Vulnerability in Update Process of StationScout and StationGuard < 2.21
------------------------------------------------------------------------

Security Advisory ID: OSA-5
Release Date: 2023-11-22
Revision: 1.1
OMICRON Product Security Team | security@omicronenergy.com

Summary
------------------------------------------------------------------------

A vulnerability has been identified in the firmware update process that allows a remote attacker to gain full control of the system. This can be achieved by utilizing a specially crafted firmware update file, which can inject malicious code and grant the attacker complete control over the targeted device.

Affected OMICRON Products
------------------------------------------------------------------------

This vulnerability affects the following OMICRON product(s):

> StationGuard Image 1.00.0048 on all platforms
> StationGuard Image 1.10.0056 on all platforms
> StationGuard Image 2.00.0068 on all platforms
> StationGuard Image 2.10.0073 on all platforms
> StationGuard Image 2.20.0080 on all platforms
> StationScout Image 1.00.0011 on all platforms
> StationScout Image 1.10.0017 on all platforms
> StationScout Image 1.15.0024 on all platforms
> StationScout Image 1.20.0056 on all platforms
> StationScout Image 1.30.0040 on all platforms
> StationScout Image 2.00.0056 on all platforms
> StationScout Image 2.10.0059 on all platforms
> StationScout Image 2.20.0063 on all platforms

Vulnerability Classification
------------------------------------------------------------------------

> CVE-2023-28610
> CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
> Base Score: 10
> Risk Class: Critical
> Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Security Advisory
------------------------------------------------------------------------

Mitigation:

OMICRON has released StationGuard device image version 2.21.0081 and StationScout device image version 2.21.0064 which address the issue and fix the vulnerability. It is strongly recommended that customers currently using the affected versions install the latest update available on the customer portal (registration required) as soon as possible to ensure the security of their system.

More information about StationGuard and StationScout, including the link to download them, can be found on
https://www.omicronenergy.com/en/products/stationguard/ and
https://www.omicronenergy.com/en/products/stationscout/

Acknowledgments
------------------------------------------------------------------------

Hendrik Schwartke (OpenSource Security GmbH)