Nozomi Networks Labs
Vulnerability Advisories
Siemens PXC4.E16 Session Cookie Attribute Issues – CVE-2022-24045
After a successful login, the application sets the session cookie in the browser via client-side JavaScript code without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempt to browse the application over unencrypted HTTP would transmit all of the user's session cookies in plaintext across the network. An attacker able to sniff the network could then capture this sensitive information.
Siemens PXC4.E16 Lack of anti-Password Spraying and Credential Stuffing Mechanism – CVE-2022-24044
The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account.
Siemens PXC4.E16 Username Enumeration through Response Timing – CVE-2022-24043
The login functionality of the application fails to normalize the response times of login attempts made with wrong usernames against those made with correct usernames. A remote unauthenticated attacker could exploit this side-channel information to perform a username enumeration attack and identify valid usernames.
Siemens PXC4.E16 Insufficient Session Expiration – CVE-2022-24042
The web application returns an AuthToken that does not expire at the defined auto-logoff delay timeout. An attacker able to capture this token could re-use old session credentials or session IDs for authorization.
Siemens PXC4.E16 Weak PBKDF2 Default Cost Factor – CVE-2022-24041
The web application stores the PBKDF2-derived key of users' passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts, then successfully perform an offline cracking attack and recover the plaintext passwords of other users.
Siemens PXC4.E16 DoS through Insufficiently-Constrained PBKDF2 Cost Factor – CVE-2022-24040
The web application fails to enforce an upper bound on the cost factor of the PBKDF2-derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2-derived key with a remarkably high cost factor and then attempting a login to the so-modified account.
Siemens PXC4.E16 XLS Injection – CVE-2022-24039
The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it in the generated XML body of the XLS report document, so that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could leverage the application to deliver malicious files to higher-privileged users and obtain Remote Code Execution (RCE) on the administrator’s workstation.
uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID – CVE-2022-30295
The uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning due to the use of predictable DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.
Valmet DNA Remote Code Execution – CVE-2021-26726
A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517 allows an attacker to execute commands with SYSTEM privileges.
APC by Schneider Electric Network Management Cards (NMC) Exposure of Sensitive Information to an Unauthorized Actor – CVE-2021-22825
Philips IntelliBridge EC 40/EC 80 Hub unauthenticated administration interface – CVE-2021-33017
Specific paths of the administration interface are not protected by authentication.
Philips IntelliBridge EC 40/EC 80 Hub hardcoded credentials – CVE-2021-32993
Credentials for the administration interface are hardcoded in the application.
Philips Patient Information Center iX (PIC iX) and Efficia CM Series insecure communication – CVE-2021-43550
The patient data produced by Efficia CM Series monitors and consumed by the PIC iX workstation are encrypted with an insecure scheme.
Philips Patient Information Center iX (PIC iX) patient data backup hardcoded encryption key – CVE-2021-43552
The key used to encrypt patient data backups is hardcoded within the PIC iX workstation.
Philips Patient Information Center iX (PIC iX) denial of service – CVE-2021-43548
A network service running on the PIC iX workstation does not correctly validate the input it receives; parsing a malformed packet can trigger a workstation reboot.
Schneider Electric Software Update Insufficient Entropy – CVE-2021-22799
An insufficient entropy vulnerability in SESU can allow an attacker to decrypt the SESU proxy password from the registry.
APC by Schneider Electric Network Management Cards (NMC) Cross-Site Scripting (XSS) – CVE-2021-22814
A CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability exists which could cause arbitrary script execution when a malicious file is read and displayed.
MELSEC iQ-R Series Safety CPU authorization bypass – CVE-2021-20599
An unauthenticated remote attacker can obtain credentials other than the password and log in to the CPU module.
AXIS OS Improper Recipient Validation in Network Test Functionalities – CVE-2021-31987
A user-controlled parameter related to the SMTP test functionality is not correctly validated, making it possible to bypass blocked network recipients.
AXIS OS SMTP Header Injection in Email Test Functionality – CVE-2021-31988
A user-controlled parameter related to the SMTP test functionality is not correctly validated, making it possible to add Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
AXIS OS Heap-based Buffer Overflow – CVE-2021-31986
User-controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage.
MELSEC iQ-R Series CPU login denial of service – CVE-2021-20598
A remote attacker can lock out registered users by continuously trying to log in with an incorrect password.
MELSEC iQ-R Series CPU credentials leak – CVE-2021-20597
An attacker who can sniff the traffic when the password of an existing user is changed or a new user is registered can obtain the credentials required to log in.
MELSEC iQ-R Series CPU Username Bruteforce – CVE-2021-20594
A remote attacker can exploit the authentication protocol to build a username brute-forcer that reveals the list of registered users.
Annke N48PBB Stack-based Buffer Overflow – CVE-2021-32941
A parameter in the playback search HTTP request was found to be improperly handled by the server executable, making it possible to trigger a stack-based buffer overflow and obtain execution of arbitrary code with the same privileges as the server user (root).
ThroughTek P2P protocol deobfuscation – CVE-2021-32934
The communication between ThroughTek servers, OEM products embedding the ThroughTek P2P library, and client applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication.
Mitsubishi Electric MELSEC iQ-R Series products – CVE-2021-20591
An attacker may prevent legitimate clients from connecting to an affected product by manipulating the link parameter or changing its state.
Mitsubishi Electric recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
Siemens HMI out of bounds write over SNMP – CVE-2019-19276
Specially crafted packets sent to Port 161/UDP can cause an out of bounds write over the SNMP service requiring a cold restart in order to resume its functionality.
JTEKT TOYOPUC products – CVE-2021-27458
An attacker could prevent Ethernet communication from being established in the affected products by manipulating the link parameter or changing its state.
JTEKT Corporation recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
Reolink P2P protocol deobfuscation and credentials leak – CVE-2020-25173
The communication between Reolink NVRs, P2P servers, and applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication. During the tests, this was observed to contain the P2P credentials.
Reolink P2P Video/audio Lack of Encryption and Stream Reconstruction – CVE-2020-25169
The Reolink P2P video/audio stream is transmitted without any encryption. Any actor who can access the client/NVR traffic as it traverses the Internet can access its content, with no confidentiality for the parties involved.
Mitsubishi Electric Multiple Factory Automation Engineering Software Products (Update A) – CVE-2020-14496
Successful exploitation of this vulnerability could allow an attacker to escalate privileges and execute malicious programs. This could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.
Schneider Electric Modicon Controllers Denial of Service – CVE-2018-7794
This vulnerability could cause a denial-of-service condition when reading data with invalid index using Modbus TCP.
Siemens SCALANCE X Switches Denial of Service – CVE-2019-10942
An attacker may send large message packages repeatedly to the telnet service, which may create a denial-of-service condition.
Mitsubishi Electric MELSEC-Q Series Ethernet Module Denial of Service – CVE-2019-10977
An attacker could send crafted TCP packets against the FTP service, forcing the target devices to enter an error mode and cause a denial-of-service condition.
Rockwell Automation CompactLogix 5370 Stack-based Buffer Overflow – CVE-2019-10952
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability.
Siemens SIMATIC S7 Denial of Service – CVE-2018-13815
An attacker could exhaust the available connection pool of an affected device by opening a sufficient number of connections to the device.
Rockwell Automation RSLinx Classic Denial of Service – CVE-2018-14827
A remote, unauthenticated threat actor may intentionally send specially-crafted Ethernet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.
Emerson DeltaV DCS Workstations Unauthorized Code Execution – CVE-2018-14791
Non-administrative users are able to change executable and library files on the affected products.
Emerson DeltaV DCS Workstations Unauthorized Code Execution – CVE-2018-14797
A specially-crafted DLL file may be placed in the search path and loaded as an internal and valid DLL. This may allow arbitrary code execution.
Emerson DeltaV DCS Workstations Unauthorized Code Execution – CVE-2018-14795
Improper path validation may allow an attacker to replace executable files.
Siemens SIMATIC STEP 7 and SIMATIC WinCC Unauthorized Code Execution – CVE-2018-11454
Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to manipulate resources, which may be transferred to devices and executed there by a different user.
Siemens SIMATIC STEP 7 and SIMATIC WinCC Unauthorized Code Execution – CVE-2018-11453
Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially-crafted files. This may prevent TIA Portal startup (denial-of-service) or lead to local code execution.
GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi Denial of Service – CVE-2018-8867
The device does not properly validate input, which could allow a remote attacker to send specially-crafted packets. This may cause the device to become unavailable.
WAGO 750 Series Denial of Service – CVE-2018-8836
A remote attacker may take advantage of an improper implementation of the 3-way handshake during a TCP connection, affecting communications with commissioning and service tools. Specially-crafted packets may also be sent to Port 2455/TCP/IP, used by the Codesys management software. This may result in a denial-of-service condition affecting communications with commissioning and service tools.
Emerson ControlWave Micro Process Automation Controller Denial of Service – CVE-2018-5452
A stack-based buffer overflow vulnerability caused by sending crafted packets on port 20547 could force the PLC to change its state into halt mode.
Schneider Electric Modicon M340 PLC – CVE-2017-6017
Successful exploitation of this vulnerability may render the device unresponsive. A physical reset of the PLC may be required.
© 2022 Nozomi Networks, Inc.
All Rights Reserved.