CVE-2023-28384
📋 TL;DR
This vulnerability allows authenticated users in mySCADA myPRO systems to inject arbitrary operating system commands through vulnerable parameters. It affects industrial control systems using mySCADA myPRO versions 8.26.0 and earlier, potentially allowing attackers to execute commands with the privileges of the application.
💻 Affected Systems
- mySCADA myPRO
📦 What is this software?
myPRO by mySCADA
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with application privileges, potentially leading to complete control of the SCADA system, disruption of industrial processes, or lateral movement to other systems.
Likely Case
Authenticated attackers gaining command execution capabilities to steal sensitive data, modify system configurations, or disrupt SCADA operations.
If Mitigated
Limited impact if proper network segmentation, least privilege access controls, and command validation are implemented, restricting the blast radius.
🎯 Exploit Status
Exploitation requires authenticated access but command injection vulnerabilities are typically straightforward to exploit once authentication is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.26.1 or later
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06
Restart Required: Yes
Instructions:
1. Download the latest version from mySCADA official sources.
2. Back up the current configuration and data.
3. Install the update following vendor instructions.
4. Restart the myPRO service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate myPRO systems from untrusted networks and implement strict firewall rules.
Access Control Hardening
Implement strong authentication, multi-factor authentication, and least privilege access controls.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-supplied parameters
- Deploy application-level firewalls or WAFs with command injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check the myPRO version in the application interface or configuration files. Versions 8.26.0 and earlier are vulnerable.
Check Version:
Check the application interface or configuration files for version information
Verify Fix Applied:
Verify the version is 8.26.1 or later and test parameter inputs for command injection attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns
- Multiple failed authentication attempts followed by successful login
- Suspicious parameter values containing shell metacharacters
Network Indicators:
- Unexpected outbound connections from myPRO systems
- Traffic to unusual ports or IP addresses
SIEM Query:
source="myPRO" AND (event_type="command_execution" OR parameter="*;*" OR parameter="*|*" OR parameter="*`*" OR parameter="*$(*" OR parameter="*&*" OR parameter="*>*" OR parameter="*<*")
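The same two log indicators (shell metacharacters in parameter values, and a burst of failed logins followed by a success) implemented as a stand-alone detector, as an added example that is not part of this advisory or of any mySCADA tooling. The key=value log format and the sample lines are constructed assumptions; real myPRO logs will need their own parser.

```python
import re
from collections import defaultdict

# Metacharacter set taken from the SIEM query above: ; | ` $( & > <
METACHAR_RE = re.compile(r"[;|`&<>]|\$\(")
# key=value tokens, with optional double-quoted values (assumed log layout)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events, not real myPRO output
SAMPLE_LOGS = """\
ts=2024-01-01T10:00:01 source=myPRO user=operator event_type=login result=failure src=10.0.0.5
ts=2024-01-01T10:00:03 source=myPRO user=operator event_type=login result=failure src=10.0.0.5
ts=2024-01-01T10:00:05 source=myPRO user=operator event_type=login result=failure src=10.0.0.5
ts=2024-01-01T10:00:07 source=myPRO user=operator event_type=login result=success src=10.0.0.5
ts=2024-01-01T10:00:09 source=myPRO user=operator event_type=request parameter="tag1;id" src=10.0.0.5
ts=2024-01-01T10:00:11 source=myPRO user=viewer event_type=request parameter="tag2" src=10.0.0.9
ts=2024-01-01T10:00:13 source=myPRO user=viewer event_type=request parameter="tag2$(x)" src=10.0.0.9
"""


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(log_text, fail_threshold=3):
    """Return (rule, ts, user, detail) tuples for every event that matches a rule."""
    alerts = []
    failures = defaultdict(int)  # consecutive login failures per (user, src)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("source") != "myPRO":
            continue
        if ev.get("event_type") == "login":
            key = (ev.get("user"), ev.get("src"))
            if ev.get("result") == "failure":
                failures[key] += 1
            elif ev.get("result") == "success":
                if failures[key] >= fail_threshold:
                    alerts.append(("failed_logins_then_success", ev["ts"], key[0], failures[key]))
                failures[key] = 0  # a success ends the streak either way
        param = ev.get("parameter")
        if param and METACHAR_RE.search(param):
            alerts.append(("shell_metachar_in_parameter", ev["ts"], ev.get("user"), param))
        if ev.get("event_type") == "command_execution":
            alerts.append(("command_execution", ev["ts"], ev.get("user"), ev.get("parameter")))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The metacharacter rule will also fire on legitimate values that contain `&` or `<`; tune the threshold and the character set to the parameters your deployment actually accepts before paging on it.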