CVE-2021-42699: 
AzeoTech DAQFactory vulnerability analysis and mitigation

The vulnerability (CVE-2021-42699) affects AzeoTech DAQFactory software, specifically versions 18.1 Build 2347 and prior. The vulnerability involves the transmission of cookie information in cleartext over HTTP, which was discovered and reported to CISA by Sharon Brizinov of Claroty (ICS Advisory).

The vulnerability is classified as CWE-319 (Cleartext Transmission of Sensitive Information). It has been assigned a CVSS v3.1 base score of 5.7 MEDIUM with the vector string AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The vulnerability specifically relates to the transmission of cookie information over unencrypted HTTP connections, making it susceptible to network traffic capture (ICS Advisory).

If exploited, this vulnerability allows attackers to capture network traffic, obtain user cookies, and potentially take over user accounts. This affects systems in critical infrastructure sectors including Critical Manufacturing, Energy, and Water and Wastewater Systems, primarily deployed in the United States and Europe (ICS Advisory).

AzeoTech planned a new release of DAQFactory for early 2022 to address this vulnerability. In the interim, CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet, locating control system networks and remote devices behind firewalls, and isolating them from the business network. When remote access is required, secure methods such as VPNs should be used, though VPNs should be kept updated due to their own potential vulnerabilities (ICS Advisory).