Significant Flaws in Tank Level Monitor Systems Make Gas Stations Susceptible to Remote Intrusions
Several critical vulnerabilities have been disclosed in six Automated Tank Level Monitor (ATG) systems from five different manufacturers that could expose them to remote attacks.
“The existence of these vulnerabilities presents notable risks in practical scenarios, as they could be manipulated by malevolent agents to generate extensive harm, including physical destruction, environmental threats, and economic liabilities,” Bitsight researcher Pedro Umbelino said in a recent publication.
What exacerbates the situation is the revelation that a significant number of ATG units are exposed on the web, thus making them a potential target for malicious entities looking to execute disruptive and harmful assaults on fuel stations, medical facilities, aviation centers, military installations, and other vital infrastructure locales.
ATGs are sensor systems designed to monitor the level of a storage tank (e.g., a fuel tank) over time in order to detect leaks and determine its parameters. Exploiting security weaknesses in such systems could have severe consequences, including denial-of-service (DoS) and physical damage.
The 11 newly identified vulnerabilities affect six ATG models: Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of the 11 flaws are rated critical in severity:
- CVE-2024-45066 (CVSS score: 10.0) – OS command injection in Maglink LX
- CVE-2024-43693 (CVSS score: 10.0) – OS command injection in Maglink LX
- CVE-2024-43423 (CVSS score: 9.8) – Hard-coded credentials in Maglink LX4
- CVE-2024-8310 (CVSS score: 9.8) – Authentication bypass in OPW SiteSentinel
- CVE-2024-6981 (CVSS score: 9.8) – Authentication bypass in Proteus OEL8000
- CVE-2024-43692 (CVSS score: 9.8) – Authentication bypass in Maglink LX
- CVE-2024-8630 (CVSS score: 9.4) – SQL injection in Alisonic Sibylla
- CVE-2023-41256 (CVSS score: 9.1) – Authentication bypass in Maglink LX (a duplicate of a previously disclosed flaw)
- CVE-2024-41725 (CVSS score: 8.8) – Cross-site scripting (XSS) in Maglink LX
- CVE-2024-45373 (CVSS score: 8.8) – Privilege escalation in Maglink LX4
- CVE-2024-8497 (CVSS score: 7.5) – Arbitrary file read in Franklin TS-550
“All these vulnerabilities grant full administrator rights to the device application and, in some scenarios, total access to the operating system,” Umbelino remarked. “The most severe attack involves configuring the devices in a manner that could bring about physical harm to their components or linked entities.”
Defects Detected in OpenPLC, Riello NetMan 204, and AJCloud
Security flaws have also been found in the open-source OpenPLC solution, including a critical stack-based buffer overflow (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.
“Through dispatching an ENIP request with an unsupported command code, a valid encapsulation header, and not less than 500 overall bytes, it’s plausible to overwrite the limits of the allocated log_msg buffer and tamper with the stack,” Cisco Talos noted. “Depending on the security measures enacted on the target host, further exploitation could be feasible.”
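The conditions Talos describes (unsupported command code, well-formed encapsulation header, 500 or more total bytes) can be checked on captured traffic. The triage function below is an added example, not code from Talos or OpenPLC; the command allowlist, the one-frame-per-payload assumption and the sample frames are constructed for illustration.

```python
import struct

# EtherNet/IP encapsulation header, 24 bytes little-endian:
# command, length, session handle, status, 8-byte sender context, options.
ENIP_HEADER = struct.Struct("<HHII8sI")

# Assumption: allowlist of standard encapsulation commands; trim it to the
# set your PLC runtime actually handles.
KNOWN_COMMANDS = {0x0000, 0x0004, 0x0063, 0x0064, 0x0065, 0x0066, 0x006F, 0x0070}

SIZE_THRESHOLD = 500  # total bytes, the figure quoted from the advisory


def triage_enip(frame: bytes) -> str:
    """Classify one TCP payload sent to the ENIP port (44818/tcp)."""
    if len(frame) < ENIP_HEADER.size:
        return "malformed: shorter than encapsulation header"
    command, length, _session, _status, _ctx, _opts = ENIP_HEADER.unpack_from(frame)
    if length != len(frame) - ENIP_HEADER.size:
        return "malformed: length field does not match payload"
    if command not in KNOWN_COMMANDS:
        if len(frame) >= SIZE_THRESHOLD:
            return f"alert: unsupported command 0x{command:04x} with {len(frame)} bytes"
        return f"suspicious: unsupported command 0x{command:04x}"
    return "ok"


def build_frame(command: int, payload: bytes) -> bytes:
    """Build a constructed test frame whose length field matches its payload."""
    return ENIP_HEADER.pack(command, len(payload), 0, 0, b"\0" * 8, 0) + payload


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "register_session": build_frame(0x0065, struct.pack("<HH", 1, 0)),
    "unknown_small": build_frame(0x00FF, b""),
    "unknown_large": build_frame(0x00FF, b"\0" * 476),
    "truncated": b"\x65\x00\x04",
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:17} {triage_enip(frame)}")
```
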
Another set of security flaws affects the Riello NetMan 204 network communications card used in Riello Uninterruptible Power Supply (UPS) products, and could allow bad actors to seize control of the UPS and even manipulate the recorded log data.
- CVE-2024-8877 – SQL injection in three API endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi allowing for unauthorized data alterations
- CVE-2024-8878 – Password reset without authentication via the endpoint /recoverpassword.html, which could be misused to obtain the netmanid from the device, from which the recovery code for changing the password can be inferred
“Inserting the recovery code in ‘/recoverpassword.html’ resets the login credentials to admin:admin,” CyberDanube’s Thomas Weber stated, stressing that this could enable an attacker to take over the device and power it down.
Both vulnerabilities remain unpatched, so users need to restrict access to the devices in critical settings until a fix is issued.
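While access is being restricted, requests to the four NetMan 204 endpoints named above are worth reviewing. The scan below is an added example, not CyberDanube's or Riello's code; it assumes Common Log Format lines from a proxy or firewall in front of the card, and the management subnet and log lines are constructed.

```python
import ipaddress
import re

# Endpoints named in CVE-2024-8877 and CVE-2024-8878.
SENSITIVE_PATHS = {
    "/cgi-bin/db_datalog_w.cgi": "CVE-2024-8877",
    "/cgi-bin/db_eventlog_w.cgi": "CVE-2024-8877",
    "/cgi-bin/db_multimetr_w.cgi": "CVE-2024-8877",
    "/recoverpassword.html": "CVE-2024-8878",
}

# Assumption: hypothetical management subnet allowed to reach the card.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: Common Log Format, as written by a proxy in front of the card.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2024:10:00:01 +0000] "GET /recoverpassword.html HTTP/1.1" 200 512',
    '10.20.0.15 - - [01/Oct/2024:10:02:11 +0000] "GET /recoverpassword.html HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Oct/2024:10:05:42 +0000] "POST /cgi-bin/db_eventlog_w.cgi?id=1 HTTP/1.1" 200 64',
    '198.51.100.23 - - [01/Oct/2024:10:05:50 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def flag_requests(lines):
    """Return (client, path, cve) for sensitive requests from outside MGMT_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        cve = SENSITIVE_PATHS.get(path)
        if cve is None:
            continue
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # client field is a hostname, cannot be checked
        if not any(addr in net for net in MGMT_NETS):
            hits.append((client, path, cve))
    return hits
```
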
Further, several critical security vulnerabilities in the AJCloud IP camera management platform, if successfully exploited, could result in the exposure of sensitive user data and give attackers complete remote control of any camera linked to the smart home cloud service.
“A built-in P2P directive, intentionally providing unbridled write access to a vital configuration file, can be exploited to either permanently incapacitate cameras or execute remote code operations by initiating a buffer overflow,” Elastic Security Labs disclosed, noting that attempts to contact the Chinese firm have been unsuccessful to date.
CISA Alerts About Ongoing Attacks on OT Networks
In this context, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of escalating threats to internet-accessible operational technology (OT) and industrial control systems (ICS) devices, among them those in the Water and Wastewater Systems (WWS) Sector.
“Exposed and vulnerable OT/ICS systems may pave the way for cybercriminals to exploit default login credentials, execute brute-force assaults, or utilize other rudimentary methods to infiltrate these devices and trigger damage,” CISA highlighted.

Back in February, the U.S. government imposed penalties on six individuals linked to the Iranian intelligence service for their involvement in cyber attacks on vital infrastructure entities in the United States and other nations.
These incidents revolved around the exploitation of Israeli-manufactured Unitronics Vision Series programmable logic controllers (PLCs) that are openly accessible on the internet owing to their use of default credentials.
The cybersecurity firm Claroty has now released two publicly available utilities named PCOM2TCP and PCOMClient, which offer users the capability to retrieve forensic data from Unitronics-integrated HMIs/PLCs.
“PCOM2TCP allows users to convert serial PCOM communications to TCP PCOM messages and vice versa,” a statement from the company explained. “On the other hand, PCOMClient permits users to establish a connection with their Unitronics Vision/Samba series PLC, interact with it, and extract forensic details from the PLC.”
Moreover, Claroty has cautioned about the excessive use of remote access solutions in operational technology (OT) environments – with installations ranging from four to sixteen – which brings about fresh security and operational hazards for organizations.
“55% of organizations utilize four or more remote access tools that link OT systems to the external environment, representing a concerning percentage of enterprises with expansive and intricate attack surfaces that are cumbersome and costly to manage,” the report highlighted.
“Engineers and asset managers are urged to actively work towards eliminating or reducing the reliance on insecure remote access tools within the OT setting, especially those with known vulnerabilities or lacking crucial security features like Multi-Factor Authentication (MFA).”

