OTPulse

Digital Alert Systems DASDEC

MonitorCVSS 4.7ICS-CERT ICSA-22-326-02Nov 22, 2022
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Digital Alert Systems DASDEC contains cross-site scripting and other vulnerabilities that could allow an attacker to craft malicious alerts. If exploited, the compromised DASDEC system would issue false emergency alerts to all connected broadcast and cable sites. CVE-2019-18265 is patched in Version 4.1 or later. CVE-2022-40204 is unfixed and the vendor has indicated a future patch will address it, but no timeline or version is specified. All versions prior to 4.1 lack the remediation for at least one of these vulnerabilities.

What this means
What could happen
An attacker could craft a malicious alert that causes the DASDEC system to issue false emergency alerts to connected broadcast or cable sites, disrupting normal operations and potentially causing public alarm.
Who's at risk
Broadcast and cable emergency alert operators who use Digital Alert Systems DASDEC (versions before 4.1) to distribute emergency alerts to multiple sites should prioritize this issue. This affects the reliability of the Emergency Alert System (EAS) or similar emergency notification infrastructure at any station or network operations center running vulnerable DASDEC versions.
How it could be exploited
An attacker with network access to the DASDEC system could send a specially crafted alert message (likely via web interface due to CWE-79 cross-site scripting). The compromised DASDEC system would then distribute false alerts to all connected broadcast and cable sites that rely on it for emergency alerting.
Prerequisites
  • Network access to DASDEC system (not internet-accessible if properly firewalled)
  • User interaction may be required (CWE-79 suggests XSS, which typically requires a user to click a link or visit a malicious page)
  • System must have broadcast or cable sites connected downstream
remotely exploitablelow complexityno authentication required (likely)XSS vulnerability (CWE-79)affects critical alerting infrastructureone CVE unpatched in current versions
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
DASDEC: <4.1<4.14.1
DASDEC: vers:all/*All versions4.1
Remediation & Mitigation
0/5
Do now
0/1
HARDENINGEnsure DASDEC is not accessible from the Internet; firewall the device to allow connections only from authorized internal networks and broadcast/cable sites
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

HOTFIXUpdate DASDEC to Version 4.1 or later to remediate CVE-2019-18265
HOTFIXMonitor for updates to DASDEC addressing CVE-2022-40204 (no patch currently available; check vendor website regularly)
HARDENINGIsolate the DASDEC system and all connected broadcast/cable alert distribution infrastructure on a separate network segment from business networks and general IT systems
HARDENINGIf remote access to DASDEC is required for management or updates, use a VPN with current patches and strong authentication; document all remote access points
View full CISA ICS-CERT advisory
API: /api/v1/advisories/c0edda23-6957-4219-a034-822e24f9bb5c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Digital Alert Systems DASDEC | CVSS 4.7 - OTPulse