icsa-23-348-15
Vulnerability from csaf_cisa
Published
2023-12-14 07:00
Modified
2024-01-04 07:00
Summary
Unitronics Vision and Samba Series (Update A)
Notes
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of this vulnerability could allow an unauthenticated attacker to take administrative control of Unitronics Vision and Samba series systems and use a default administrative password.
Critical infrastructure sectors
Water and Wastewater
Countries/areas deployed
Worldwide
Company headquarters location
Israel
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Recommended Practices
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
Recommended Practices
Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Recommended Practices
Known public exploitations specifically targeting this vulnerability have been reported to CISA.
{
"document": {
"acknowledgments": [
{
"organization": "CISA",
"summary": "becoming aware of active exploitation for this vulnerability."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of this vulnerability could allow an unauthenticated attacker to take administrative control of Unitronics Vision and Samba series systems and use a default administrative password.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Water and Wastewater",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Israel",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Known public exploitations specifically targeting this vulnerability have been reported to CISA.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-23-348-15 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2023/icsa-23-348-15.json"
},
{
"category": "self",
"summary": "ICSA Advisory ICSA-23-348-15 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-15"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Unitronics Vision and Samba Series (Update A)",
"tracking": {
"current_release_date": "2024-01-04T07:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-23-348-15",
"initial_release_date": "2023-12-14T07:00:00.000000Z",
"revision_history": [
{
"date": "2023-12-14T07:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "Initial Publication"
},
{
"date": "2024-01-04T07:00:00.000000Z",
"legacy_version": "Update A",
"number": "2",
"summary": "Update A - Added additional equipment, product, mitigations, and a link to the Unitronics advisory. Adjusted risk evaluation statement."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.9.00",
"product": {
"name": "Unitronics VisiLogic: \u003c9.9.00",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "VisiLogic"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c12.38",
"product": {
"name": "Unitronics OS: \u003c12.38",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "OS"
}
],
"category": "vendor",
"name": "Unitronics"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-6448",
"cwe": {
"id": "CWE-1188",
"name": "Insecure Default Initialization of Resource"
},
"notes": [
{
"category": "summary",
"text": "Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6448"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Unitronics has patched this vulnerability in VisiLogic version 9.9.00 and recommends all users update to the latest version. Please see Unitronics\u0027 update log for more information.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf"
},
{
"category": "mitigation",
"details": "For users who cannot update to the latest version, CISA urges organizations to:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password \"1111\" is not in use.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Set a password on PCOM-enabled sockets.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Control remote enabled PCOM operations using SDW10 roles.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Use an allowlist of IPs for access.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Keep Unitronics and other PLC devices updated with the latest versions by the manufacturer.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "CISA and WWS Sector partners have developed numerous tools and resources that water utilities can use to increase their cybersecurity. Please visit:",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
]
},
{
"category": "mitigation",
"details": "CISA: Water and Wastewater Cybersecurity",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://www.cisa.gov/water"
},
{
"category": "mitigation",
"details": "EPA: Cybersecurity for the Water Sector",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://www.epa.gov/waterriskassessment/epa-cybersecurity-water-sector"
},
{
"category": "mitigation",
"details": "WaterISAC: Resource Center",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://www.waterisac.org/resources"
},
{
"category": "mitigation",
"details": "American Water Works Association: Cybersecurity and Guidance",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance"
},
{
"category": "mitigation",
"details": "More information can be found by viewing the Unitronics advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf"
},
{
"category": "mitigation",
"details": "CISA has also provided further guidance in the following CSA.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002"
]
}
]
}
]
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.