SUBNET PowerSYSTEM Center
1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: SUBNET Solutions Inc.
- Equipment: PowerSYSTEM Center
- Vulnerabilities: Cross-site Scripting, Authentication Bypass by Capture-replay
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to upload malicious scripts or perform a denial-of-service type attack.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SUBNET PowerSYSTEM Center, a multi-function management platform, are affected:
- PowerSYSTEM Center: 2020 U10 and prior
3.2 VULNERABILITY OVERVIEW
SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications.
SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity.
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Canada
SUBNET Solutions reported these vulnerabilities to CISA.
SUBNET Solutions has fixed these issues by enabling a file integrity check on uploaded images and anti-forgery tokens to prevent replay attacks. The fix was introduced in PowerSYSTEM Center update 12 as well as Update 8+Hotfix (both identified by release number 5.12.2305.10101, which can be located in Settings à Overview à Version).
SUBNET Solutions recommends users to follow the following workarounds:
- Users should verify that SVG files do not contain HTML elements or scripts and validate that JPG and PNG files are not SVG files.
- Users should verify network security rules to ensure that outbound connections to the internet are not possible.
- If the above cannot be performed or notifications are not required, disable email notifications for reports from PowerSYSTEM Center.
- Monitor user activity and ensure application control rules only allow preauthorized executables to run.
- Deny users to run other executables on client access servers (PowerSYSTEM Center front end access point).
CISA recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.