CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.6%
--------- Begin Update A Part 1 of 3 ---------
--------- End Update A Part 1 of 3 ---------
This updated advisory is a follow-up to the advisory update titled ICSA-21-054-04 Ovarro TBox that was published March 23, 2021, to the ICS webpage on us-cert.cisa.gov. The original advisory was titled ICSA-21-054-04P Ovarro TBox and posted to the HSIN ICS library on February 23, 2021.
Successful exploitation of these vulnerabilities could result in remote code execution, which may cause a denial-of-service condition.
The following versions of TBox, a remote terminal unit (RTU), are affected:
The βipkβ package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in the TBox, allowing malicious code execution.
CVE-2021-22646 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file.
CVE-2021-22648 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker could use specially crafted invalid Modbus frames to crash the system.
CVE-2021-22642 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker can decrypt the login password by communication capture and brute force attacks.
CVE-2021-22640 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
TWinSoft uses the custom hardcoded user βTWinSoftβ with a hardcoded key.
CVE-2021-22644 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
--------- Begin Update A Part 2 of 3 ---------
An attacker may use TWinSoft and a malicious source project file (TPG) to extract files on machine executing TWinSoft, which could lead to code execution.
CVE-2021-22650 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
--------- End Update A Part 2 of 3 ---------
Uri Katz of Claroty reported these vulnerabilities to CISA.
--------- Begin Update A Part 3 of 3 ---------
Ovarro recommends affected users update to 12.5 or later of TWinSoft to mitigate these vulnerabilities.
--------- End Update A Part 3 of 3 ---------
The latest version can be found on www.ovarro.com in the customer support section (service portal).
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22640
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22640
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22642
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22644
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22646
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22648
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22650
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-advisories/icsa-21-054-04
cwe.mitre.org/data/definitions/23.html
cwe.mitre.org/data/definitions/321.html
cwe.mitre.org/data/definitions/400.html
cwe.mitre.org/data/definitions/522.html
cwe.mitre.org/data/definitions/732.html
cwe.mitre.org/data/definitions/94.html
gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ovarro.com%2F&data=04%7C01%7Cjason.barkley%40inl.gov%7C29f3754bc6dd4402ebab08d8c9c192cb%7C4cf464b7869a42368da2a98566485554%7C0%7C0%7C637481180553128328%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=07Ao1ku8s1EGvG5MrYmwHvnrYZU0VcfQ1W7LQaTmPPU%3D&reserved=0
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Ovarro%20TBox%20%28Update%20A%29+https://www.cisa.gov/news-events/ics-advisories/icsa-21-054-04
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01
us-cert.cisa.gov/ics/recommended-practices
us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-21-054-04&title=Ovarro%20TBox%20%28Update%20A%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-21-054-04
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Ovarro%20TBox%20%28Update%20A%29&body=www.cisa.gov/news-events/ics-advisories/icsa-21-054-04