US Agency for Cybersecurity and Safety of Infrastructure (CISA) on this Tuesday icsa-23-080-02 Contains information about 13 vulnerabilities in Infrasuite Device Master from Delta Electronics – real -time monitoring software for monitoring devices. Problems affect all versions of the program up to 1.0.5.
“Successful operation of these vulnerabilities can allow an unauthorized attacker to access file and accounting data, increase privileges and remotely execute arbitrary code” – says in the message CISA.
In the upper part of the list is the vulnerability of cve-2023-1133 (Evaluation CVSS: 9, 9, 9, 9, 9 8), which arises due to the fact that Infrasuite Device Master accepts unverified UDP packets and semerializes their contents, thereby allowing a remote unauthorized attacker to perform arbitrary code.
Two other vulnerabilities of the deserialization, cve-2023-1139 (estimate of CVSS: 8.8 ) and cve-2023-1145 (7.8 score) can also be used for remote code execution.
Another set of vulnerabilities described in detail in the recommendations under the identifier icsa-23- 080-06 refers to Thinmanager Thinserver from Rockwell Automation and affects the following versions of software for controlling a thin client and a remote desktop (RDP):
- 6.x – 10.x
- 11.0.0 – 11.0.5
- 11.1.0 – 11.1.5
- 11.2.0 – 11.2 .6
- 12.0.0 – 12.0.4
- 12.1.0 – 12.1.5 and
- 13.0.0 – 13.0.1
The most serious of the problems are two vulnerabilities of circling the track, tracking as cve-2023-28755 (CVSS: 9.8) and cve-2023-28756 (CVSS: 7, 7, 7, 7, 7, 7, 7, 7, 7. 5) that can allow a remote unauthorized attacker to download arbitrary files into the directory where Thinserver.exe is installed.
What is even more alarming, the attacker can use cve-2023-28755 for the rewriting of the existing executable Files by Trojan versions, which can also lead to remote code execution.