Delta Electronics InfraSuite Device Master

Plan PatchCVSS 9.8ICS-CERT ICSA-24-303-03Oct 29, 2024

Delta Electronics

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Delta Electronics InfraSuite Device Master versions 1.0.12 and earlier contain a deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on the device. The vulnerability requires only network access to the affected service; no authentication or user interaction is needed.

What this means

What could happen

An attacker can remotely take full control of the InfraSuite Device Master without credentials, potentially running arbitrary commands that could alter device configurations, disrupt communications with managed infrastructure devices, or exfiltrate sensitive configuration data.

Who's at risk

Water authorities and municipal utilities using Delta Electronics InfraSuite Device Master for remote infrastructure device management, including those managing PLCs, RTUs, and distributed IO devices across multiple facility locations.

How it could be exploited

An attacker with network access to the InfraSuite Device Master can send a specially crafted message containing malicious serialized objects that the device deserializes without validation. The device then executes the attacker's code with full privileges, giving the attacker complete control of the device and any systems it manages.

Prerequisites

Network access to the InfraSuite Device Master service port
No authentication credentials required
No user interaction required

Remotely exploitableNo authentication requiredLow complexityHigh CVSS (9.8)Deserialization vulnerabilityAffects device management infrastructure

Exploitability

Some exploitation risk — EPSS score 1.5%

Affected products (1)

ProductAffected VersionsFix Status

InfraSuite Device Master: <=1.0.12≤ 1.0.121.0.13

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the InfraSuite Device Master to only authorized management networks; block all direct internet access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate InfraSuite Device Master to version 1.0.13 or later

HARDENINGIf remote access to the Device Master is required, route it through a VPN concentrator and keep the VPN software updated to the latest version

Long-term hardening

0/1

HARDENINGIsolate the InfraSuite Device Master on a separate network segment behind a firewall, preventing direct access from your business network

CVEs (1)

CVE-2024-10456

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/faef29e3-a6f5-4597-a93c-c8d227f9e61f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.