Significant Weaknesses in Tank Gauge Systems Put Gas Stations at Risk of Remote Breaches

A report published last week by Bitsight researcher Pedro Umbelino stated that critical vulnerabilities in six different Automatic Tank Gauge (ATG) systems from five manufacturers have been revealed, opening them up to potential remote breaches.

According to Umbelino, these vulnerabilities could be leveraged by malicious individuals to cause extensive harm, such as physical destruction, environmental dangers, and financial impacts.

The research also uncovered that numerous ATGs are accessible via the internet, making them an appealing target for bad actors seeking to carry out disruptive and damaging assaults on gas stations, hospitals, airports, military facilities, and other vital infrastructure sites.

ATGs are sensor systems designed to monitor the level of storage tanks, such as fuel tanks, over time in order to detect leaks and track other metrics. Exploiting security vulnerabilities in such systems could lead to severe outcomes, including denial-of-service (DoS) incidents and physical harm.

The latest discovery reveals a total of 11 vulnerabilities affecting various ATG models, including Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of these flaws are classified as critical in severity –

  • CVE-2024-45066 (CVSS score: 10.0) – OS command injection in Maglink LX
  • CVE-2024-43693 (CVSS score: 10.0) – OS command injection in Maglink LX
  • CVE-2024-43423 (CVSS score: 9.8) – Hard-coded credentials in Maglink LX4
  • CVE-2024-8310 (CVSS score: 9.8) – Authentication bypass in OPW SiteSentinel
  • CVE-2024-6981 (CVSS score: 9.8) – Authentication bypass in Proteus OEL8000
  • CVE-2024-43692 (CVSS score: 9.8) – Authentication bypass in Maglink LX
  • CVE-2024-8630 (CVSS score: 9.4) – SQL injection in Alisonic Sibylla
  • CVE-2023-41256 (CVSS score: 9.1) – Authentication bypass in Maglink LX (a duplicate of a previously disclosed flaw)
  • CVE-2024-41725 (CVSS score: 8.8) – Cross-site scripting (XSS) in Maglink LX
  • CVE-2024-45373 (CVSS score: 8.8) – Privilege escalation in Maglink LX4
  • CVE-2024-8497 (CVSS score: 7.5) – Arbitrary file read in Franklin TS-550

“These vulnerabilities enable adversaries to gain complete administrator privileges over the device application, and some of them, full control of the operating system,” Umbelino remarked. “The most severe attack involves manipulating the devices to operate in ways that could result in physical harm to their own components or the connected elements.”

Weaknesses Detected in OpenPLC, Riello NetMan 204, and AJCloud

Security flaws were also found in the open-source OpenPLC solution, including a critical stack-based buffer overflow vulnerability (CVE-2024-34026, CVSS score: 9.0) that could lead to remote code execution.

Cisco Talos indicated, “Sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes could overwrite the allocated log_msg buffer and corrupt the stack. Depending on the security measures in place on the host, further exploitation may be possible.”
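The defect class Talos describes, shown from the defensive side in an added example that is not OpenPLC's code: a constructed ENIP request handler that checks the encapsulation length field against the bytes actually received and writes the "unsupported command" log line with snprintf, so a 500-byte payload cannot overrun the fixed log buffer. The 24-byte header layout is the standard EtherNet/IP encapsulation header; the supported-command list, buffer size, log format and sample request are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EtherNet/IP encapsulation header, 24 bytes, little-endian fields:
   command(2) length(2) session(4) status(4) sender context(8) options(4). */
#define ENIP_HDR_LEN 24
#define LOG_MSG_LEN 256   /* assumed fixed-size log buffer */

static char log_msg[LOG_MSG_LEN];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Commands this constructed handler claims to support (assumption). */
static int enip_cmd_supported(uint16_t cmd) {
    switch (cmd) {
    case 0x0004: case 0x0063: case 0x0065:   /* ListServices, ListIdentity, RegisterSession */
    case 0x0066: case 0x006F: case 0x0070:   /* UnRegisterSession, SendRRData, SendUnitData */
        return 1;
    default:
        return 0;
    }
}

/* Returns 0 = supported command, -1 = malformed request rejected,
   1 = unsupported command logged. log_msg is never written past LOG_MSG_LEN. */
int enip_handle(const uint8_t *req, size_t n) {
    if (n < ENIP_HDR_LEN) return -1;
    uint16_t cmd = rd16(req), len = rd16(req + 2);
    if ((size_t)len != n - ENIP_HDR_LEN) return -1;   /* length field must match bytes received */
    if (enip_cmd_supported(cmd)) return 0;
    /* Hex-dump only as much payload as fits; every write is bounded by the remaining space. */
    int off = snprintf(log_msg, sizeof log_msg, "unsupported ENIP cmd 0x%04X len=%u payload=",
                       (unsigned)cmd, (unsigned)len);
    for (size_t i = 0; i < len && off > 0 && (size_t)off + 3 < sizeof log_msg; i++)
        off += snprintf(log_msg + off, sizeof log_msg - (size_t)off, "%02x", req[ENIP_HDR_LEN + i]);
    return 1;
}

/* Constructed sample: unknown command 0x9999 carrying a 500-byte payload. */
int demo_oversized_request(void) {
    static uint8_t req[ENIP_HDR_LEN + 500];
    memset(req, 0x41, sizeof req);
    req[0] = 0x99; req[1] = 0x99;               /* command */
    req[2] = 500 & 0xFF; req[3] = 500 >> 8;     /* length = 500 */
    return enip_handle(req, sizeof req);
}

/* Constructed sample: header claims 500 bytes but only 10 arrived. */
int demo_truncated_request(void) {
    static uint8_t req[ENIP_HDR_LEN + 10];
    memset(req, 0, sizeof req);
    req[0] = 0x99; req[1] = 0x99; req[2] = 500 & 0xFF; req[3] = 500 >> 8;
    return enip_handle(req, sizeof req);
}

size_t demo_log_len(void) { return strlen(log_msg); }
```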

There are additional security risks associated with the Riello NetMan 204 network communications card used in the company's Uninterruptible Power Supply (UPS) systems that might allow threat actors to seize control of the UPS and tamper with stored log data.

  • CVE-2024-8877 – SQL injection in three API endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi enabling arbitrary data changes
  • CVE-2024-8878 – Unauthenticated password reset via the endpoint /recoverpassword.html that can be exploited to acquire the netmanid to calculate the recovery code for resetting the password

Commenting on the situation, CyberDanube’s Thomas Weber mentioned, “By entering the recovery code in ‘/recoverpassword.html,’ the login credentials are reset to admin:admin, potentially allowing the attacker to take control of the device and power it down.”

Since both vulnerabilities remain unaddressed, it is advisable for users to restrict access to these devices in critical environments until a fix is implemented.

Additionally, a variety of critical vulnerabilities have been detected in the AJCloud IP camera management platform which, if successfully exploited, could result in the exposure of sensitive user information and provide unauthorized control of any cameras connected to the smart home cloud service.

Elastic Security Labs emphasized, “A built-in P2P command intentionally granting arbitrary write access to a key configuration file may either permanently disable cameras or enable remote code execution by triggering a buffer overflow,” with attempts to contact the Chinese company remaining futile to date.

CISA Alerts About Ongoing Attacks on OT Networks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted heightened risks to publicly accessible operational technology (OT) and industrial control systems (ICS) devices, especially within the Water and Wastewater Systems (WWS) Sector.

CISA warned, “Exposed and vulnerable OT/ICS systems could enable cyber threat actors to leverage default credentials, carry out brute force attacks, or employ other basic techniques to breach these devices and cause harm.”

In February, the U.S. government imposed penalties on six individuals linked to the Iranian intelligence agency for attacking critical infrastructure systems in the United States and various other nations.

These assaults consisted of targeting and infiltrating Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are openly visible on the internet due to the use of default passwords.

The industrial cybersecurity firm Claroty has now made public two tools named PCOM2TCP and PCOMClient, which enable users to retrieve forensic data from Unitronics integrated HMIs/PLCs.

“PCOM2TCP permits users to change serial PCOM messages into TCP PCOM messages and vice versa,” as per the statement released. “The secondary utility, PCOMClient, empowers users to interact with their Unitronics Vision/Samba series PLC, conduct queries, and extract forensic information from the PLC.”

In addition, Claroty has cautioned that the extensive utilization of remote connectivity solutions within operational technology (OT) environments, ranging between four and sixteen tools, introduces new security and operational hazards for entities.

“55% of entities have implemented four or more remote access tools connecting OT systems with the external world, a notably high percentage exposing companies to intricate and costly management of vulnerabilities,” the company noted.

“Professionals and administrators should actively work towards abolishing or reducing the usage of low-security remote access solutions in the OT environment, especially those with identified vulnerabilities or lacking fundamental security attributes like multifactor authentication.”
