CVE-2023-29158

Summary

SUBNET PowerSYSTEM Center versions 2020 U10 and prior are vulnerable to replay attacks which may result in a denial-of-service condition or a loss of data integrity.

Affected Software

VendorProductVersion RangeStatus
SUBNET Solutions Inc.PowerSYSTEM Center0 <= 2020 U10affected

Weaknesses

  • CWE-294: CWE-294 Authentication Bypass by Capture-replay

Workarounds

SUBNET Solutions recommends users to follow the following workarounds:

  • Users should verify that SVG files do not contain HTML elements or scripts and validate that JPG and PNG files are not SVG files.
  • Users should verify network security rules to ensure that outbound connections to the internet are not possible.
  • If the above cannot be performed or notifications are not required, disable email notifications for reports from PowerSYSTEM Center.
  • Monitor user activity and ensure application control rules only allow preauthorized executables to run.
  • Deny users to run other executables on client access servers (PowerSYSTEM Center front end access point).

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References