CVE-2023-22807
Description
LS ELECTRIC XBC-DN32U PLC with OS v01.80 has missing authentication and improper access control in its XGT protocol, allowing remote takeover of the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LS ELECTRIC XBC-DN32U PLC running operating system version 01.80 exposes multiple vulnerabilities through its internal XGT protocol, as described by CISA [1]. The device is missing authentication for critical functions (CWE-306), which allows arbitrary mode changes (CVE-2023-22803) and creation of new users with elevated privileges (CVE-2023-22804) [1]. Additionally, improper access control (CWE-284) on the read prohibition feature (CVE-2023-22805) and cleartext transmission of sensitive information (CWE-319) allow an attacker to lock users out of reading data and obtain credentials [1]. The specific XBC-DN32U model with OS version 01.80 is affected [1].
Exploitation
An attacker can exploit these vulnerabilities remotely over the network with low attack complexity and no required authentication or user interaction [1]. By sending specially crafted packets over the XGT protocol to the PLC, the attacker can invoke critical functions that lack authentication [1]. The attacker can then change the PLC's operating mode arbitrarily (e.g., stop execution or switch to programming mode) or create new user accounts to gain persistent control [1]. Furthermore, the lack of access control on the read prohibition feature allows the attacker to remotely disable read access, while cleartext transmission of credentials permits interception and reuse [1].
Impact
Successful exploitation of these vulnerabilities enables an attacker to take complete control of the PLC [1]. The attacker can stop the PLC, modify logic code, lock legitimate users out from reading data, and obtain credentials for persistence [1]. A denial-of-service condition can also be created [1]. The CVSS v3 base scores for the individual vulnerabilities range from 7.5 to 9.8, indicating critical severity with potential for high impact on integrity and availability [1].
Mitigation
LS ELECTRIC has not released a firmware update as of the publication date (2023-02-15) [1]. The CISA advisory recommends that users minimize network exposure for control devices, ensure they are not accessible from the internet, and place them behind firewalls isolated from business networks [1]. If remote access is required, VPNs with strong authentication and encryption should be used [1]. Organizations should also perform regular assessments of their ICS networks and review the ICS-CERT recommended practices [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 01.80
- (no CPE) range: Operating System Version 01.80
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions
No linked articles in our index yet.