OTPulse

Digital Alert Systems DASDEC

Monitor · 4.7 · ICS-CERT ICSA-22-326-02 · Nov 22, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Digital Alert Systems DASDEC contains cross-site scripting and other vulnerabilities that could allow an attacker to craft malicious alerts. If exploited, the compromised DASDEC system would issue false emergency alerts to all connected broadcast and cable sites. CVE-2019-18265 is patched in Version 4.1 or later. CVE-2022-40204 is unfixed and the vendor has indicated a future patch will address it, but no timeline or version is specified. All versions prior to 4.1 lack the remediation for at least one of these vulnerabilities.

What this means
What could happen
An attacker could craft a malicious alert that causes the DASDEC system to issue false emergency alerts to connected broadcast or cable sites, disrupting normal operations and potentially causing public alarm.
Who's at risk
Broadcast and cable emergency alert operators who use Digital Alert Systems DASDEC (versions before 4.1) to distribute emergency alerts to multiple sites should prioritize this issue. This affects the reliability of the Emergency Alert System (EAS) or similar emergency notification infrastructure at any station or network operations center running vulnerable DASDEC versions.
How it could be exploited
An attacker with network access to the DASDEC system could send a specially crafted alert message (likely via the web interface, given the CWE-79 cross-site scripting classification). The compromised DASDEC system would then distribute false alerts to all connected broadcast and cable sites that rely on it for emergency alerting.
Prerequisites
  • Network access to DASDEC system (not internet-accessible if properly firewalled)
  • User interaction may be required (CWE-79 suggests XSS, which typically requires a user to click a link or visit a malicious page)
  • System must have broadcast or cable sites connected downstream
remotely exploitable · low complexity · no authentication required (likely) · XSS vulnerability (CWE-79) · affects critical alerting infrastructure · one CVE unpatched in current versions
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
DASDEC: <4.1 | <4.1 | 4.1
DASDEC: vers:all/* | All versions | 4.1
Remediation & Mitigation
Do now
HARDENING: Ensure DASDEC is not accessible from the Internet; firewall the device to allow connections only from authorized internal networks and broadcast/cable sites
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update DASDEC to Version 4.1 or later to remediate CVE-2019-18265
HOTFIX: Monitor for updates to DASDEC addressing CVE-2022-40204 (no patch currently available; check vendor website regularly)
HARDENING: Isolate the DASDEC system and all connected broadcast/cable alert distribution infrastructure on a separate network segment from business networks and general IT systems
HARDENING: If remote access to DASDEC is required for management or updates, use a VPN with current patches and strong authentication; document all remote access points
API: /api/v1/advisories/c0edda23-6957-4219-a034-822e24f9bb5c