Brief
Summary:
Vulnerability Alert: EFACEC UC 500E HMI
A total of four vulnerabilities have been identified in the EFACEC UC 500E Human-Machine Interface (HMI), which could allow an attacker to retrieve sensitive information, gain unauthorized access, or redirect users to malicious websites. The vulnerabilities include:
1. Cleartext Transmission of Sensitive Information (CVSS v3 score: 6.3)
2. Open Redirect (CVSS v3 score: 4.3)
3. Exposure of Sensitive Information to an Unauthorized Actor (CVSS v3 score: 5.3)
4. Improper Access Control (CVSS v3 score: 4.1)
These vulnerabilities affect the UC 500E version 10.1.0 and have been assigned CVE-2023-50703, CVE-2023-50704, CVE-2023-50705, and CVE-2023-50706. Aarón Flecha Menéndez of S21sec reported these vulnerabilities to CISA.
CISA recommends the following mitigations:
Minimize network exposure and use firewalls to isolate control systems
Use secure remote access methods, such as Virtual Private Networks (VPNs)
Perform impact analysis and risk assessment prior to deploying defensive measures
Implement recommended cybersecurity strategies for proactive defense of ICS assets
No known public exploitation of these vulnerabilities has been reported at this time. EFACEC has released UC 500E version 10.1.1 to mitigate these vulnerabilities.
