The U.S. Cybersecurity and Infrastructure Security Agency has released eight Industrial Control Systems advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation.
"Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code," CISA said.
Top of the list is CVE-2023-1133, a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code.
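The flaw class behind CVE-2023-1133 is a service that deserializes whatever lands on its UDP socket. The following is an added example, not Delta Electronics' code: the message format, field names, port-10100 handler and shared key are all hypothetical, and it sets the unverified pattern the advisory describes next to a receive path that caps size, checks an HMAC tag and enforces a strict schema before acting on a datagram.

```python
import hashlib
import hmac
import json
import pickle

# Hypothetical demo key: a real deployment provisions a per-device secret, never a constant.
SHARED_KEY = b"demo-only-shared-secret"
TAG_LEN = 32                      # HMAC-SHA256 digest length
MAX_LEN = 512                     # reject oversized datagrams before parsing anything
FIELDS = {"device_id": str, "status": str, "temp_c": (int, float)}
STATUSES = {"ok", "warning", "fault"}

def handle_status_unsafe(datagram: bytes):
    """The flawed pattern the advisory describes: deserialize whatever arrives, unverified."""
    return pickle.loads(datagram)  # pickle rebuilds arbitrary objects, so the sender decides what runs

def build_status(device_id: str, status: str, temp_c: float) -> bytes:
    """What a legitimate sender emits: a JSON body followed by an HMAC-SHA256 tag over it."""
    body = json.dumps({"device_id": device_id, "status": status, "temp_c": temp_c}).encode()
    return body + hmac.new(SHARED_KEY, body, hashlib.sha256).digest()

def parse_status(datagram: bytes) -> dict:
    """Hardened receive path: size cap, integrity check, data-only format, strict schema.
    The UDP source address is spoofable, so trust rests on the tag, not on the peer IP."""
    if not TAG_LEN < len(datagram) <= MAX_LEN:
        raise ValueError("bad datagram length")
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed")
    try:
        obj = json.loads(body.decode("utf-8"))   # JSON yields plain data, never live objects
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed body") from exc
    if not isinstance(obj, dict) or set(obj) != set(FIELDS):
        raise ValueError("unexpected field set")
    for name, typ in FIELDS.items():
        if isinstance(obj[name], bool) or not isinstance(obj[name], typ):
            raise ValueError(f"bad type for {name}")
    if obj["status"] not in STATUSES:
        raise ValueError("unknown status value")
    return obj

def accepts(datagram: bytes) -> bool:
    """True when the hardened parser would act on the datagram, False when it rejects it."""
    try:
        parse_status(datagram)
        return True
    except ValueError:
        return False
```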
Piotr Bazydlo and an anonymous security researcher have been credited with discovering and reporting the shortcomings to CISA. Another set of vulnerabilities relates to Rockwell Automation's ThinManager ThinServer and affects the following versions of the thin client and remote desktop protocol server management software -.
"Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software," CISA noted.
The disclosure arrives more than six months after CISA warned of a high-severity buffer overflow vulnerability in Rockwell Automation ThinManager ThinServer that could result in arbitrary remote code execution.
News URL
https://thehackernews.com/2023/03/cisa-alerts-on-critical-security.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
|---|---|---|---|
| 2023-03-27 | CVE-2023-1133 | Deserialization of Untrusted Data vulnerability in Deltaww Infrasuite Device Master 00.00.01A/00.00.02A. Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/UDP by default. | 9.8 |