CISA Issues Warnings Regarding Critical Security Vulnerabilities in Industrial Control Systems

On Tuesday, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued eight advisories regarding critical flaws in Delta Electronics and Rockwell Automation equipment used in Industrial Control Systems (ICS).

InfraSuite Device Master, Delta Electronics’ real-time device monitoring software, is currently affected by 13 critical security vulnerabilities that impact all versions before 1.0.5.

“Successful exploitation of these vulnerabilities may allow an unauthenticated attacker to gain access to files and credentials, escalate privileges, and remotely execute arbitrary code,” according to CISA.

At the top of the list is CVE-2023-1133 (CVSS score: 9.8), a critical flaw in InfraSuite Device Master that allows unverified UDP packets to be accepted and their content to be deserialized. This vulnerability could be exploited by an unauthenticated attacker to remotely execute arbitrary code with potentially devastating consequences.

CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8) deserialization flaws could also be weaponized to obtain remote code execution, according to CISA.

The critical flaws in InfraSuite Device Master were first discovered by Piotr Bazydlo and an anonymous security researcher, who promptly reported them to CISA.

In addition, another set of vulnerabilities has been identified in certain versions of Rockwell Automation’s ThinManager ThinServer thin client and remote desktop protocol (RDP) server management software.

• 6.x – 10.x
• 11.0.0 – 11.0.5
• 11.1.0 – 11.1.5
• 11.2.0 – 11.2.6
• 12.0.0 – 12.0.4
• 12.1.0 – 12.1.5, and
• 13.0.0 – 13.0.1

Two of the most severe vulnerabilities found in Rockwell Automation’s ThinManager ThinServer thin client and RDP server management software are CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5), which are path traversal flaws that could allow an unauthorized remote attacker to upload any file to the directory where ThinServer.exe is located, with the potential for devastating consequences.

The implications of CVE-2023-28755 are particularly alarming, as attackers could exploit this vulnerability to replace legitimate executable files with malicious versions, resulting in the potential for remote code execution and other serious consequences.

“Successful exploitation of these vulnerabilities could potentially allow an attacker to perform remote code execution on the target system/device or crash the software,” according to CISA.

To protect against these vulnerabilities, it is strongly recommended that users update to one of the following versions of ThinManager ThinServer: 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, or 13.0.2. If you are currently using ThinManager ThinServer versions 6.x – 10.x, please note that these versions have been retired, and you must upgrade to a supported version immediately.

As a temporary mitigation, it is recommended to restrict remote access to port 2031/TCP to only known thin clients and ThinManager servers.
Notably, this latest advisory follows a previous warning from CISA issued over six months ago regarding a high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer (CVE-2022-38742, CVSS score: 8.1) that could enable attackers to execute arbitrary code remotely.