-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Multiple 3rd Party Denial-of-Service Vulnerabilities in StationGuard and StationScout < 2.00
- ------------------------------------------------------------------------
Security Advisory ID: OSA-2
Release Date: 2023-11-22
Revision: 1.1
OMICRON Product Security Team | security@omicronenergy.com

Summary
- ------------------------------------------------------------------------
StationGuard device image 1.10.0056 and earlier and StationScout device image 1.30.0040 and earlier are affected by vulnerabilities in 3rd party components that may allow a remote attacker to cause a denial-of-service of the device. Specially crafted input (e.g., files or network packets) could crash a process; the process is restarted automatically, but the reliable operation of the device can be affected while the attack persists. For example, the affected services could prevent communication to and from StationGuard and StationScout, and StationGuard could miss alerts during that time.
Affected OMICRON Products
- ------------------------------------------------------------------------
> StationGuard Image 1.00.0048 on all platforms
> StationGuard Image 1.10.0056 on all platforms
> StationScout Image 1.00.0011 on all platforms
> StationScout Image 1.10.0017 on all platforms
> StationScout Image 1.15.0024 on all platforms
> StationScout Image 1.30.0040 on all platforms

Vulnerability Classification
- ------------------------------------------------------------------------
> CVE-2020-8265
> CWE-416: Use After Free
> Base Score: 8.1
> Risk Class: High
> Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

> CVE-2021-23840
> CWE-190: Integer Overflow or Wraparound
> Base Score: 7.5
> Risk Class: High
> Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

> CVE-2021-3449
> CWE-476: NULL Pointer Dereference
> Base Score: 5.9
> Risk Class: Medium
> Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

> CVE-2021-22930
> CWE-416: Use After Free
> Base Score: 7.5
> Risk Class: High
> Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

Security Advisory
- ------------------------------------------------------------------------
Mitigation:
OMICRON has released StationGuard device image version 2.00.0068 together with the Control Software version 2.0.69.0, and StationScout device image version 2.00.0056 together with desktop software version 2.0.82.0, which fix these vulnerabilities. It is strongly recommended that customers currently using the affected versions install the latest update available on the customer portal (registration required) as soon as possible to ensure the security of their system.

More information about StationGuard and StationScout, including the download link, can be found at https://www.omicronenergy.com/en/products/stationguard/ and https://www.omicronenergy.com/en/products/stationscout/

Workaround:
Always use the latest version of StationGuard and StationScout.
Furthermore, it is recommended to protect TCP port 20499 against unauthorized access via firewall rules and/or VPN solutions. Only import files from trusted sources into StationScout and StationGuard.

Acknowledgments
- ------------------------------------------------------------------------
None.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEkPJvkWGGIuqv8Qag8BT0uMcuyBgFAmVdlAEACgkQ8BT0uMcu
yBhgOw//YFmo4zYaJt+9JwYvT9tZrRvAJi4hb5vV/0So4R53jPZly8K8FoUJ8f6D
54rrqM5NnqSZAMywL8QBIMvzATmC/4y09ZB72wQfCkQZ7avgND4BWgojpvrukFHO
ZpoGJ5MdxRpAkO2OuhPyhg4SmReqMwhnMnurnZKcJkd6e3GOJqi/v0cx6MvhW/x5
Ipfg5YeqGww3xWNhJ9uhmOarjQm2XModwtEI18vJyBWvQj5qR3kHoBN9k/5JiIYr
XHZk43DAUDKUVj1sPUR3uG04HhB+tI81QyMPHXa2nV7EiuQNwnWw40lr4OJlQAwH
lBmdMGhPJ+SL/bqyK8TGzPeSlf33HNqk4C5tLTH34ZXe9JRtKgPxhMznqjYL+acs
u/yt0OiQ0Dwlsjwf6qLIaNHQmD29Grv4EgI0yw2tVZ/pDF9TbfOugybZmmD0UvCP
IYJA+k+QImzOnGN0mwxkMqV20kGYNRc5OgA3NZx0xTW5NAnoFRn9ndtSTeKt/VHa
pvUWxJz4r7qOijh1f6lxxj2TpXZGbRdV3GoBQ0WuAAXCnCZxPNMkzsbRlhVvLc33
JkiAYNk+y6ZdJ6HIPLQI9dMlVoeE7WgZFnLcGNC5o2JzBUxQreP+3Oi7JidL7wkC
QYKW8GAtW/15LoqbdN5jCMiadh3z/1k4zJ76REW4U9JseNG/R0w=
=iYRx
-----END PGP SIGNATURE-----