Executive Summary: Rapid Software LLC’s industrial automation platform, Rapid SCADA, has been found susceptible to multiple critical vulnerabilities, posing significant risks of remote code execution, unauthorized access, and privilege escalation. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory detailing the potential exploits and urging immediate action.

Risk Evaluation: The identified vulnerabilities include path traversal, relative path traversal, local privilege escalation, open redirect, use of hard-coded credentials, plaintext storage of a password, and generation of error messages containing sensitive information. If exploited, these issues could allow attackers to compromise sensitive data, execute code remotely, perform phishing attacks, gain administrator credentials, and access internal code information.

Technical Details:

  1. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’):
    • CVE-2024-21852, CVSS v3: 8.8
    • A Zip Slip flaw in archive handling lets a crafted archive write files outside the intended directory, leading to remote code execution.
  2. Relative Path Traversal:
    • CVE-2024-22096, CVSS v3: 6.5
    • Allows attackers to read arbitrary files from the system.
  3. Local Privilege Escalation through Incorrect Permission Assignment for Critical Resource:
    • CVE-2024-22016, CVSS v3: 7.8
    • Any authenticated user may write directly to the Scada directory, facilitating privilege escalation.
  4. URL Redirection to Untrusted Site (‘Open Redirect’):
    • CVE-2024-21794, CVSS v3: 5.4
    • May allow open redirects through the login page, redirecting users to malicious webpages.
  5. Use of Hard-Coded Credentials:
    • CVE-2024-21764, CVSS v3: 9.8
    • The product employs hard-coded credentials, allowing unauthorized access.
  6. Plaintext Storage of a Password:
    • CVE-2024-21869, CVSS v3: 6.2
    • Stores plaintext credentials in various locations, risking exposure to attackers with local access.
  7. Generation of Error Message Containing Sensitive Information:
    • CVE-2024-21866, CVSS v3: 5.3
    • Responds with error messages containing sensitive data when receiving specific malformed requests.
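Items 1 and 2 share one root cause: a path taken from untrusted input (an archive entry name, a requested file name) is joined onto a base directory without checking that the result still lies inside it. The following is an added example, not Rapid SCADA code and not from the advisory, showing the containment check a defender would expect in archive extraction; the archive contents and the plugin directory name are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def is_contained(base_dir: str, candidate: str) -> bool:
    """True if candidate, joined onto base_dir, still resolves inside base_dir.

    The same check covers Zip Slip entry names (item 1) and user-supplied
    relative paths (item 2). realpath collapses '..' segments and symlinks;
    commonpath avoids the prefix bug where '/opt/scada2' matches '/opt/scada'.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay under dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names and drive letters would be joined away by os.path.join,
            # so reject them explicitly before the containment check.
            if os.path.isabs(name) or os.path.splitdrive(name)[0] or not is_contained(dest_dir, name):
                rejected.append(name)
                continue
            out_path = os.path.realpath(os.path.join(dest_dir, name))
            if name.endswith("/"):
                os.makedirs(out_path, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(out_path), exist_ok=True)
                with zf.open(info) as src, open(out_path, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one entry that tries to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugins/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "would land outside the plugin directory")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample into a fresh temp directory (hypothetical plugin dir)."""
    dest = tempfile.mkdtemp(prefix="scada_plugins_")
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    return {"dest": dest, "extracted": extracted, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Note that newer Python releases sanitize entry names inside `ZipFile.extract`, but an explicit containment check is the portable pattern to look for when reviewing archive handling in any language.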

Background:

  • Critical Infrastructure Sectors: Energy, Transportation
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Researcher: Noam Moshe of Claroty Research reported these vulnerabilities to CISA.

Mitigations: Rapid Software has not responded to CISA’s coordination attempts. Users are strongly advised to contact Rapid Software and update their Rapid SCADA systems. CISA recommends defensive measures such as minimizing network exposure, isolating control system networks, and using secure remote access methods like Virtual Private Networks (VPNs). Organizations are reminded to conduct impact analysis and risk assessment before implementing defensive measures.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03