CVE-2023-6028 in Runtimeinfo

Summary

by MITRE • 02/05/2024

A reflected cross-site scripting (XSS) vulnerability exists in the SVG version of System Diagnostics Manager of B&R Automation Runtime versions <= G4.93 that enables a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/06/2024

The vulnerability identified as CVE-2023-6028 represents a critical reflected cross-site scripting flaw within the SVG implementation of B&R Automation Runtime's System Diagnostics Manager component. This security weakness affects versions up to and including G4.93, creating a significant attack surface that remote adversaries can exploit to compromise user browser sessions. The vulnerability manifests specifically within the SVG rendering functionality of the diagnostics manager, where user-supplied input is not properly sanitized before being reflected back to the browser context. This allows attackers to inject malicious JavaScript code that executes within the victim's browser session with the privileges of the authenticated user.

The technical exploitation of this vulnerability follows the standard reflected XSS attack pattern where an attacker crafts a malicious URL containing JavaScript payload and delivers it to a victim through social engineering or other means. When the victim clicks the malicious link, the SVG-based diagnostics manager processes the input without adequate sanitization, causing the browser to execute the injected script in the context of the current session. This creates a persistent threat where attackers can steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites. The vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links.

The operational impact of this vulnerability extends beyond simple script execution as it fundamentally compromises the integrity of user sessions within the automation environment. An attacker could leverage this vulnerability to gain unauthorized access to industrial control systems, potentially leading to operational technology disruptions or even physical safety hazards in critical infrastructure environments. The remote nature of the attack means that threat actors do not require physical access to the system or network, making the vulnerability particularly dangerous in industrial settings where network security may be less robust. Organizations using B&R Automation Runtime systems face significant risk of unauthorized access and potential compromise of their industrial control processes.

Mitigation strategies for CVE-2023-6028 should prioritize immediate patching of affected B&R Automation Runtime versions to the latest available releases that contain fixed SVG processing logic. Network administrators should implement strict input validation controls at the perimeter and consider implementing web application firewalls to filter suspicious requests targeting the diagnostics manager. Organizations should also conduct comprehensive security assessments of their industrial environments to identify potential secondary impacts from successful exploitation. The vulnerability demonstrates the importance of proper input sanitization in web-based industrial interfaces and highlights the need for robust security practices in operational technology environments where traditional web security measures may be insufficient. Additionally, implementing content security policies and disabling unnecessary SVG functionality can provide additional defense-in-depth measures against similar vulnerabilities in the future.

Reservation

11/08/2023

Disclosure

02/05/2024

Moderation

accepted

CPE

ready

EPSS

0.00368

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!