Delta Electronics InfraSuite Device Master

By Arthur Yamamoto on December 7, 2023

Executive summary

On Tuesday, November 28, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-23-331-01) regarding multiple vulnerabilities in Delta Electronics’ InfraSuite Device Master software. InfraSuite Device Master allows a user to simplify and automate critical device monitoring. It enables users to observe the status of all devices and query event logs or history data, and it assists users in taking appropriate action. The vulnerabilities mentioned are Path Traversal, Deserialization of Untrusted Data, and an Exposed Dangerous Method or Function. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and obtain plaintext credentials remotely. Researchers working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

Background

On Tuesday, November 28, 2023, hir0ot and Piotr Bazydlo, working with Trend Micro Zero Day Initiative, reported multiple vulnerabilities in Delta Electronics’ InfraSuite Device Master software to CISA. The following Delta Electronics products are affected:

InfraSuite Device Master: Versions 1.0.7 and prior

The vulnerabilities identified were Path Traversal, Deserialization of Untrusted Data, and an Exposed Dangerous Method or Function. Each vulnerability was assigned a Common Vulnerabilities and Exposures (CVE) number: CVE-2023-46690, CVE-2023-47207, and CVE-2023-39226, respectively. The software is used worldwide in numerous services and sectors, most notably Critical Manufacturing.

 

Vulnerabilities

CVE-2023-46690 represents the path traversal vulnerability, allowing attackers to traverse the file system to access files or directories outside the restricted directory. The software uses external input to construct a pathname that should stay within a restricted directory, but it does not correctly sanitize ‘.../...//’ sequences, which can resolve to a location beyond that restricted directory. This vulnerability allows an attacker to write to any file in any filesystem location, which could lead to remote code execution.
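The following added example (not code from the advisory or from Delta Electronics) shows why a ‘.../...//’ sequence defeats a filter that strips ‘../’ in a single pass, next to a check that canonicalizes the path first and then verifies containment. The base directory, the sample input, and the function names are assumptions made for illustration.

```python
import posixpath

BASE_DIR = "/srv/app/uploads"  # constructed restricted directory (assumption)
# Constructed sample input built from the '.../...//' sequence named above.
SAMPLE = ".../...//" * 3 + "tmp/out.txt"


def naive_sanitize(name: str) -> str:
    """Assumed weak filter: strips '../' in one pass and never re-checks."""
    return name.replace("../", "")


def naive_resolve(name: str) -> str:
    """Weak pattern: filter first, then join and let the path be normalized."""
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_sanitize(name)))


def safe_resolve(name: str) -> str:
    """Hardened pattern: canonicalize the joined path, then check containment.

    Lexical only so the example is deterministic; against a real filesystem
    use os.path.realpath so symlinks are resolved before the check.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(
        posixpath.join(BASE_DIR, name.replace("\\", "/"))
    )
    # commonpath compares whole components, so '/srv/app/uploads_x' fails too.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes {BASE_DIR}: {name!r}")
    return candidate


if __name__ == "__main__":
    print("filter output :", naive_sanitize(".../...//"))
    print("naive resolve :", naive_resolve(SAMPLE))
    print("safe, literal :", safe_resolve(SAMPLE))
    for attempt in ("reports/a.csv", "../../../tmp/out.txt"):
        try:
            print("safe resolve  :", safe_resolve(attempt))
        except ValueError as exc:
            print("rejected      :", exc)
```

Because the hardened function never rewrites the input, the three-dot components stay ordinary directory names inside the base directory, while any path that resolves outside it is rejected.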

CVE-2023-47207 identifies a deserialization of untrusted data vulnerability. Deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security. In this case, the software deserializes untrusted data without sufficiently verifying that the resulting data will be valid, which allows an unauthenticated attacker to execute code with local administrator privileges.

Lastly, CVE-2023-39226 describes an Exposed Dangerous Method or Function. The software interface includes a dangerous method or function that is not properly restricted. This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. Here, an unauthenticated attacker can execute arbitrary code through a single UDP packet.

 

Significance

Malicious code execution can allow an attacker to gain access to the system and expose other systems, sensitive data, and valuable information assets, and it could potentially open the door to privilege escalation. Delta Electronics recommends updating its software to v1.0.10 or later. CISA also recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not internet accessible. 

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

References

Common weakness enumeration. CWE. (n.d.-a). https://cwe.mitre.org/data/definitions/35.html 

Common weakness enumeration. CWE. (n.d.-b). https://cwe.mitre.org/data/definitions/502.html 

Common weakness enumeration. CWE. (n.d.-c). https://cwe.mitre.org/data/definitions/749.html 

Delta Electronics infrasuite device master: CISA. Cybersecurity and Infrastructure Security Agency CISA. (2023, November 28). https://www.cisa.gov/news-events/ics-advisories/icsa-23-331-01