Six different automatic tank gauge (ATG) systems from five manufacturers have been found to contain critical security vulnerabilities that could expose them to remote attacks.
“These vulnerabilities pose a significant real-world risk as they can be exploited by attackers to cause widespread damage, including physical damage, environmental hazards, and economic losses,” Bitsight researcher Pedro Umbelino said in a report published last week.
To make matters worse, the analysis found that thousands of ATGs are exposed to the Internet, making them a lucrative target for attackers looking to launch disruptive attacks on gas stations, hospitals, airports, military bases and other critical infrastructure.
ATGs are sensor systems that monitor the level of a storage tank (such as a fuel tank) over time in order to detect leaks and track related parameters. Exploiting security flaws in such systems can have serious consequences, including denial-of-service (DoS) conditions and physical damage.
The 11 newly discovered vulnerabilities affect six ATG models, namely Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla and Franklin TS-550. Eight of the 11 flaws are rated critical in severity (CVSS 9.0 or higher):
- CVE-2024-45066 (CVSS score: 10.0) – OS command injection in Maglink LX
- CVE-2024-43693 (CVSS score: 10.0) – OS command injection in Maglink LX
- CVE-2024-43423 (CVSS score: 9.8) – Hardcoded credentials in Maglink LX4
- CVE-2024-8310 (CVSS score: 9.8) – Authentication bypass in OPW SiteSentinel
- CVE-2024-6981 (CVSS score: 9.8) – Authentication bypass in Proteus OEL8000
- CVE-2024-43692 (CVSS score: 9.8) – Authentication bypass in Maglink LX
- CVE-2024-8630 (CVSS score: 9.4) – SQL injection in Alisonic Sibylla
- CVE-2023-41256 (CVSS score: 9.1) – Authentication bypass in Maglink LX (duplicate of previously discovered bug)
- CVE-2024-41725 (CVSS score: 8.8) – Cross-site scripting (XSS) in Maglink LX
- CVE-2024-45373 (CVSS score: 8.8) – Privilege escalation in Maglink LX4
- CVE-2024-8497 (CVSS score: 7.5) – Arbitrary file read in Franklin TS-550
“All of these vulnerabilities allow full administrator rights to the device application and, some of them, full access to the operating system,” Umbelino said. “The most damaging attack is to force devices to operate in a way that could cause physical damage to their components or to components connected to them.”
Vulnerabilities found in OpenPLC, Riello NetMan 204 and AJCloud
The open source OpenPLC project was also found to be affected by security flaws, including a critical stack-based buffer overflow (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.
“Sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes can write beyond the allocated log_msg buffer and corrupt the stack,” Cisco Talos said. “Depending on the security measures enabled on the host in question, further exploitation may be possible.”
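The quoted trigger describes a classic unchecked write: a fixed-size log buffer receives a formatted copy of an attacker-controlled request. The following C program is an added illustration of that bug class and its fix, not OpenPLC's code and not Talos' proof of concept. It parses the 24-byte EtherNet/IP encapsulation header, rejects truncated or inconsistent frames, and places an sprintf-based hex dump into a 1000-byte log_msg beside a bounded snprintf version. The buffer size, the log format, the filler payload and the 600-byte sample request are assumptions chosen for the demonstration; the real threshold and layout in OpenPLC are not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENIP_HDR_LEN 24    /* EtherNet/IP encapsulation header: command, length, session, status, context, options */
#define LOG_MSG_SIZE 1000  /* ASSUMED size of the on-stack log buffer; not taken from OpenPLC */

/* Encapsulation command codes defined by the EtherNet/IP specification. */
enum { ENIP_NOP = 0x0000, ENIP_LIST_SERVICES = 0x0004, ENIP_LIST_IDENTITY = 0x0063,
       ENIP_LIST_INTERFACES = 0x0064, ENIP_REGISTER_SESSION = 0x0065, ENIP_UNREGISTER = 0x0066,
       ENIP_SEND_RR_DATA = 0x006F, ENIP_SEND_UNIT_DATA = 0x0070 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Read the little-endian command and length fields; "valid" means the header is complete
 * and its length field matches the payload actually received (other fields are not needed here). */
bool enip_parse_header(const uint8_t *buf, size_t len, uint16_t *command, uint16_t *length)
{
    if (len < ENIP_HDR_LEN) return false;
    *command = rd16(buf);
    *length  = rd16(buf + 2);
    return (size_t)*length == len - ENIP_HDR_LEN;
}

static bool enip_command_supported(uint16_t cmd)
{
    switch (cmd) {
    case ENIP_NOP: case ENIP_LIST_SERVICES: case ENIP_LIST_IDENTITY: case ENIP_LIST_INTERFACES:
    case ENIP_REGISTER_SESSION: case ENIP_UNREGISTER: case ENIP_SEND_RR_DATA: case ENIP_SEND_UNIT_DATA:
        return true;
    default:
        return false;
    }
}

static const char LOG_PREFIX[] = "Unsupported ENIP command, raw request: ";

/* Bytes the unbounded formatting below writes: prefix, "xx " per request byte, and a NUL. */
size_t enip_unbounded_log_bytes(size_t request_len)
{
    return (sizeof LOG_PREFIX - 1) + 3 * request_len + 1;
}

/* VULNERABLE pattern (never call it with untrusted input): sprintf hex-dumps the whole request
 * into a fixed stack buffer, so any request whose dump exceeds LOG_MSG_SIZE smashes the stack. */
void enip_log_unsupported_unsafe(const uint8_t *buf, size_t len)
{
    char log_msg[LOG_MSG_SIZE];
    int n = sprintf(log_msg, "%s", LOG_PREFIX);
    for (size_t i = 0; i < len; i++)
        n += sprintf(log_msg + n, "%02x ", buf[i]);   /* no check against the buffer size */
    puts(log_msg);
}

/* HARDENED: every write is bounded by the space left, and the dump is truncated instead. */
size_t enip_log_unsupported_safe(const uint8_t *buf, size_t len, char *log_msg, size_t log_size)
{
    size_t n = (size_t)snprintf(log_msg, log_size, "%s", LOG_PREFIX);
    if (n >= log_size) return log_size - 1;                  /* even the prefix was cut */
    for (size_t i = 0; i < len && n + 4 <= log_size; i++)    /* room for "xx " plus NUL */
        n += (size_t)snprintf(log_msg + n, log_size - n, "%02x ", buf[i]);
    return n;
}

/* Dispatch: 0 = supported command, -1 = malformed header, -2 = unsupported (logged, bounded). */
int enip_handle_request(const uint8_t *buf, size_t len, char *log_msg, size_t log_size)
{
    uint16_t cmd, plen;
    if (!enip_parse_header(buf, len, &cmd, &plen)) return -1;
    if (enip_command_supported(cmd)) return 0;
    enip_log_unsupported_safe(buf, len, log_msg, log_size);
    return -2;
}

/* Constructed sample: a well-formed header carrying `cmd` plus `data_len` filler bytes,
 * run through the bounded handler; returns the status and reports the resulting log length. */
int enip_demo(uint16_t cmd, uint16_t data_len, size_t *log_len)
{
    uint8_t req[2048] = {0};
    char log_msg[LOG_MSG_SIZE] = "";
    size_t len = ENIP_HDR_LEN + data_len;
    if (len > sizeof req) return -1;
    req[0] = (uint8_t)cmd;      req[1] = (uint8_t)(cmd >> 8);
    req[2] = (uint8_t)data_len; req[3] = (uint8_t)(data_len >> 8);
    memset(req + ENIP_HDR_LEN, 0x41, data_len);
    int status = enip_handle_request(req, len, log_msg, sizeof log_msg);
    if (log_len) *log_len = strlen(log_msg);
    return status;
}

size_t enip_demo_log_len(uint16_t cmd, uint16_t data_len)
{
    size_t n = 0;
    enip_demo(cmd, data_len, &n);
    return n;
}

int main(void)
{
    size_t log_len = 0;
    int status = enip_demo(0x1234, 600 - ENIP_HDR_LEN, &log_len);  /* 600-byte request, bogus command */
    printf("unbounded dump would need %zu bytes (buffer is %d); bounded handler: status %d, log %zu bytes\n",
           enip_unbounded_log_bytes(600), LOG_MSG_SIZE, status, log_len);
    return 0;
}
```

With the assumed sizes, a 600-byte request needs 1,840 bytes of log space in the unbounded version, well past the 1,000-byte buffer, while the bounded version stops at 999 characters and returns an error code instead of corrupting the stack. The length check in enip_parse_header is the other half of the fix: it refuses frames whose header claims a payload size that does not match what arrived.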
Another set of security holes concerns the Riello NetMan 204 network communication card used in the company's uninterruptible power supplies (UPS); the flaws could allow attackers to take control of the UPS and even falsify the collected log data.
- CVE-2024-8877 – SQL injection in three API endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi, which allows arbitrary data modification
- CVE-2024-8878 – Unauthenticated password reset via the /recoverpassword.html endpoint, which can be used to obtain a netmanid from a device, from which a password reset recovery code can be computed
“Entering the recovery code in ‘/recoverpassword.html’ resets the login credentials to admin:admin,” Thomas Weber of CyberDanube said, noting that this could allow an attacker to hijack the device and shut it down.
Both vulnerabilities remain unpatched, so users are advised to restrict network access to the devices in critical environments until a fix is available.
It is also worth noting several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could expose sensitive user data and give attackers full remote control over any camera connected to the smart home cloud service.
“The built-in P2P command, which intentionally provides arbitrary write access to the key configuration file, can be used to either permanently disable cameras or facilitate remote code execution by triggering a buffer overflow,” Elastic Security Labs said, adding that its attempts to reach the Chinese company have so far been unsuccessful.
CISA warns of continued attacks on OT networks
The development comes after the US Cybersecurity and Infrastructure Security Agency (CISA) noted an increase in threats to Internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including in the water and wastewater systems (WWS) sector.
“Open and vulnerable OT/ICS systems can allow cyber-threat actors to use default credentials, launch brute-force attacks, or use other unsophisticated methods to access and cause harm to these devices,” CISA said.
In February of this year, the US government sanctioned six officials linked to Iranian intelligence for attacks on critical infrastructure in the United States and other countries.
These attacks involved targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that were exposed to the Internet, by abusing default passwords.
Industrial cybersecurity company Claroty has since released two tools, PCOM2TCP and PCOMClient, that allow users to extract forensic information from Unitronics integrated HMI/PLCs.
“PCOM2TCP allows users to convert serial PCOM messages to TCP PCOM messages and vice versa,” Claroty said. “A second tool called PCOMClient allows users to connect to Unitronics Vision/Samba series PLCs, query it and extract forensic information from the PLC.”
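To make the conversion concrete, here is an added C example of what a serial-to-TCP PCOM bridge does; it is not Claroty's PCOM2TCP or PCOMClient code. The framing it uses is an assumption drawn from public descriptions of the protocol: a serial ASCII request is '/' followed by a two-hex-digit unit ID, the command and data, a two-hex-digit checksum (sum of the bytes after '/' modulo 256) and a carriage return, and the TCP transport prepends a six-byte header holding a little-endian transaction ID, a mode byte (0x65 ASCII, 0x66 binary), a reserved zero and a little-endian length. The "ID" request for unit 0 is constructed sample input, and only request frames are handled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCOM_TCP_HDR    6     /* ASSUMED: transaction id (LE16), mode, reserved, length (LE16) */
#define PCOM_MODE_ASCII 0x65  /* ASSUMED: 101 = ASCII PCOM carried inside the TCP frame */
#define PCOM_MODE_BIN   0x66  /* ASSUMED: 102 = binary PCOM carried inside the TCP frame */

/* ASCII PCOM checksum: sum of the characters between STX '/' and the checksum field, mod 256. */
uint8_t pcom_ascii_checksum(const char *body, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) sum += (unsigned char)body[i];
    return (uint8_t)(sum & 0xff);
}

/* Build a serial ASCII request: "/" + 2-hex unit id + command (+ data) + 2-hex checksum + CR. */
size_t pcom_ascii_build(char *out, size_t out_size, uint8_t unit, const char *cmd_and_data)
{
    int n = snprintf(out, out_size, "/%02X%s", unit, cmd_and_data);
    if (n < 0 || (size_t)n + 4 > out_size) return 0;            /* need "CC\r" plus a NUL */
    uint8_t cs = pcom_ascii_checksum(out + 1, (size_t)n - 1);
    n += snprintf(out + n, out_size - (size_t)n, "%02X\r", cs);
    return (size_t)n;
}

/* Validate a serial ASCII request frame: STX, CR terminator and checksum must all agree. */
bool pcom_ascii_check(const char *frame, size_t len)
{
    unsigned cs;
    if (len < 6 || frame[0] != '/' || frame[len - 1] != '\r') return false;
    if (sscanf(frame + len - 3, "%2x", &cs) != 1) return false;
    return cs == pcom_ascii_checksum(frame + 1, len - 4);
}

/* Serial -> TCP: wrap a verified serial frame in the transport header. */
size_t pcom_serial_to_tcp(const char *frame, size_t len, uint16_t txid, uint8_t *out, size_t out_size)
{
    if (!pcom_ascii_check(frame, len) || len > 0xffff || out_size < PCOM_TCP_HDR + len) return 0;
    out[0] = (uint8_t)txid;   out[1] = (uint8_t)(txid >> 8);
    out[2] = PCOM_MODE_ASCII; out[3] = 0;
    out[4] = (uint8_t)len;    out[5] = (uint8_t)(len >> 8);
    memcpy(out + PCOM_TCP_HDR, frame, len);
    return PCOM_TCP_HDR + len;
}

/* TCP -> serial: strip the header, rejecting inconsistent lengths, modes or checksums. */
size_t pcom_tcp_to_serial(const uint8_t *pkt, size_t pkt_len, uint16_t *txid, char *out, size_t out_size)
{
    if (pkt_len < PCOM_TCP_HDR) return 0;
    size_t body = (size_t)pkt[4] | ((size_t)pkt[5] << 8);
    if (pkt[2] != PCOM_MODE_ASCII || pkt[3] != 0 || body + PCOM_TCP_HDR != pkt_len || body + 1 > out_size)
        return 0;
    memcpy(out, pkt + PCOM_TCP_HDR, body);
    out[body] = '\0';
    if (!pcom_ascii_check(out, body)) return 0;
    if (txid) *txid = (uint16_t)(pkt[0] | (pkt[1] << 8));
    return body;
}

/* Constructed demo: the "ID" request for unit 0 goes serial -> TCP -> serial; 1 if everything agrees. */
int pcom_demo_roundtrip(void)
{
    char frame[32], back[32]; uint8_t tcp[40]; uint16_t txid = 0;
    size_t flen = pcom_ascii_build(frame, sizeof frame, 0, "ID");
    size_t tlen = pcom_serial_to_tcp(frame, flen, 0x0102, tcp, sizeof tcp);
    size_t blen = pcom_tcp_to_serial(tcp, tlen, &txid, back, sizeof back);
    return flen == 8 && memcmp(frame, "/00IDED\r", 8) == 0 && tlen == PCOM_TCP_HDR + 8 &&
           tcp[2] == PCOM_MODE_ASCII && tcp[4] == 8 && blen == flen && txid == 0x0102 &&
           memcmp(back, frame, flen) == 0;
}

int main(void)
{
    char frame[32]; uint8_t tcp[40];
    size_t flen = pcom_ascii_build(frame, sizeof frame, 0, "ID");
    size_t tlen = pcom_serial_to_tcp(frame, flen, 0x0102, tcp, sizeof tcp);
    printf("serial: %.*s<CR>\ntcp   :", (int)flen - 1, frame);
    for (size_t i = 0; i < tlen; i++) printf(" %02x", tcp[i]);
    printf("\nround trip ok: %d\n", pcom_demo_roundtrip());
    return 0;
}
```

The point for forensic work is the validation on both sides: a bridge that forwards frames whose checksum or declared length does not match would hand the PLC (or the analyst) corrupted data, so every frame is checked before it is wrapped and again after it is unwrapped.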
Additionally, Claroty cautions that the proliferation of remote access tools in OT environments, anywhere from four to 16 per organization, creates new security and operational risks.
“55% of organizations have deployed four or more remote access tools that connect OT to the outside world, a worrying percentage of companies that have extensive attack surfaces that are difficult and expensive to manage,” it noted.
“Engineers and asset managers should actively seek to eliminate or minimize the use of low-security remote access tools in OT environments, especially those that have known vulnerabilities or lack basic security features such as MFA.”