us-cert

1. EXECUTIVE SUMMARY CVSS v3 10.0  ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Corporation Equipment: MELSEC Series CPU module Vulnerabilities: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious code on a target product by sending specially crafted packets. The attacker needs to understand the internal structure of products to execute malicious code. Therefore, it is difficult to execute malicious code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU module:   MELSEC iQ-F Series FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Serial number 17X**** or later, version 1.220 and later  MELSEC iQ-F Series FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS: Serial number 17X**** or later, version 1.220 and later  MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DS...

1. EXECUTIVE SUMMARY CVSS v3 8.1  ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: AFS65x, AFS67x, AFR67x and AFF66x series products Vulnerabilities: Use After Free 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or lead to a Denial-of-Service (DoS).   3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitachi Energy’s AFS65x, AFS67x, AFR67x and AFF66x series products, are affected:  AFS660/665S, AFS660/665C, AFS670v2: Firmware 7.1.05 and earlier  AFS670/675, AFR67x: Firmware 9.1.07 and earlier  AFF660/665: Firmware 03.0.02 and earlier  AFS65x: All versions   3.2 VULNERABILITY OVERVIEW 3.2.1 USE AFTER FREE CWE-416  The libexpat library is incorporated in the AFS, AFR and AFF products family. Versions of libexpat before 2.4.9 have a use-after-free in the do-Content function in xmlparse.c. Successful exploitation of this vulnerability could lead to disclo...

1. EXECUTIVE SUMMARY CVSS v3 7.8  ATTENTION: Low attack complexity Vendor: Horner Automation Equipment: Cscape, Cscape EnvisionRV Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Read, Use After Free, Access of Uninitialized Pointer, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose information and to execute arbitrary code.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Horner Automation’s Cscape are affected:  Cscape: v9.90 SP8  Cscape EnvisionRV: v4.70  3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121  The affected application lacks proper validation of user-supplied data when parsing project files (e.g., CSP). This could lead to a stack-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.  CVE-2023-29503 has been assigned to ...

1. EXECUTIVE SUMMARY CVSS v3 10.0  ATTENTION: Exploitable remotely/low attack complexity Vendor: Johnson Controls Inc. Equipment: OpenBlue Enterprise Manager Data Collector Vulnerabilities: Improper Authentication, Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker, under certain circumstances, to make application programming interface (API) calls to the OpenBlue Enterprise Manager Data Collector, which do not require authentication and may expose sensitive information to an unauthorized user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Johnson Controls products are affected:  OpenBlue Enterprise Manager Data Collector: Firmware versions prior to 3.2.5.75 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER AUTHENTICATION CWE-287 Under certain circumstances, API calls to the OpenBlue Enterprise Manager Data Collector do not require authentication. CVE-2023-2024 has been assigned to thi...

1. EXECUTIVE SUMMARY CVSS v3 7.5  ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: WS0-GETH00200 Vulnerabilities: Active Debug Code 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module or, if certain conditions are met, either disclose or tamper with the module's configuration, or rewrite the firmware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSEC WS Series, an ethernet interface module, are affected: WS0-GETH00200: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 ACTIVE DEBUG CODE CWE-489  In the affected products, the hidden telnet function is enabled by default when shipped from the factory. An authentication bypass vulnerability could allow a remote unauthenticated attacker to log into the affected module by connecting to it via telnet.  CVE-2023-1618 has been ass...

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Rockwell Automation Equipment: FactoryTalk Diagnostics Vulnerabilities: Deserialization of Untrusted Data 2. UPDATE OR REPOSTED INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-20-051-02-Rockwell Automation FactoryTalk Diagnostics (Update A) that was published February 20, 2020, on the ICS webpage at cisa.gov/ICS. 3. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges. 4. TECHNICAL DETAILS 4.1 AFFECTED PRODUCTS The following versions of FactoryTalk Diagnostic software, a subsystem of the FactoryTalk Service Platform, are affected: FactoryTalk Diagnostics software: Versions 2.00 to 6.11 4.2 VULNERABILITY OVERVIEW 4.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502  Factory Talk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe...

1. EXECUTIVE SUMMARY CVSS v3 6.7  ATTENTION: Public exploits are available Vendor: Hitachi Energy Equipment: MicroSCADA Pro/X SYS600 Products Vulnerabilities: Permissions, Privileges, and Access Controls 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected product. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitachi Energy’s MicroSCADA Pro/X SYS600 products are affected: SYS600: 9.4 FP2 Hotfix 5 and earlier SYS600: 10.1.1 and earlier 3.2 VULNERABILITY OVERVIEW 3.2.1 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264   The ActiveBar ActiveX control distributed in ActBar.ocx 1.0.3.8 in SYS600 product does not properly restrict the SetLayoutData method, which could allow attackers to execute arbitrary code via a crafted data argument. CVE-2011-1207 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:...

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Carlo Gavazzi Equipment: Powersoft Vulnerabilities: Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access and retrieve any file from the server.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Carlo Gavazzi Powersoft, an energy management software, are affected: Powersoft: Versions 2.1.1.1 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22 Carlo Gavazzi Powersoft versions 2.1.1.1 and prior have a directory traversal vulnerability that can allow an attacker to access and retrieve any file through specially crafted GET requests to the server. CVE-2017-20184 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)...

1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Snap One Equipment: OvrC Cloud, OvrC Pro Devices Vulnerabilities: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to impersonate and claim devices, execute arbitrary code, and disclose information about the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Snap One component is affected: OvrC Pro version 7.1 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20 The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests t...

1. EXECUTIVE SUMMARY CVSS v3 7.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Equipment: ArmorStart Vulnerabilities: Improper Input Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a malicious user to view and modify sensitive data or make the web page unavailable. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Rockwell ArmorStart are affected: ArmorStart ST281E: Version 2.004.06 and later ArmorStart ST284E: All versions ArmorStart ST280E: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20  A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability. CVE-2023-29031 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVS...