:
CWE-20 – Improper Input Validation

Further Information

An Intelligence Terminology Yardstick showing the likelihood of events