Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks.
“These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses,” Bitsight researcher Pedro Umbelino said in a report published last week.
Making matters worse, the analysis found that thousands of ATGs are exposed to the internet, making them a lucrative target for malicious actors looking to stage disruptive and destructive attacks against gas stations, hospitals, airports, military bases, and other critical infrastructure facilities.
ATGs are sensor systems designed to monitor the level of a storage tank (e.g., a fuel tank) over a period of time with the goal of detecting leakage and tracking parameters. Exploitation of security flaws in such systems could therefore have serious consequences, including denial-of-service (DoS) and physical damage.
The newly discovered 11 vulnerabilities affect six ATG models, namely Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of the 11 flaws are rated critical in severity –
- CVE-2024-45066 (CVSS score: 10.0) – OS command injection in Maglink LX
- CVE-2024-43693 (CVSS score: 10.0) – OS command injection in Maglink LX
- CVE-2024-43423 (CVSS score: 9.8) – Hard-coded credentials in Maglink LX4
- CVE-2024-8310 (CVSS score: 9.8) – Authentication bypass in OPW SiteSentinel
- CVE-2024-6981 (CVSS score: 9.8) – Authentication bypass in Proteus OEL8000
- CVE-2024-43692 (CVSS score: 9.8) – Authentication bypass in Maglink LX
- CVE-2024-8630 (CVSS score: 9.4) – SQL injection in Alisonic Sibylla
- CVE-2023-41256 (CVSS score: 9.1) – Authentication bypass in Maglink LX (a duplicate of a previously disclosed flaw)
- CVE-2024-41725 (CVSS score: 8.8) – Cross-site scripting (XSS) in Maglink LX
- CVE-2024-45373 (CVSS score: 8.8) – Privilege escalation in Maglink LX4
- CVE-2024-8497 (CVSS score: 7.5) – Arbitrary file read in Franklin TS-550
“All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access,” Umbelino said. “The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it.”
Flaws Discovered in OpenPLC, Riello NetMan 204, and AJCloud
Security flaws have also been uncovered in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.
“By sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes, it's possible to write past the boundary of the allocated log_msg buffer and corrupt the stack,” Cisco Talos said. “Depending on the security precautions enabled on the host in question, further exploitation could be possible.”
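The trigger Talos describes (a well-formed ENIP encapsulation header, an unsupported command code, and at least 500 bytes in total) maps directly onto a network-monitoring check. The following is an added example, not OpenPLC or Talos code: it parses the 24-byte EtherNet/IP encapsulation header and flags frames matching that pattern; the set of known command codes is the one defined by the EtherNet/IP encapsulation specification, and the sample frames are constructed test data.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ENIP encapsulation header (little-endian): command, length, session handle,
# status, 8-byte sender context, options. Total size is 24 bytes.
ENIP_HEADER = struct.Struct("<HHII8sI")
HEADER_LEN = ENIP_HEADER.size

# Command codes defined by the EtherNet/IP encapsulation specification:
# NOP, ListServices, ListIdentity, ListInterfaces, RegisterSession,
# UnRegisterSession, SendRRData, SendUnitData.
KNOWN_COMMANDS = {0x0000, 0x0004, 0x0063, 0x0064, 0x0065, 0x0066, 0x006F, 0x0070}

# Size threshold quoted by Talos for CVE-2024-34026 (at least 500 total bytes).
SUSPICIOUS_TOTAL_LEN = 500


@dataclass
class EnipHeader:
    command: int
    length: int
    session: int
    status: int
    options: int


def parse_header(data: bytes) -> Optional[EnipHeader]:
    """Return the parsed header, or None if the bytes are not a well-formed ENIP frame."""
    if len(data) < HEADER_LEN:
        return None
    command, length, session, status, _ctx, options = ENIP_HEADER.unpack_from(data)
    # "Valid encapsulation header": the length field must match the trailing payload.
    if length != len(data) - HEADER_LEN:
        return None
    return EnipHeader(command, length, session, status, options)


def is_suspicious(data: bytes) -> bool:
    """Flag frames that match the overflow trigger pattern: a well-formed header,
    an unsupported command code, and a total frame size of 500 bytes or more."""
    hdr = parse_header(data)
    if hdr is None:
        return False
    return hdr.command not in KNOWN_COMMANDS and len(data) >= SUSPICIOUS_TOTAL_LEN


def build_frame(command: int, payload: bytes) -> bytes:
    """Build a constructed sample frame (test data, not captured traffic)."""
    return ENIP_HEADER.pack(command, len(payload), 0, 0, b"\x00" * 8, 0) + payload
```

Feeding `build_frame(0x0063, b"")` (a normal ListIdentity) and `build_frame(0x00FF, b"A" * 500)` (an oversized frame with an unknown command) to `is_suspicious` yields False and True respectively.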
Another set of security holes concern the Riello NetMan 204 network communications card used in its Uninterruptible Power Supply (UPS) systems that could enable malicious actors to take over control of the UPS and even tamper with the collected log data.
- CVE-2024-8877 – SQL injection in three API endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi that allows for arbitrary data modification
- CVE-2024-8878 – Unauthenticated password reset via the endpoint /recoverpassword.html that could be abused to obtain the netmanid from the device, from which the recovery code for resetting the password can be calculated
“Inputting the recovery code in ‘/recoverpassword.html’ resets the login credentials to admin:admin,” CyberDanube's Thomas Weber said, noting that this could grant the attacker the ability to hijack the device and turn it off.
Both vulnerabilities remain unpatched, necessitating that users restrict access to the devices in critical environments until a fix is made available.
Also of note are several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could lead to the exposure of sensitive user data and provide attackers with full remote control of any camera connected to the smart home cloud service.
“A built-in P2P command, which intentionally provides arbitrary write access to a key configuration file, can be leveraged to either permanently disable cameras or facilitate remote code execution through triggering a buffer overflow,” Elastic Security Labs said, stating its efforts to reach the Chinese company have been unsuccessful so far.
CISA Warns of Continued Attacks Against OT Networks
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged increased threats to internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.
“Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm,” CISA said.
Earlier this February, the U.S. government sanctioned six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.
These attacks involved targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords.
Industrial cybersecurity company Claroty has since open-sourced two tools called PCOM2TCP and PCOMClient that allow users to extract forensic information from Unitronics-integrated HMIs/PLCs.
“PCOM2TCP allows users to convert serial PCOM messages into TCP PCOM messages and vice versa,” it said. “The second tool, called PCOMClient, allows users to connect to their Unitronics Vision/Samba series PLC, query it, and extract forensic information from the PLC.”
Furthermore, Claroty has warned that the excessive deployment of remote access solutions within OT environments – anywhere between four and 16 – creates new security and operational risks for organizations.
“55% of organizations deployed four or more remote access tools that connect OT to the outside world, a worrisome percentage of companies that have expansive attack surfaces that are complex and expensive to manage,” it noted.
“Engineers and asset managers should actively pursue to eliminate or minimize the use of low-security remote access tools in the OT environment, especially those with known vulnerabilities or those lacking essential security features such as MFA.”