us-cert

1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Snap One Equipment: OvrC Cloud, OvrC Pro Devices Vulnerabilities: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to impersonate and claim devices, execute arbitrary code, and disclose information about the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Snap One component is affected: OvrC Pro version 7.1 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20 The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests t...

1. EXECUTIVE SUMMARY CVSS v3 9.8  ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Third-party components libexpat and libcurl in SINEC NMS Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Transmission of Sensitive Information 2. RISK EVALUATION Successful exploitation these vulnerabilities could allow an attacker to impact SINEC NMS confidentiality, integrity, and availability.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products are affected: Third-Party components used in SINEC NMS: All versions prior to V1.0.3.1 3.2 VULNERABILITY OVERVIEW 3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440 When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send—even when the `CURLOPT_POSTFIELDS` option has been set—if the same handle previously was used to issue a `PUT` reque...

1. EXECUTIVE SUMMARY CVSS v3 9.9  ATTENTION: Exploitable remotely/low attack complexity Vendor:  Siemens Equipment: Siveillance Video Vulnerabilities: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute code on the affected system.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports these vulnerabilities affect the following IP video management software:  Siveillance Video 2020 R2: all versions prior to V20.2 HotfixRev14 Siveillance Video 2020 R3: all versions prior to V20.3 HotfixRev12 Siveillance Video 2021 R1: all versions prior to V21.1 HotfixRev12 Siveillance Video 2021 R2: all versions prior to V21.2 HotfixRev8 Siveillance Video 2022 R1: all versions prior to V22.1 HotfixRev7 Siveillance Video 2022 R2: all versions prior to V22.2 HotfixRev5 Siveillance Video 2022 R3: all versions prior to V22.3 HotfixRev2 Siveillance Video 2023 R1: all versions prior to V23.1 HotfixRe...

1. EXECUTIVE SUMMARY CVSS v3 8.4  ATTENTION: Exploitable from adjacent network/low attack complexity Vendor: Siemens Equipment: SCALANCE W1750D Vulnerabilities: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information or steal the unsuspecting user’s session.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products from Siemens are affected:  SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0): All versions SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0): All versions SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20 The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target’s MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (e.g., authentication frames or re-associa...

1. EXECUTIVE SUMMARY CVSS v3 9.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: Kinetix 5500 EtherNet/IP Servo Drive Vulnerabilities: Improper Access Control 2. RISK EVALUATION Successful exploitation of this vulnerability could create a denial-of-service condition or allow attackers unauthorized access to the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Kinetix 5500 EtherNet/IP Servo Drive, an industrial control router, are affected: Kinetix 5500 devices manufactured between May 2022 and January 2023: Version 7.13 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER ACCESS CONTROL CWE-284 Rockwell Automation Kinetix 5500 devices manufactured between May 2022 and January 2023 running Version 7.13 have telnet and file transfer protocol (FTP) ports open by default. This could allow an attacker access to the device. CVE-2023-1834 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CV...

1. EXECUTIVE SUMMARY CVSS v3 9.8  ATTENTION: Exploitable remotely/low attack complexity Vendor: SDG Technologies Equipment: PnPSCADA Vulnerabilities: SQL Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to interact with the database and retrieve critical data. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of SDG PnPSCADA products are affected: PnPSCADA (cross platforms): v2.* 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89 The PnPSCADA system, a product of SDG Technologies CC, is afflicted by a critical unauthenticated error-based PostgreSQL Injection vulnerability. Present within the hitlogcsv.jsp endpoint, this security flaw permits unauthenticated attackers to engage with the underlying database seamlessly and passively. Consequently, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT d...

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: ThinManager Vulnerabilities: Inadequate Encryption Strength 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to decrypt traffic sent between the client and server application programming interface (API), resulting in unauthorized access to information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ThinManager, a software management platform, are affected: ThinManager: Versions 13.0 to 13.0.1 3.2 VULNERABILITY OVERVIEW 3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326 The affected product allows the use of medium-strength ciphers. If the client requests an insecure cipher, then a malicious actor could decrypt traffic sent between the client and server API. CVE-2023-2443 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (/AV:N/AC:L/PR:N/UI:N/...

1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SCALANCE LPE9403 Vulnerabilities: Command Injection, Creation of Temporary File with Insecure Permissions, Path Traversal, Heap-based Buffer Overflow 2. RISK EVALUATION Successful exploitation these vulnerabilities could allow an attacker to gain access to the device as root or create a denial-of-service condition.  3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products from Siemens are affected:  SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to 2.1 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77 The web-based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as root. CVE-2023-27407 has been assigned to this vulnerability. A C...

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Solid Edge Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or crash the application. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Siemens products are affected: Solid Edge SE2023: All versions prior to V223.0 Update 3 Solid Edge SE2023: All versions prior to V223.0 Update 2 3.2 VULNERABILITY OVERVIEW 3.2.1 NULL POINTER DEREFERENCE CWE-476  STEPTools v18SP1 ifcmesh library (v18.1) is affected due to a null pointer dereference, which could allow an attacker to deny application usage when reading a specially constructed file, resulting in an application crash.  CVE-2023-0973 has been assigned to this vulnerability. A CVSS v3 base score of 2.2 has been assigned; the CVSS vector string ...

1. EXECUTIVE SUMMARY CVSS v3 10.0  ATTENTION: Exploitable remotely/low attack complexity Vendor: Teltonika Equipment: Remote Management System and RUT model routers Vulnerabilities: Observable Response Discrepancy, Improper Authentication, Server-Side Request Forgery, Cross-site Scripting, Inclusion of Web Functionality from an Untrusted Source, External Control of System of Configuration Setting, OS Command Injection 2. RISK EVALUATION Successful exploitation of these vulnerabilities could expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Teltonika products are affected: Remote Management System (RMS): Versions prior to 4.10.0 (affected by CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2587, CVE-2023-2588) Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2...