NSA GRASSMARLIN Vulnerable to Information Disclosure via XML External Entity Reference
A vulnerability has been identified in **NSA GRASSMARLIN** that could allow attackers to disclose sensitive information. The vulnerability stems from Improper Restriction of XML External Entity Reference (XXE). The **Cybersecurity and Infrastructure Security Agency (CISA)** has released an advisory detailing the issue and recommending mitigation steps.
### Vulnerability Details
* **Affected Software:** NSA GRASSMARLIN, all versions (vers:all/*)
* **CVSS v3 Score:** 5.5
* **Vulnerability:** Improper Restriction of XML External Entity Reference
The vulnerability, if successfully exploited, could allow an attacker to disclose sensitive information.
### Background
* **Critical Infrastructure Sectors:** Information Technology
* **Countries/Areas Deployed:** Worldwide
* **Company Headquarters Location:** United States
### Recommended Mitigations
**CISA** recommends users take the following defensive measures to minimize the risk of exploitation:
* Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (**VPNs**), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
* Organizations should perform proper impact analysis and risk assessment prior to deploying defensive measures.
**CISA** also provides a section of recommended practices for control systems security on the ICS webpage at cisa.gov/ics. Several **CISA** products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
**CISA** encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to **CISA** for tracking and correlation against other incidents.
**CISA** also recommends users take the following measures to protect themselves from social engineering attacks:
* Do not click web links or open attachments in unsolicited email messages.
* Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
* Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to **CISA** at this time.
### Acknowledgements
**Grady DeRosa** reported this vulnerability to **CISA**.