Subnet Solutions Inc. PowerSYSTEM Center

Plan PatchCVSS 7.5ICS-CERT ICSA-24-277-02Oct 1, 2024

Subnet SolutionsEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Subnet Solutions PowerSYSTEM Center versions 5.21.x and earlier contain multiple vulnerabilities (CVE-2020-28168, CVE-2023-45857, CVE-2021-3749) that allow remote attackers to bypass proxy controls, create denial-of-service conditions, or view sensitive HTTP headers and XSRF tokens used to prevent cross-site request forgery attacks. The vulnerabilities stem from server-side request forgery, insufficient rate limiting, and inadequate access controls on developer tools.

What this means

What could happen

An attacker could bypass the proxy to access internal resources, create a denial-of-service condition that stops PowerSYSTEM Center availability, or steal sensitive information like XSRF tokens and HTTP headers to manipulate operations.

Who's at risk

Energy sector operators using Subnet Solutions PowerSYSTEM Center for power system monitoring and control. This affects organizations running version 5.21.x or earlier of the 2020 product line.

How it could be exploited

An attacker with network access to PowerSYSTEM Center could exploit request forgery or server-side request forgery vulnerabilities to bypass the proxy (CVE-2020-28168, CVE-2023-45857), perform HTTP header inspection via browser developer tools (CVE-2023-45857, CVE-2021-3749), or send malformed requests to trigger a denial-of-service condition.

Prerequisites

Network access to PowerSYSTEM Center on the internet-facing interface or internal network
For CVE-2023-45857 and CVE-2021-3749, ability to interact with the PowerSYSTEM Center web interface and open browser developer tools

remotely exploitableno authentication requiredlow complexity attackproxy bypass possiblesensitive information disclosuredenial of service capability

Exploitability

Some exploitation risk — EPSS score 8.9%

Public Proof-of-Concept (PoC) on GitHub (4 repositories)

Affected products (1)

ProductAffected VersionsFix Status

PowerSYSTEM Center: <=PSC_2020_v5.21.x≤ PSC 2020 v5.21.x2020 Update 22

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict outbound connections from the PowerSYSTEM Center security zone to external websites to prevent proxy bypass exploitation

HARDENINGDisable browser Developer Tools (F12) access for PowerSYSTEM Center Client Access Server users to prevent viewing of HTTP headers and XSRF tokens

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PowerSYSTEM Center to 2020 Update 22 or later (access via Settings > Overview > Version or contact Subnet Solutions Customer Service)

Long-term hardening

0/1

HARDENINGPlace PowerSYSTEM Center behind a firewall and restrict network access to authorized hosts only

CVEs (3)

CVE-2020-28168 CVE-2021-3749 CVE-2023-45857

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/28c0c7ba-c912-46d7-9a8f-fb5daae09fc6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.