For providers

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-5631 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column—which will sort by descending dates. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Centralite Equipment: Pearl Thermostat Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial of service on the affected product. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions Centralite Pearl Thermostat are affected: Pearl Thermostat: version 0x04075010 3.2 Vulnerability Overview 3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 A vulnerability in Centralite Pearl Thermostat 0x04075010 allows attackers to cause a denial of service (DoS) via a crafted Zigbee message. CVE-2023-24678 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Xiaoyue Ma ( xma9@gmu.edu), Lannan "Lisa" Luo ( lluo4@gmu.edu) and Qiang Zeng ( zeng@gmu.edu) of George Mason University reported this vulnerability. 4. MITIGATIONS Centralite has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of Centralite Pearl Thermostat are invited to contact Centralite customer support for additional information. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 5. UPDATE HISTORY October 26, 2023: Initial Publication

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk View Site Edition Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could cause the product to become unavailable and require a restart to recover resulting in a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the following versions of FactoryTalk View Site Edition are affected: FactoryTalk View Site Edition: V11.0 3.2 Vulnerability Overview 3.2.1 IMPROPER INPUT VALIDATION CWE-20 FactoryTalk View Site Edition V11.0 insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition. CVE-2023-46289 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Rockwell Automation reported this vulnerability to CISA. 4. MITIGATIONS Rockwell Automation has provided patches for these versions v11.0 & v12.0 & v13.0. Rockwell Automation encourages users of the affected software to apply the risk mitigations if possible. Additionally, they encourage users to implement their suggested security best practices to minimize the risk For more information, see Rockwell Automation's security advisory. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 5. UPDATE HISTORY October 26, 2023: Initial Publication

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Sielco Equipment: PolyEco1000 Vulnerabilities: Session Fixation, Improper Restriction of Excessive Authentication Attempts, Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, access restricted pages, or hijack sessions. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Sielco PolyEco1000, a FM transmitter, are affected: PolyEco1000: CPU:2.0.6 FPGA:10.19 PolyEco1000: CPU:1.9.4 FPGA:10.19 PolyEco1000: CPU:1.9.3 FPGA:10.19 PolyEco500: CPU:1.7.0 FPGA:10.16 PolyEco300: CPU:2.0.2 FPGA:10.19 PolyEco300: CPU:2.0.0 FPGA:10.19 3.2 Vulnerability Overview 3.2.1 SESSION FIXATION CWE-384 Sielco PolyEco1000 is vulnerable to a session hijack vulnerability due to the cookie being vulnerable to a brute force attack, lack of SSL, and the session being visible in requests. CVE-2023-0897 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307 Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system. CVE-2023-5754 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). 3.2.3 IMPROPER ACCESS CONTROL CWE-284 Sielco PolyEco1000 is vulnerable to an attacker escalating their privileges by modifying passwords in POST requests. CVE-2023-46661 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 3.2.4 IMPROPER ACCESS CONTROL CWE-284 Sielco PolyEco1000 is vulnerable to an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information. CVE-2023-46662 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 3.2.5 IMPROPER ACCESS CONTROL CWE-284 Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. CVE-2023-46663 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 3.2.6 IMPROPER ACCESS CONTROL CWE-284 Sielco PolyEco1000 is vulnerable to an improper access control vulnerability when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. CVE-2023-46664 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 3.2.7 IMPROPER ACCESS CONTROL CWE-284 Sielco PolyEco1000 is vulnerable to an authentication bypass vulnerability due to an attacker modifying passwords in a POST request and gain unauthorized access to the affected device with administrative privileges. CVE-2023-46665 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Communications COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: Italy 3.4 RESEARCHER CISA discovered a public proof of concept as authored by Gjoko Krstic of ZeroScience. 4. MITIGATIONS Sielco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of Sielco PolyEco FM Transmitter are invited to contact Sielco customer support for additional information. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 5. UPDATE HISTORY October 26, 2023: Initial Publication

CISA released nine Industrial Control Systems (ICS) advisories on October 26, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-299-01 Dingtian DT-R002 ICSA-23-299-02 Centralite Pearl Thermostat ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium ICSA-23-299-04 Rockwell Automation Arena ICSA-23-299-05 Rockwell Automation FactoryTalk View Site Edition ICSA-23-299-06 Rockwell Automation FactoryTalk Services Platform ICSA-23-299-07 Sielco PolyEco FM Transmitter ICSA-23-299-08 Sielco Radio Link and Analog FM Transmitters ICSMA-23-194-01 BD Alaris System with Guardrails Suite MX (Update A) CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Ashlar-Vellum Equipment: Cobalt, Graphite, Xenon, Argon, Lithium, and Cobalt Share Vulnerabilities: Out-of-Bounds Write, Heap-based Buffer Overflow, Out-of-Bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Ashlar-Vellum products are affected: Cobalt: v12 SP0 Build (1204.77) and prior Graphite: v13.0.48 and prior Xenon: v12 SP0 Build (1204.77) and prior Argon: v12 SP0 Build (1204.77) and prior Lithium: v12 SP0 Build (1204.77) and prior 3.2 Vulnerability Overview 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share v12 SP0 Build (1204.77), the affected applications lack proper validation of user-supplied data when parsing XE files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. CVE-2023-39427 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 3.2.2 OUT-OF-BOUNDS READ CWE-125 In Ashlar-Vellum Graphite v13.0.48, the affected application lacks proper validation of user-supplied data when parsing VC6 files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. CVE-2023-39936 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Multiple COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Michael Heinzl reported these vulnerabilities to CISA. 4. MITIGATIONS Ashlar-Vellum recommends users apply the following mitigations to help reduce risk: Install the latest version of Graphite Cobalt, Xenon, Lithium, and Argon share update v12 Build (1204.78). Only open files from trusted sources. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. 5. UPDATE HISTORY October 26, 2023: Initial Publication

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely Vendor: Rockwell Automation Equipment: FactoryTalk Services Platform Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could use a token to log into the system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the following products are affected: FactoryTalk Services Platform: v2.74 3.2 Vulnerability Overview 3.2.1 Improper Authentication CWE-287 Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk Services Platform web service and then use the token to log in into FactoryTalk Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk Services Platform web service. CVE-2023-46290 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Rockwell Automation reported this vulnerability to CISA. 4. MITIGATIONS Rockwell Automation encourages users of the affected software to update to V2.80 or later, if possible. Additionally, they encourage customers to implement their suggested security best practices to minimize the risk of vulnerability. For more information see Rockwell Automation's security advisory. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. This vulnerability has a high attack complexity. 5. UPDATE HISTORY October 26, 2023: Initial Publication

VMware released a security advisory for a vulnerability (CVE-2023-34048) affecting the VMware vCenter Server and (CVE-2023-34056) affecting [VMware Cloud Foundation]. A remote cyber actor could exploit these vulnerabilities to obtain information or take control of an affected system. CISA encourages users and administrators to review the VMware vCenter Server Out-of-Bounds Write Vulnerability VMSA-2023-0023 advisory and apply the necessary updates.

Put awareness training at the center of a strategy to secure employee devices.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.