Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauging (ATG) systems from five different manufacturers, which could expose them to remote attacks.
“These vulnerabilities [in ATGs] pose significant real-world risks, as they could be exploited by cybercriminals to cause widespread harm, including physical harm, environmental hazards, and economic losses,” Pedro Umbelino, a Bitsight researcher, declared in a report published last week.
An overview of attacks on ATG systems
Making matters worse, the analysis found that thousands of ATG systems are exposed to the Internet, making them an attractive target for attackers seeking to orchestrate destructive attacks against gas stations, hospitals, airports, military bases and other critical infrastructure.
ATGs are sensor systems designed to monitor the level of a storage tank (e.g., a fuel tank) over time, with the aim of detecting leaks and tracking operating parameters; exploitation of security flaws in such systems could therefore have serious consequences, including denial of service (DoS) and physical damage.
The eleven recently discovered vulnerabilities affect six ATG models, namely Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla and Franklin TS-550. Eight of the eleven flaws are rated critical in severity:
- CVE-2024-45066 (CVSS score: 10.0) – Operating system command injection in Maglink LX
- CVE-2024-43693 (CVSS score: 10.0) – Operating system command injection in Maglink LX
- CVE-2024-43423 (CVSS score: 9.8) – Hardcoded credentials in Maglink LX4
- CVE-2024-8310 (CVSS score: 9.8) – Authentication bypass in OPW SiteSentinel
- CVE-2024-6981 (CVSS score: 9.8) – Authentication bypass in Proteus OEL8000
- CVE-2024-43692 (CVSS score: 9.8) – Authentication bypass in Maglink LX
- CVE-2024-8630 (CVSS score: 9.4) – SQL injection in Alisonic Sibylla
- CVE-2023-41256 (CVSS score: 9.1) – Authentication bypass in Maglink LX (duplicate of a previously reported vulnerability)
- CVE-2024-41725 (CVSS score: 8.8) – Cross-site scripting (XSS) in Maglink LX
- CVE-2024-45373 (CVSS score: 8.8) – Privilege escalation in Maglink LX4
- CVE-2024-8497 (CVSS score: 7.5) – Arbitrary file read in Franklin TS-550
“All these vulnerabilities [in ATGs] allow you to gain full administrative privileges on the device application and, in some cases, even full access to the operating system,” Umbelino said. “The most damaging attack is to make devices operate in a way that could cause physical damage to their components or connected components.”
Not just ATGs: vulnerabilities discovered in OpenPLC, Riello NetMan 204 and AJCloud
In addition to the ATG vulnerabilities, security flaws have also been discovered in the open-source OpenPLC solution, including a serious stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.
“Sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes can write beyond the bounds of the allocated log_msg buffer and corrupt the stack,” Cisco Talos stated. “Depending on the security measures in place on the host in question, further exploitation may be possible.”
Another group of security flaws affects the Riello NetMan 204 network communication card used in its uninterruptible power supply (UPS) systems, which could allow attackers to take control of the UPS and even manipulate the collected log data.
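The request shape Talos describes (a well-formed encapsulation header, an unsupported command code, and at least 500 bytes in total) is easy to recognise on the wire. The following triage routine is an added example written for this article; it is not code from OpenPLC or from Cisco Talos. It parses the standard 24-byte EtherNet/IP encapsulation header, checks the declared length against the frame, and flags frames that match the described shape. The command-code table follows the EtherNet/IP specification; the sample frames and the 500-byte threshold are constructed from the quoted description.

```python
"""Added example, not code from the article, OpenPLC or Cisco Talos: a
defender-side triage routine for EtherNet/IP (ENIP) encapsulation headers
that flags requests with the shape Talos describes for CVE-2024-34026
(unsupported command code, valid header, at least 500 total bytes).
Sample frames are constructed here for demonstration."""
import struct

ENIP_HEADER_LEN = 24          # command(2) length(2) session(4) status(4) context(8) options(4)
SUSPICIOUS_TOTAL_BYTES = 500  # size threshold quoted in the Talos description

# Encapsulation command codes defined by the EtherNet/IP specification.
KNOWN_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}


def parse_enip_header(frame: bytes) -> dict:
    """Unpack the fixed 24-byte little-endian encapsulation header."""
    command, length, session, status, context, options = struct.unpack(
        "<HHII8sI", frame[:ENIP_HEADER_LEN]
    )
    return {
        "command": command,
        "length": length,      # declared size of the data following the header
        "session": session,
        "status": status,
        "context": context,
        "options": options,
    }


def triage_enip_request(frame: bytes) -> str:
    """Return a verdict string for one inbound ENIP frame."""
    if len(frame) < ENIP_HEADER_LEN:
        return "malformed:short-header"
    hdr = parse_enip_header(frame)
    if hdr["length"] != len(frame) - ENIP_HEADER_LEN:
        return "malformed:length-mismatch"
    if hdr["command"] not in KNOWN_COMMANDS:
        # Unsupported command with a well-formed header: the case Talos
        # describes becomes dangerous once the total size reaches 500 bytes.
        if len(frame) >= SUSPICIOUS_TOTAL_BYTES:
            return "alert:unsupported-command-oversized"
        return "warn:unsupported-command"
    return "ok:" + KNOWN_COMMANDS[hdr["command"]]


def build_enip(command: int, payload: bytes, session: int = 0) -> bytes:
    """Construct a frame whose length field matches its payload (sample data only)."""
    header = struct.pack("<HHII8sI", command, len(payload), session, 0, b"\x00" * 8, 0)
    return header + payload


# Constructed sample traffic: two normal requests and two with an undefined command code.
SAMPLES = {
    "list_identity": build_enip(0x0063, b""),
    "register_session": build_enip(0x0065, struct.pack("<HH", 1, 0)),
    "unknown_small": build_enip(0x00FF, b"\x00" * 16),
    "unknown_oversized": build_enip(0x00FF, b"\x00" * 600),
}


def triage_samples() -> dict:
    """Run the triage over every constructed sample."""
    return {name: triage_enip_request(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:18s} {verdict}")
```

The length check matters on its own: a frame whose declared length disagrees with its size is malformed regardless of the command code, and a listener that trusts the header's length field without such a check is exactly the kind of code the Talos description points at. In a real deployment this logic would sit in a network sensor in front of the PLC (TCP port 44818 for ENIP) rather than in the PLC itself.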
- CVE-2024-8877 – SQL injection in three API endpoints (/cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi) which allows arbitrary data modification
- CVE-2024-8878 – Unauthenticated password reset via the /recoverpassword.html endpoint, which could be leveraged to obtain the netmanid ID from the device, from which the password reset recovery code can be calculated.
“By entering the recovery code in ‘/recoverpassword.html’, your login credentials are reset to admin:admin,” Thomas Weber of CyberDanube stated, pointing out that this could allow the attacker to hijack the device and shut it down.
Neither vulnerability has been patched yet, so users are advised to restrict access to these devices in critical environments until a fix is available.
Also of note are several critical vulnerabilities in the AJCloud IP camera management platform, which, if successfully exploited, could lead to the exposure of sensitive user data and give attackers full remote control of any camera connected to the smart home cloud service.
“A built-in P2P command, which intentionally provides arbitrary write access to a key configuration file, can be exploited to permanently disable cameras or facilitate remote code execution by triggering a buffer overflow,” Elastic Security Labs said, adding that its efforts to contact the Chinese company have been unsuccessful to date.
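While no patch exists, operators can at least watch for the two request patterns CyberDanube describes: queries to the three db_*_w.cgi endpoints carrying SQL metacharacters, and any hit on /recoverpassword.html, which needs no authentication. The log-review routine below is an added example written for this article, not code from CyberDanube or Riello. The endpoint paths and CVE mapping come from the text above; the access-log lines (Common Log Format, with documentation-range IP addresses) and the SQL signature are constructed for the example.

```python
"""Added example, not code from the article or from CyberDanube/Riello: a
log-review routine that flags the two request patterns CyberDanube describes
for the NetMan 204 card, so operators can spot probing while no patch exists.
The sample access-log lines (Common Log Format, documentation-range IPs)
are constructed for this example."""
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the article for CVE-2024-8877 (SQL injection).
SQLI_ENDPOINTS = {
    "/cgi-bin/db_datalog_w.cgi",
    "/cgi-bin/db_eventlog_w.cgi",
    "/cgi-bin/db_multimetr_w.cgi",
}
# Endpoint named in the article for CVE-2024-8878 (unauthenticated reset).
RESET_ENDPOINT = "/recoverpassword.html"

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Crude SQL metacharacter signature; tune it against the device's legitimate queries.
SQLI_RE = re.compile(r"'|--|;|\b(?:union|select|or|and)\b", re.IGNORECASE)


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m["target"])
    base = {"client": m["client"], "ts": m["ts"], "method": m["method"], "path": target.path}
    if target.path == RESET_ENDPOINT:
        # Any hit on the reset page deserves review: it requires no authentication.
        return {**base, "cve": "CVE-2024-8878", "reason": "password-reset-endpoint"}
    if target.path in SQLI_ENDPOINTS:
        decoded = unquote(target.query)  # inspect the decoded query string
        if SQLI_RE.search(decoded):
            return {**base, "cve": "CVE-2024-8877", "reason": "sql-metacharacters", "query": decoded}
    return None


def scan_log(lines):
    """Apply analyze_line to every line and keep the findings, in log order."""
    findings = []
    for line in lines:
        finding = analyze_line(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one normal query, one injected query, one reset hit, one static page.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2024:10:01:02 +0000] "GET /cgi-bin/db_datalog_w.cgi?id=17 HTTP/1.1" 200 512
192.0.2.55 - - [25/Sep/2024:10:01:09 +0000] "GET /cgi-bin/db_eventlog_w.cgi?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
192.0.2.55 - - [25/Sep/2024:10:02:30 +0000] "POST /recoverpassword.html HTTP/1.1" 200 1024
192.0.2.10 - - [25/Sep/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['method']} {f['path']} -> {f['cve']} ({f['reason']})")
```

The reset-endpoint rule is deliberately unconditional: because the reset is unauthenticated, a legitimate administrator has little reason to hit that page unexpectedly, so every hit is worth a ticket. The SQL signature is only a first filter and will produce false positives on free-text parameters; the durable control is the one the article names, restricting network access to the card until a fix ships.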
CISA warns that, beyond the ATG attacks, attacks against OT networks are also ongoing
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported an increase in threats to Internet-accessible OT and ICS systems, including those in the Water and Wastewater Systems (WWS) sector.
“Exposed and vulnerable OT/ICS systems could allow cyber threat actors to use default credentials, conduct brute force attacks or use other unsophisticated methods to access these devices and cause damage,” CISA declared.
In February, the U.S. government sanctioned six officials associated with Iran’s intelligence agency for attacks on critical infrastructure entities in the United States and other countries.
These attacks involved targeting and compromising Israeli-made Unitronics Vision series programmable logic controllers (PLCs) that were publicly exposed on the Internet, by using their default passwords.
Industrial cybersecurity company Claroty subsequently open-sourced two tools, called PCOM2TCP and PCOMClient, that allow users to extract forensic information from Unitronics integrated HMI/PLCs.
“PCOM2TCP allows users to convert PCOM serial messages to PCOM TCP messages and vice versa,” the company stated. “The second tool, called PCOMClient, allows users to connect to their Unitronics Vision/Samba PLCs, interrogate them, and extract forensic information from the PLCs.”
Additionally, Claroty warned that the excessive use of remote access solutions in OT environments (between four and sixteen per organization) creates new security and operational risks for organizations.
“55% of organizations have implemented four or more remote access tools that connect OT to the outside world, a worrying percentage of companies that have large, complex and expensive attack surfaces to manage,” the company observed. “Engineers and asset managers should actively seek to eliminate or minimize the use of low-security remote access tools in the OT environment, especially those with known vulnerabilities or lacking essential security features like multi-factor authentication (MFA).”
What do you think about these attacks on ATGs and the other systems described here?
#ATG #critical #vulnerabilities #fuel #stations