On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued eight Industrial Control Systems (ICS) advisories warning of major flaws, including CVE-2023-1133, in Delta Electronics and Rockwell Automation equipment. In particular, Delta Electronics’ InfraSuite Device Master, a real-time device monitoring application, carries 13 security vulnerabilities, all of which affect versions prior to 1.0.5.
If these vulnerabilities are exploited, an unauthorized attacker can access files and credentials, escalate privileges, and remotely execute arbitrary code, CISA stated.
CVE-2023-1133 Technical Overview
The most serious vulnerability is CVE-2023-1133 (CVSS score: 9.8), a deserialization-of-untrusted-data flaw: the software accepts unverified UDP packets and deserializes their content, giving a remote, unauthenticated attacker the ability to execute arbitrary code.
Specifically, the Device-status service in InfraSuite Device Master versions prior to 1.0.5 listens on port 10100/UDP and deserializes the content of the packets it receives without verifying them. An unauthenticated attacker therefore only needs to send a crafted packet to that port to remotely execute arbitrary code.
CISA also flagged two further deserialization flaws in InfraSuite Device Master, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145 (CVSS score: 7.8), which could likewise be used to gain remote code execution. These vulnerabilities were discovered and reported to CISA by Piotr Bazydlo and an anonymous security researcher.
CISA Warns about Path Traversal Vulnerabilities in Rockwell Automation ThinManager ThinServer
Rockwell Automation’s ThinManager ThinServer is vulnerable to two path traversal flaws, tracked as CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5). They affect versions 6.x to 10.x, 11.0.0 to 11.0.5, 11.1.0 to 11.1.5, 11.2.0 to 11.2.6, 12.0.0 to 12.0.4, 12.1.0 to 12.1.5, and 13.0.0 to 13.0.1.
The more severe of the two, CVE-2023-28755, lets an unauthenticated remote attacker upload arbitrary files to the directory where ThinServer.exe is installed. Because that includes overwriting existing executable files with malicious versions, the flaw can be weaponized for remote code execution.
CISA warns that exploiting these vulnerabilities could allow an attacker to execute code remotely on the target system or crash the software. Users should upgrade to the fixed release for their branch: 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, or 13.0.2. ThinManager ThinServer versions 6.x to 10.x are no longer supported, so users on those releases should migrate to a supported version. As a precaution, remote access to port 2031/TCP should be restricted to known thin clients and ThinManager servers.
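The mechanics behind a file-upload path traversal of the kind described above, shown as an added example that is not Rockwell Automation’s code and does not reflect the actual ThinServer upload protocol, which this page does not describe. The install tree, the uploads/ subdirectory, the file names and the handler signatures are all constructed here for illustration. The weak handler joins the client-supplied name straight onto the upload directory; the hardened one normalises both separator styles, refuses every dot, empty or drive-letter component, confirms the resolved path still lies under the upload directory, and opens the file with O_EXCL so nothing that already exists (an executable, or a planted symlink) can be overwritten.

```python
import os
import tempfile


def save_upload_unsafe(upload_dir: str, client_name: str, data: bytes) -> str:
    """Weak handler: joins the client-supplied name onto the upload directory.
    A name such as "../ThinServer.exe" escapes upload_dir, and because the
    target is opened for writing, an existing executable is replaced."""
    target = os.path.join(upload_dir, client_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def resolve_upload_path(upload_dir: str, client_name: str) -> str:
    """Return the absolute path an upload may be written to, or raise ValueError.

    Both separator styles are normalised first (the real service runs on
    Windows, but the check should not depend on the platform), every path
    component must be a plain name, drive letters are refused, and the
    resolved path must still sit inside upload_dir after realpath() has
    followed any symlinks."""
    parts = client_name.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"rejected {client_name!r}: empty or dot component")
    if ":" in parts[0]:
        raise ValueError(f"rejected {client_name!r}: drive letter")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected {client_name!r}: escapes upload directory")
    return target


def save_upload_safe(upload_dir: str, client_name: str, data: bytes) -> str:
    """Hardened handler: validated path, then O_CREAT|O_EXCL so an existing
    file (or a symlink planted at that name) is never overwritten or followed."""
    target = resolve_upload_path(upload_dir, client_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def _raises(exc_type, fn, *args) -> bool:
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def demonstrate() -> dict:
    """Exercise both handlers against a throw-away install tree constructed here."""
    with tempfile.TemporaryDirectory() as root:
        install_dir = os.path.join(root, "ThinManager")
        upload_dir = os.path.join(install_dir, "uploads")
        os.makedirs(upload_dir)
        exe = os.path.join(install_dir, "ThinServer.exe")
        with open(exe, "wb") as fh:
            fh.write(b"ORIGINAL SERVER BINARY")  # placeholder content

        # Weak handler: the traversal lands on the executable one level up.
        save_upload_unsafe(upload_dir, "../ThinServer.exe", b"ATTACKER BINARY")
        with open(exe, "rb") as fh:
            overwritten = fh.read() == b"ATTACKER BINARY"

        # Hardened handler: each traversal shape is refused before any write.
        attacks = ["..\\ThinServer.exe", "../ThinServer.exe", "/etc/passwd",
                   "C:\\Windows\\evil.exe", "x/../../ThinServer.exe"]
        rejected = [n for n in attacks
                    if _raises(ValueError, save_upload_safe, upload_dir, n, b"ATTACKER BINARY")]
        saved = save_upload_safe(upload_dir, "firmware/2023-04.bin", b"legit")
        inside = saved.startswith(os.path.realpath(upload_dir) + os.sep)
        refused = _raises(FileExistsError, save_upload_safe,
                          upload_dir, "firmware/2023-04.bin", b"again")
        return {"unsafe_overwrote_exe": overwritten, "safe_rejected": rejected,
                "safe_saved_inside_upload_dir": inside, "safe_refused_overwrite": refused}


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The realpath check and the O_EXCL open are independent layers: the first stops the name from pointing outside the directory, the second stops a valid name from clobbering something already there. Neither closes the window between resolving the path and opening it if an attacker can swap a parent directory for a symlink in the meantime, so the upload directory itself should not be writable by anyone but the service.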
What Is a Deserialization Vulnerability?
Unsafe deserialization, also known as insecure deserialization, is a vulnerability that occurs when an application deserializes untrusted input, reconstructing objects from data an attacker can shape. Many deserializers do not merely rebuild data; they instantiate classes and invoke methods along the way, so a crafted stream can take control of the application’s logic flow and, in the worst case, execute attacker-supplied code.
The issue arises whenever attacker-controlled bytes reach the deserializer, whether from a network packet, a cookie, an uploaded file or a field in a user-submitted form. The attacker can inject arbitrary objects into the application, changing how it was meant to function. The defence is to authenticate the input before deserializing it and to use data-only formats with a strict schema rather than formats that reconstruct arbitrary objects.
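The two failure modes this page describes, a listener that deserializes unverified UDP packets (the Device-status service case above) and deserialization of untrusted input in general, side by side with the hardened form. This is an added example and not Delta Electronics’ or CISA’s code; the page does not describe the real InfraSuite wire format, so the DeviceStatus record, the JSON field names, the 32-byte HMAC-SHA256 tag layout and the out-of-band shared key are all assumptions made for illustration. Python’s pickle stands in for whatever object serializer the product uses: the vulnerable handler hands socket bytes to pickle.loads(), and a stream built with a __reduce__ hook runs a callable of the sender’s choosing during unpickling; the safe handler verifies the packet first, parses a data-only format, checks the schema, and builds the object itself.

```python
import hashlib
import hmac
import json
import os
import pickle
import socket
from dataclasses import dataclass


@dataclass
class DeviceStatus:
    device_id: str
    temperature_c: float
    alarm: bool


# --- Vulnerable pattern: treat the datagram as an object graph ---------------
def handle_datagram_unsafe(payload: bytes):
    """Hands raw socket bytes to the deserializer. pickle.loads() does not just
    rebuild data: a stream can say "call this callable with these arguments",
    and that call happens here, before any validation can run."""
    return pickle.loads(payload)


class Gadget:
    """Stand-in for the attacker's object. Unpickling it invokes os.getpid();
    a real payload names os.system or subprocess.Popen instead."""
    def __reduce__(self):
        return (os.getpid, ())


def malicious_datagram() -> bytes:
    """What the attacker sends: a pickle stream, not a status record."""
    return pickle.dumps(Gadget())


# --- Hardened pattern: authenticate the packet, then parse data only ----------
TAG_LEN = hashlib.sha256().digest_size   # assumed layout: 32-byte tag, then JSON body
SHARED_KEY = b"example-secret-provisioned-out-of-band"  # assumed per-site secret
EXPECTED_FIELDS = {"device_id", "temperature_c", "alarm"}


def sign(body: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def encode_status(status: DeviceStatus, key: bytes = SHARED_KEY) -> bytes:
    body = json.dumps(status.__dict__, separators=(",", ":")).encode()
    return sign(body, key) + body


def handle_datagram_safe(payload: bytes, key: bytes = SHARED_KEY) -> DeviceStatus:
    """Verify first, parse second, construct the object yourself last."""
    if len(payload) < TAG_LEN:
        raise ValueError("truncated datagram")
    tag, body = payload[:TAG_LEN], payload[TAG_LEN:]
    if not hmac.compare_digest(tag, sign(body, key)):
        raise ValueError("authentication tag mismatch")  # unverified packet: drop it
    try:
        fields = json.loads(body)  # JSON yields primitives only; nothing executes here
    except ValueError as exc:
        raise ValueError("malformed body") from exc
    if not isinstance(fields, dict) or set(fields) != EXPECTED_FIELDS:
        raise ValueError("unexpected field set")
    if not isinstance(fields["device_id"], str) or not 0 < len(fields["device_id"]) <= 64:
        raise ValueError("bad device_id")
    temp = fields["temperature_c"]
    if isinstance(temp, bool) or not isinstance(temp, (int, float)):  # bool subclasses int
        raise ValueError("bad temperature_c")
    if not isinstance(fields["alarm"], bool):
        raise ValueError("bad alarm")
    return DeviceStatus(fields["device_id"], float(temp), fields["alarm"])


def roundtrip_over_udp(payload: bytes) -> bytes:
    """Push the payload through a real loopback UDP socket: the listener gets
    bytes plus a source address it cannot trust, and nothing else."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))  # ephemeral port standing in for 10100/UDP
        listener.settimeout(2)
        sender.sendto(payload, listener.getsockname())
        received, _source = listener.recvfrom(65535)
        return received
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    good = roundtrip_over_udp(encode_status(DeviceStatus("ups-01", 31.5, False)))
    evil = roundtrip_over_udp(malicious_datagram())
    print("safe handler accepted:", handle_datagram_safe(good))
    print("unsafe handler returned os.getpid() result:", handle_datagram_unsafe(evil))
```

The HMAC answers CISA’s "without verifying the UDP packets" point: a packet that was not produced by a holder of the key is dropped before a single byte of it is parsed. The JSON step answers the deserialization point: a data-only format cannot name a class or a callable, so the worst a forged body can do is fail the schema check. The same split applies to BinaryFormatter in .NET and ObjectInputStream in Java, which, like pickle, reconstruct arbitrary object graphs and should never be fed network input.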