Subnet Solutions Inc. PowerSYSTEM Center
Plan Patch | 7.8 | ICS-CERT ICSA-23-353-01 | Dec 19, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
PowerSYSTEM Center 2020 versions 5.0 through 5.16 contain an unquoted service path vulnerability in the pscagent.* service entries on the Device Communication Server. An attacker with local access to the DCS host could inject malicious code into the service path, which would execute with elevated privileges when the service starts or restarts, leading to arbitrary code execution and privilege escalation. This vulnerability does not affect remote access.
What this means
What could happen
An attacker with local access to the PowerSYSTEM Center Device Communication Server could execute arbitrary code and gain administrator privileges, allowing them to modify or stop energy management operations.
Who's at risk
Energy utility operators using PowerSYSTEM Center 2020 versions 5.0 through 5.16 should prioritize this issue. The vulnerability affects the Device Communication Server (DCS) that manages communications between the control center and field equipment. System administrators responsible for the DCS host machines need to apply mitigations immediately.
How it could be exploited
An attacker must first gain local access to the DCS host machine. They can then exploit the unquoted service path in the pscagent.* service registry entries to inject and execute malicious code with elevated privileges when the service restarts or runs.
Prerequisites
- Local access to the PowerSYSTEM Center Device Communication Server host
- Ability to write files to directories in the service path
- Service restart or reboot to trigger execution
- Local access required (not remotely exploitable)
- Requires user with local login privileges
- Unquoted service path is a known Windows privilege escalation technique
- No patch currently available (end-of-life product path unclear)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: PowerSYSTEM Center 2020
Affected Versions: ≥ v5.0.x | ≤ 5.16.x
Fix Status: Update 17 or later
Remediation & Mitigation
Do now
- WORKAROUND: Enable Application Allowlisting on all PowerSYSTEM Center DCS hosts to restrict executables to approved programs only
- WORKAROUND: Manually edit registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) to enclose pscagent.* ImagePath values in double quotes and restart the DCS host
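A read-only audit to run before and after the registry workaround above, as an added example that is not Subnet Solutions' or the advisory's own script. It assumes the affected service key names begin with `pscagent` (from the advisory's `pscagent.*`); the function names are illustrative.

```powershell
# Added example: lists pscagent* services whose ImagePath is unquoted and contains a space.
# Read-only: nothing is written to the registry.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$exePattern  = '^(?<exe>.+?\.exe)(?<args>\s.*)?$'   # executable path, then optional arguments

function Test-UnquotedImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $false }        # already quoted
    if ($p -match $exePattern) {
        return $Matches['exe'].Contains(' ')         # a space inside the executable path
    }
    return $p.Contains(' ')                          # no .exe found: flag for manual review
}

function Get-QuotedImagePath {
    param([string]$ImagePath)
    if ($ImagePath.Trim() -match $exePattern) {
        # Quote only the executable; arguments stay outside the quotes.
        return '"{0}"{1}' -f $Matches['exe'], $Matches['args']
    }
    return $null                                     # cannot split safely; edit by hand
}

Get-ChildItem -Path $servicesKey |
    Where-Object { $_.PSChildName -like 'pscagent*' } |   # assumption: key name prefix
    ForEach-Object {
        $prop = Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
        if (-not $prop) { return }                   # service key without an ImagePath
        $unquoted = Test-UnquotedImagePath $prop.ImagePath
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $prop.ImagePath
            Unquoted  = $unquoted
            Proposed  = if ($unquoted) { Get-QuotedImagePath $prop.ImagePath } else { $null }
        }
    } | Format-List
```

Get-ItemProperty shows ImagePath with environment variables already expanded; when editing the value by hand, keep the original REG_EXPAND_SZ type and any %VARIABLE% references.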
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade PowerSYSTEM Center 2020 to Update 17 or later
Long-term hardening
- HARDENING: Isolate PowerSYSTEM Center DCS hosts from the business network using firewalls and network segmentation
- HARDENING: Ensure PowerSYSTEM Center devices are not accessible from the internet
CVEs (1)