PatchSiren cyber security CVE debrief
CVE-2023-45857 Subnet Solutions Inc. CVE debrief
CVE-2023-45857 is a medium-severity information disclosure vulnerability affecting Subnet Solutions Inc. PowerSYSTEM Center versions up to and including PSC_2020_v5.21.x. The vulnerability stems from the application's use of Axios 1.5.1, which inadvertently exposes the confidential XSRF-TOKEN cookie by including it in the HTTP X-XSRF-TOKEN header for every request made to any host. This behavior allows attackers to view sensitive cross-site request forgery tokens that should remain confidential. The CVSS 3.1 score of 6.5 reflects network attack vector, low attack complexity, no required privileges, user interaction required, unchanged scope, and high confidentiality impact with no integrity or availability impact. CISA published this advisory on October 1, 2024. The vendor has released PowerSYSTEM Center 2020 Update 22 to address this issue. For environments where immediate patching is not feasible, compensating controls include disabling previous UI extensions, limiting outbound connection requests from the PowerSYSTEM Center security zone to external websites, and restricting user access to browser developer tools to prevent observation and manipulation of HTTP headers containing the XSRF-TOKEN.
- Vendor: Subnet Solutions Inc.
- Product: PowerSYSTEM Center
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-01
- Original CVE updated: 2024-10-01
- Advisory published: 2024-10-01
- Advisory updated: 2024-10-01
Who should care
Organizations operating Subnet Solutions PowerSYSTEM Center for industrial control system management, particularly those in critical infrastructure sectors. Security teams responsible for OT/ICS environments, system administrators managing PowerSYSTEM Center deployments, and compliance officers tracking CISA ICS advisories should prioritize assessment and remediation.
Technical summary
PowerSYSTEM Center versions through PSC_2020_v5.21.x incorporate Axios 1.5.1, which automatically includes the XSRF-TOKEN cookie value in the X-XSRF-TOKEN HTTP header for all outbound requests. This implementation leaks the anti-CSRF token to arbitrary hosts, undermining the token's confidentiality property and potentially enabling cross-site request forgery attacks if the token is captured by malicious actors. The vulnerability requires user interaction (typically browsing to an attacker-controlled resource) but can be exploited over the network with low complexity.
Defensive priority
medium
Recommended defensive actions
- Update PowerSYSTEM Center to version 2020 Update 22 or later by accessing Settings > Overview > Version, or contact Subnet Solutions Customer Service for assistance
- If immediate patching is not possible, disable usage of previous UI extensions as a temporary mitigation
- Limit outbound connection requests from the PowerSYSTEM Center security zone to external websites to reduce exposure
- Disable PowerSYSTEM Center Client Access Server users' ability to access browser F12 Developer Tools to prevent observation and manipulation of HTTP headers containing XSRF-TOKEN
- Review and apply CISA's ICS recommended practices for defense-in-depth security controls
- Monitor network traffic for unexpected outbound requests containing X-XSRF-TOKEN headers from PowerSYSTEM Center systems
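The leak described in the technical summary and the monitoring action above, as an added example that is not code from the advisory, Subnet Solutions or Axios: a minimal model of the header-copying behaviour beside a same-origin guard, plus a check over egress log lines. The cookie jar, page origin, URLs and the key=value log format are constructed assumptions.

```javascript
// Added example, not code from the advisory, Subnet Solutions or Axios: a
// minimal model of the leak beside a same-origin guard, plus a log check.
// All cookie values, origins, URLs and log lines below are constructed.
const SAMPLE_COOKIES = 'session=abc123; XSRF-TOKEN=tok-9f8e7d'; // constructed

function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Vulnerable pattern: the cookie value is copied into the header for every
// request, whatever host it goes to, so any third-party URL receives the token.
function buildHeadersLeaky(requestUrl, cookieString) {
  const headers = {};
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Same-origin check: scheme, host and port of the target must match the page.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Hardened pattern: the header is attached only to same-origin requests.
function buildHeadersSafe(requestUrl, pageOrigin, cookieString) {
  const headers = {};
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token && isSameOrigin(requestUrl, pageOrigin)) headers['X-XSRF-TOKEN'] = token;
  return headers;
}

// Constructed egress-proxy log lines in a hypothetical key=value format.
const SAMPLE_LOG = [
  '2024-10-01T12:00:01Z src=10.0.0.5 url=https://psc.internal.example/api/status hdr=X-XSRF-TOKEN',
  '2024-10-01T12:00:02Z src=10.0.0.5 url=https://cdn.example.net/lib.js hdr=none',
  '2024-10-01T12:00:03Z src=10.0.0.5 url=https://third-party.example.org/img.png hdr=X-XSRF-TOKEN',
];

// Detection: flag requests carrying X-XSRF-TOKEN to any host other than the
// PowerSYSTEM Center origin; these are the "unexpected outbound requests".
function findTokenLeaks(logLines, pageOrigin) {
  const leaks = [];
  for (const line of logLines) {
    const m = /url=(\S+)\s+hdr=(\S+)/.exec(line);
    if (m && m[2].toUpperCase() === 'X-XSRF-TOKEN' && !isSameOrigin(m[1], pageOrigin)) leaks.push(m[1]);
  }
  return leaks;
}
```

Run under Node; the detection function is the part to adapt to a real proxy log format, the header logic shows what the Update 22 fix has to change.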
Evidence notes
The vulnerability description and affected product versions are derived from CISA's CSAF-formatted advisory ICSA-24-277-02. The advisory specifically identifies PowerSYSTEM Center versions <=PSC_2020_v5.21.x as affected and attributes the root cause to Axios 1.5.1's handling of XSRF tokens.
Official resources
- CVE-2023-45857 CVE record (CVE.org)
- CVE-2023-45857 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published advisory ICSA-24-277-02 on October 1, 2024, disclosing this vulnerability.