OTPulse

B&R Systems Diagnostics Manager

Monitor · CVSS 6.1 · ICS-CERT ICSA-23-068-02 · Mar 29, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

B&R Systems Diagnostics Manager (runtime versions >= 3.00 and <= C4.93) contains a cross-site scripting (XSS) vulnerability (CWE-79) that allows an attacker to execute arbitrary code within a user's browser session. Successful exploitation could lead to data exfiltration and unauthorized actions performed on behalf of the logged-in user.

What this means
What could happen
An attacker could inject malicious code into the Diagnostics Manager web interface to steal session credentials, alter system configuration, or exfiltrate operational data from manufacturing facilities using the SDM.
Who's at risk
Manufacturing facilities using B&R Systems Diagnostics Manager for plant diagnostics, monitoring, and control should evaluate this vulnerability. SDM is used to monitor and manage automation systems; compromise could affect visibility and control of production processes.
How it could be exploited
An attacker crafts a malicious hyperlink or embeds an XSS payload in web content, then tricks a user into clicking the link or visiting a page that references the SDM. The payload executes in the user's browser with the same privileges as the logged-in SDM user, allowing the attacker to capture credentials or modify settings.
Prerequisites
  • Network access to the SDM web interface
  • User must click a malicious link or visit attacker-controlled content
  • User must be authenticated to SDM or SDM must have default/weak authentication
  • remotely exploitable
  • requires user interaction (link click)
  • low complexity attack
  • affects plant diagnostics and monitoring systems
  • no patch available for versions >= 3.00 and <= C4.93
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
System Diagnostics Manager: runtime | ≥ 3.00 | No fix yet
System Diagnostics Manager: runtime | ≤ C4.93 | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Deactivate SDM when not in use to reduce attack surface
  • HARDENING: Block access to SDM from untrusted networks and disable clicking external hyperlinks to SDM interfaces
  • HARDENING: Deploy external Web Application Firewall in front of SDM to filter malicious input
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

  • HOTFIX: Update all SDM products to firmware version D4.93 or later
Long-term hardening
  • HARDENING: Isolate SDM and manufacturing control networks from the Internet and business networks using firewalls and network segmentation
  • HARDENING: Use VPN with strong authentication for any required remote access to SDM; ensure VPN software is kept current
B&R Systems Diagnostics Manager | CVSS 6.1 - OTPulse