Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released on Friday four advisories concerning industrial control systems (ICS).... The post CISA reports security vulnerabilities in ICS equipment from Schneider Electric, Delta Electronics, Rockwell Automation appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Multiple ICS Vulnerabilities in Schneider Electric, Delta Electronics, and Rockwell Automation Products
## CVE Details
- CVE ID: CVE-2024-10511
  * CVSS Score: 5.3 (CVSS v3.1) / 6.3 (CVSS v4)
  * CWE: Improper Authentication
- CVE ID: CVE-2024-11999
  * CVSS Score: 8.8 (CVSS v3.1) / 8.7 (CVSS v4)
  * CWE: Use of Unmaintained Third-Party Components
- CVE ID: CVE-2024-12834
  * CVSS Score: 7.8 (CVSS v3.1) / 8.4 (CVSS v4)
  * CWE: Buffer Copy without Size Limit (Implied by description of writing outside buffer)
- CVE ID: CVE-2024-12835
  * CVSS Score: 7.8 (CVSS v3.1) / 8.4 (CVSS v4)
  * CWE: Improper Input Validation (Implied by description of accepting wrong data type)
- CVE ID: CVE-2024-12836
  * CVSS Score: 7.8 (CVSS v3.1) / 8.4 (CVSS v4)
  * CWE: Improper Input Validation (Implied by description of accepting wrong data type)
- CVE ID: Unspecified (Use After Free, Out-of-bounds Write, Improper Initialization, Out-of-bounds Read, Dependency on Vulnerable Third-Party Component) in Rockwell Arena
  * CVSS Score: Not explicitly detailed for the collective.
## Affected Systems
- **Products (Schneider Electric):** PowerChute Serial Shutdown, Harmony HMI (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with Ecostruxure Operator Terminal Expert runtime), Pro-face HMI (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime).
- **Products (Delta Electronics):** DRASimuCAD.
- **Products (Rockwell Automation):** Arena equipment.
- **Versions (Schneider Electric - CVE-2024-10511):** 1.2.0.301 and prior for PowerChute Serial Shutdown.
- **Versions (Schneider Electric - CVE-2024-11999):** All versions of listed Harmony and Pro-face HMI series.
- **Versions (Delta Electronics):** Affecting DRASimuCAD prior to the January update.
- **Versions (Rockwell Arena):** Prior to V16.20.06.
- **Configurations:** CVE-2024-10511 affects deployments across the critical manufacturing sector and is exploitable where an attacker has access to the local network. Exploiting CVE-2024-11999 requires an authenticated user to install malicious code.
## Vulnerability Description
1. **CVE-2024-10511 (Schneider Electric PowerChute Serial Shutdown):** An improper authentication flaw allows an attacker on the local network to repeatedly request the `/accessdenied` URL, leading to a denial of access to the web interface.
2. **CVE-2024-11999 (Schneider Electric HMIs):** Exploitation of unmaintained third-party components allows an authenticated user who installs malicious code into the HMI product to gain complete control of the device.
3. **CVE-2024-12834, CVE-2024-12835, CVE-2024-12836 (Delta Electronics DRASimuCAD):** The program mishandles specially crafted files: when it accepts data of the wrong type, it can write outside the intended buffer (out-of-bounds write).
4. **Rockwell Arena Vulnerabilities:** A collection of flaws (Use After Free, Out-of-bounds Write/Read, Improper Initialization, Dependency on Vulnerable Third-Party Component) could result in the execution of arbitrary code upon successful exploitation.
## Exploitation
- **Status (CVE-2024-10511):** Potential exploit noted, leading to DoS.
- **Status (CVE-2024-11999):** Described as "exploitable."
- **Status (Delta/Rockwell):** Details suggest high risk if crafted files or untrusted models are loaded.
- **Complexity (Varies):** CVE-2024-11999 is listed as having **Low** attack complexity.
- **Attack Vector (Varies):** Network (for HMI/Remote Access), Local Network (for PowerChute DoS).
## Impact
- **Confidentiality:** High potential risk, especially with Rockwell Arena (arbitrary code execution) and HMI compromise (control via malicious code).
- **Integrity:** High potential risk, especially with Delta DRASimuCAD (buffer writes) and Rockwell Arena (arbitrary code execution).
- **Availability:** Confirmed impact for CVE-2024-10511 (Denial of Access to web interface). Arbitrary code execution implies full availability loss in worst cases.
## Remediation
### Patches
- **Schneider Electric PowerChute Serial Shutdown:** Update to **Version 1.3**.
- **Delta Electronics DRASimuCAD:** Install the **new version released in January** (specific identifier not provided).
- **Rockwell Automation Arena:** Upgrade to **V16.20.06 or later**.
### Workarounds
- **General HMI Mitigation (Schneider Electric):**
  * Minimize network exposure; ensure HMIs are not accessible from the public Internet or untrusted networks.
  * Implement network segmentation using a firewall to block unauthorized access.
  * Restrict usage of unverifiable portable media (USB, CD, etc.).
  * Scan all mobile data exchange media for rootkits/verify digital signatures before use.
  * Use secure communication protocols when exchanging files over the network.
  * Ensure control components are behind firewalls isolating them from business networks.
  * Install physical controls; place controllers in locked cabinets and never leave them in 'Program' mode.
- **Rockwell Arena Specific Workaround:**
  * Do not load untrusted Arena model files.
  * Hold the **control key down** when loading files to help prevent the VBA file stream from loading.
## Detection
- **Indicators of Compromise:** Detection is highly dependent on the vector. Look for unusual web access attempts on the `/accessdenied` URL (CVE-2024-10511). Look for evidence of unauthorized file uploads or arbitrary code execution originating from authenticated user sessions on HMI devices (CVE-2024-11999).
- **Detection Methods and Tools:** Network monitoring and IDS/IPS rules tailored to file format anomalies during loading/processing in Delta DRASimuCAD environments, and monitoring for unusual process behavior or arbitrary code execution on Arena servers.
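
The `/accessdenied` indicator for CVE-2024-10511 can be checked with a per-source sliding-window count over web access logs. The following is an added example, not code from CISA, the vendor or the original post. The Common Log Format input, the threshold of 5 requests in 60 seconds, the sample addresses and the `/status` path are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: logs are in Common Log Format (proxy or sensor in front of the
# web interface); the page does not give the product's own log format.
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} ')
WATCHED_PATH = "/accessdenied"   # URL named in the summary above
THRESHOLD = 5                    # assumed alert threshold per source
WINDOW = timedelta(seconds=60)   # assumed sliding window


def find_accessdenied_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: (window_start, peak_count)} for sources at/over threshold."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:  # lines are assumed to be in time order
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting
        # Compare the path only, ignoring query string and trailing slash.
        if m["target"].split("?", 1)[0].rstrip("/") != WATCHED_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["src"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()  # drop requests that fell out of the window
        if len(hits) >= threshold:
            first, peak = alerts.get(m["src"], (hits[0], 0))
            alerts[m["src"]] = (first, max(peak, len(hits)))
    return alerts


def _line(src, second, target, status=403):
    """Build one constructed log line (sample data, not captured traffic)."""
    return (f'{src} - - [10/Jan/2025:08:00:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" {status} 512')


SAMPLE = (
    [_line("192.0.2.10", s, "/accessdenied") for s in range(0, 14, 2)]  # 7 hits in 12 s
    + [_line("192.0.2.20", 5, "/accessdenied"), _line("192.0.2.20", 40, "/status", 200)]
    + ["not a log line"]
)

if __name__ == "__main__":
    for src, (first, peak) in find_accessdenied_bursts(SAMPLE).items():
        print(f"ALERT {src}: {peak} hits on {WATCHED_PATH} from {first.isoformat()}")
```

Tune the threshold and window against a baseline of normal traffic, since a single legitimate failed login may also produce a request to this URL.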
## References
- CISA Advisory ICSA-25-010-01
- CISA Advisory ICSA-25-010-02
- CISA Advisory ICSA-24-345-06
- Vendor/CISA advisories concerning Delta Electronics DRASimuCAD vulnerabilities.