WIN-911 2021
Monitor | 5.6 | ICS-CERT ICSA-22-053-03 | Feb 22, 2022
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
WIN-911 2021 R1 and R2 contain a file permission misconfiguration in the application installation directory. The installed folders and subfolders grant write access to unprivileged user groups. An attacker with a local user account could exploit this misconfiguration to write malicious files to the application directory. When WIN-911 is launched or restarted, it would execute the attacker's code with the application's permissions, allowing arbitrary code execution in the WIN-911 context.
What this means
What could happen
An attacker with local access and low privileges could modify files in the WIN-911 installation directory and run code with the application's permissions, potentially disrupting alarm and notification functions in a water or electric utility control environment.
Who's at risk
Water utilities and electric utilities using WIN-911 2021 R1 or R2 for alarm management, notification, and event handling in their SCADA or process monitoring systems. This affects administrators and operators whose engineering workstations or alarm servers run WIN-911.
How it could be exploited
An attacker with a local user account on the system running WIN-911 could write to misconfigured directories within the application installation folder. The attacker could replace or inject malicious code that executes when the WIN-911 application runs, gaining the same privileges as the WIN-911 process.
Prerequisites
- Local user account on the machine running WIN-911 2021 R1 or R2
- Write access to application installation directory due to misconfigured permissions
- Ability to replace or inject code files before application restart
- User interaction to launch or restart the application
- Low complexity exploitation
- No authentication required beyond local system access
- Requires user interaction (application restart)
- No public exploit available
- Not remotely exploitable
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
2021 R1: 5.21.10 | 5.21.10 | No fix yet
2021 R2: 5.21.17 | 5.21.17 | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Restrict user group write permissions to WIN-911 installation directories and subfolders
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Apply WIN-911 hotfix that removes write access for user group on affected directory subfolders
- HARDENING: Ensure WIN-911 application runs under a dedicated service account with minimal privileges, not under a standard user account
Long-term hardening
- HARDENING: Limit local user account access to systems running WIN-911 through host-based access controls
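To check the permission hardening step above, this added example (not part of the advisory or the vendor's hotfix) lists ACL entries in an installation tree that grant write-type rights to broad user groups. The `InstallDir` parameter is an assumption: the advisory does not give the installation path, so pass the one used on your host.

```powershell
# Added example, not vendor code. InstallDir is an assumption: the advisory
# does not state the WIN-911 installation path, so supply it for your host.
param([Parameter(Mandatory = $true)][string]$InstallDir)

# Well-known SIDs of broad, unprivileged groups (names vary by OS language).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a principal create, replace, delete or re-permission files.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits instead of named rights:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$GenericMask = 0x50000000

$items = @(Get-Item -LiteralPath $InstallDir -Force) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Ask for SIDs rather than names so matching does not depend on locale.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        $raw = [int]$rule.FileSystemRights
        if (($raw -band $WriteMask) -or ($raw -band $GenericMask)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Group     = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # False = ACE set directly on this item
            }
        }
    }
}

$findings | Sort-Object Path, Group | Format-Table -AutoSize -Wrap
if ($findings) { exit 1 }   # non-zero exit when any writable entry is found
```

Rows with `Inherited` set to `False` mark the folder where the permissive entry is defined, which is where it needs to be removed.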
CVEs (2)