On October 3, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert about vulnerabilities affecting Subnet Solutions Inc.'s PowerSYSTEM Center. This equipment is vital in sectors such as critical manufacturing and energy, and the vulnerabilities can expose organizations to significant risks, including unauthorized access and potential denial-of-service attacks.
CVSS Score: 5.9
Details: This vulnerability arises from the use of Axios NPM package 0.21.0, enabling attackers to manipulate requests to bypass controls and access restricted hosts. The CVSS vector string classifies it as moderately dangerous due to its requirements for exploitation.
CVSS Score: 7.5
Details: This issue pertains to performance degradation due to inefficient regular expressions, which can affect application responses and resources, increasing the surface for denial-of-service attacks.
CVSS Score: 6.5
Details: Affected versions of PowerSYSTEM Center inadvertently expose the confidential XSRF-TOKEN through HTTP headers in requests. This could lead attackers to manipulate requests from authenticated users, exposing sensitive functionalities.
For further information on cybersecurity best practices and guidelines, refer to CISA’s resources, and consider signing up for regular updates to stay ahead in the ever-evolving field of cybersecurity.
Source: CISA Subnet Solutions Inc. PowerSYSTEM Center
1. Executive Summary
- CVSS score: 7.5
- Vulnerability types:
- Server-Side Request Forgery (SSRF)
- Inefficient Regular Expression Complexity
- Cross-Site Request Forgery (CSRF)
- Exploitation possibility: Potential for remote exploitation with low attack complexity.
2. Risk Evaluation
The identified vulnerabilities can enable attackers to bypass security measures designed to protect sensitive data. Such exploitation may lead to three significant issues:- Bypassing Proxies: Attackers can redirect traffic to internal resources, sidestepping firewall rules.
- Denial-of-Service Conditions: Exploitation can overwhelm services, leading to downtime.
- Access to Sensitive Information: Breach of confidentiality can expose critical data, risking both compliance and reputation.
3. Technical Details
3.1 Affected Products
The vulnerabilities primarily target:- PowerSYSTEM Center versions: PSC 2020 v5.21.x and prior
3.2 Vulnerability Overview
3.2.1 Server-Side Request Forgery (SSRF)
CVE-ID: CVE-2020-28168CVSS Score: 5.9
Details: This vulnerability arises from the use of Axios NPM package 0.21.0, enabling attackers to manipulate requests to bypass controls and access restricted hosts. The CVSS vector string classifies it as moderately dangerous due to its requirements for exploitation.
3.2.2 Inefficient Regular Expression Complexity
CVE-ID: CVE-2021-3749CVSS Score: 7.5
Details: This issue pertains to performance degradation due to inefficient regular expressions, which can affect application responses and resources, increasing the surface for denial-of-service attacks.
3.2.3 Cross-Site Request Forgery (CSRF)
CVE-ID: CVE-2023-45857CVSS Score: 6.5
Details: Affected versions of PowerSYSTEM Center inadvertently expose the confidential XSRF-TOKEN through HTTP headers in requests. This could lead attackers to manipulate requests from authenticated users, exposing sensitive functionalities.
3.3 Background Information
- Critical Infrastructure Sectors: Primarily impacts critical manufacturing and energy sectors.
- Deployment Areas: The product is used globally, with headquarters in Canada.
3.4 Reporting and Responsible Disclosures
Subnet Solutions Inc. proactively reported these vulnerabilities to CISA to mitigate risks and streamline the remediation process.4. Mitigations
Recommended Actions
- Update to PowerSYSTEM Center 2020 Update 22:
- Accessible via the settings menu (
Settings > Overview > Version). - A direct contact with Customer Service at Subnet Solutions Inc. is advisable for assistance.
- Accessible via the settings menu (
- Disabling Previous UI Extensions:
- Users should consider disabling any outdated UI extensions that may exploit vulnerabilities.
- Limit Outbound Network Requests:
- For vulnerabilities CVE-2020-28168 and CVE-2023-45857, restrict outbound connections to external resources.
- Restrict Developer Tools Access:
- Disable or limit access to the F12 Developer Tools to mitigate CSRF risks.
CISA Recommendations
- Minimize network exposure for control systems to prevent unauthorized internet access.
- Utilize firewalls and isolate control systems from business networks.
- For remote access, implement secure methods like VPNs, always updated to the latest versions.
5. Update History
The initial publication of these vulnerability findings and recommendations was made on October 3, 2024. Continuous monitoring and updates are crucial for maintaining cybersecurity resilience.Final Thoughts
Implementing the mitigations listed, along with staying informed about updates on vulnerabilities can significantly improve the security posture of organizations using the PowerSYSTEM Center. By proactively addressing potential weaknesses, companies can safeguard their critical infrastructures from emerging cyber threats.For further information on cybersecurity best practices and guidelines, refer to CISA’s resources, and consider signing up for regular updates to stay ahead in the ever-evolving field of cybersecurity.
Source: CISA Subnet Solutions Inc. PowerSYSTEM Center