
APSystems Altenergy Power Control

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Altenergy Power Control software are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

OS command injection affects Altenergy Power Control software C1.2.5 via shell metacharacters in the timezone parameter of index.php/management/set_timezone. The flaw is in set_timezone in models/management_model.php.

CVE-2023-28343 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
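
As an added illustration (not code from the advisory, CISA or APSystems), the following is a filter that a reverse proxy or log parser placed in front of the affected web interface could apply to the timezone parameter named above. The allow-list pattern for zone names and the function name check_request are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint path and parameter name come from the advisory text above.
TARGET_PATH = "/index.php/management/set_timezone"
PARAM = "timezone"
# Assumption: legitimate values are IANA-style zone names, i.e. one to three
# "/"-separated segments made only of letters, digits, "_", "+" and "-".
ZONE_NAME = re.compile(r"[A-Za-z0-9_+-]{1,32}(?:/[A-Za-z0-9_+-]{1,32}){0,2}")


def check_request(url, body=""):
    """Return (allowed, reason) for one request to the device's web interface."""
    parts = urlsplit(url)
    path = unquote(parts.path).rstrip("/").lower()
    if not path.endswith(TARGET_PATH):
        return True, "not the set_timezone endpoint"
    # Look in the query string and in a form-encoded body; split on "&" only
    # so a raw ";" stays inside the value instead of hiding the tail.
    values = []
    for encoded in (parts.query, body):
        parsed = parse_qs(encoded, keep_blank_values=True, separator="&")
        values += parsed.get(PARAM, [])
    if len(values) != 1:
        return False, "expected exactly one timezone value, got %d" % len(values)
    # fullmatch() rejects anything outside the allow-list, including spaces,
    # newlines, quotes and shell metacharacters, without enumerating them.
    if not ZONE_NAME.fullmatch(values[0]):
        return False, "timezone is not a plain zone name: %r" % values[0]
    return True, "timezone is a plain zone name"


if __name__ == "__main__":
    # Constructed sample requests (url, body), not captured traffic.
    samples = [
        ("/index.php/management/set_timezone", "timezone=Asia%2FShanghai"),
        ("/index.php/management/set_timezone", "timezone=UTC%3Bid"),
        ("/index.php/management/set_timezone", "timezone=UTC%0A"),
        ("/index.php/home", ""),
    ]
    for url, body in samples:
        print(url, body, "->", check_request(url, body))
```
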

3.3 BACKGROUND

3.4 RESEARCHER

CISA discovered a public proof of concept authored by Ahmed Alroky and superzerosec.

4. MITIGATIONS

APSystems has not responded to requests to work with CISA to mitigate this vulnerability. Users of the affected product are encouraged to contact APSystems support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01
