ICS Advisory

SUBNET PowerSYSTEM Center

Release Date
Alert Code
ICSA-23-166-01

1. EXECUTIVE SUMMARY

  • CVSS v3 6.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: SUBNET Solutions Inc.
  • Equipment: PowerSYSTEM Center
  • Vulnerabilities: Cross-site Scripting, Authentication Bypass by Capture-replay

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to upload malicious scripts or perform a denial-of-service type attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SUBNET PowerSYSTEM Center, a multi-function management platform, are affected:

  • PowerSYSTEM Center: 2020 U10 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications.

CVE-2023-32659 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L). 

3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity.

CVE-2023-29158 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

SUBNET Solutions reported these vulnerabilities to CISA.

4. MITIGATIONS

SUBNET Solutions has fixed these issues by enabling a file integrity check on uploaded images and anti-forgery tokens to prevent replay attacks. The fix was introduced in PowerSYSTEM Center update 12 as well as Update 8+Hotfix (both identified by release number 5.12.2305.10101, which can be located in Settings à Overview à Version).

SUBNET Solutions recommends users to follow the following workarounds:

  • Users should verify that SVG files do not contain HTML elements or scripts and validate that JPG and PNG files are not SVG files.
  • Users should verify network security rules to ensure that outbound connections to the internet are not possible.
  • If the above cannot be performed or notifications are not required, disable email notifications for reports from PowerSYSTEM Center.
  • Monitor user activity and ensure application control rules only allow preauthorized executables to run.
  • Deny users to run other executables on client access servers (PowerSYSTEM Center front end access point).

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

  • SUBNET Solutions Inc.