The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) advisories, highlighting critical flaws in equipment from Delta Electronics and Rockwell Automation.
Delta Electronics’ InfraSuite Device Master, a real-time device monitoring software, contains 13 security vulnerabilities.
One critical flaw, CVE-2023-1133, enables an unauthenticated attacker to execute arbitrary code remotely. Two additional deserialization flaws, CVE-2023-1139 and CVE-2023-1145, also allow remote code execution.
CISA advised users to update to version 1.0.5 of InfraSuite Device Master or to limit remote access of port 2031/TCP to known thin clients and ThinManager servers.
Additionally, Rockwell Automation’s ThinManager ThinServer was also found to contain vulnerabilities in versions 6.x – 10.x, and versions 11.0.0 – 11.0.5, 11.1.0 – 11.1.5, 11.2.0 – 11.2.6, 12.0.0 – 12.0.4, 12.1.0 – 12.1.5, and 13.0.0 – 13.0.1.
The most severe of these issues are two path traversal flaws, CVE-2023-28755 and CVE-2023-28756, that allow unauthenticated remote attackers to upload arbitrary files to the directory where ThinServer.exe is installed.
At the same time, an attacker could overwrite existing executable files with trojanized versions, leading to remote code execution.
Users are advised to update to supported versions of ThinManager ThinServer or limit remote access of port 443/TCP to known thin clients and ThinManager servers.
Piotr Bazydlo and an anonymous security researcher identified and reported the issues to CISA. The agency advised users to update to the latest versions of the affected software to mitigate potential threats.
The disclosure of these vulnerabilities comes more than six months after CISA alerted the public to a high-severity buffer overflow vulnerability, CVE-2022-38742, in Rockwell Automation ThinManager ThinServer.
Finally, this vulnerability could result in arbitrary remote code execution.
