Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks.
"These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher Pedro Umbelino said in a report published last week.
Making matters worse, the analysis found that thousands of ATGs are exposed to the internet, making them a lucrative target for malicious actors looking to stage disruptive and destructive attacks against gas stations, hospitals, airports, military bases, and other critical infrastructure facilities.
ATGs are sensor systems designed to monitor the level of a storage tank (e.g., fuel tank) over a period of time with the goal of determining leakage and parameters. Exploitation of security flaws in such systems could therefore have serious consequences, including denial-of-service (DoS) and physical damage.
The newly discovered 11 vulnerabilities affect six ATG models, namely Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of the 11 flaws are rated critical in severity -
- CVE-2024-45066 (CVSS score: 10.0) - OS command injection in Maglink LX
- CVE-2024-43693 (CVSS score: 10.0) - OS command injection in Maglink LX
- CVE-2024-43423 (CVSS score: 9.8) - Hard-coded credentials in Maglink LX4
- CVE-2024-8310 (CVSS score: 9.8) - Authentication bypass in OPW SiteSentinel
- CVE-2024-6981 (CVSS score: 9.8) - Authentication bypass in Proteus OEL8000
- CVE-2024-43692 (CVSS score: 9.8) - Authentication bypass in Maglink LX
- CVE-2024-8630 (CVSS score: 9.4) - SQL injection in Alisonic Sibylla
- CVE-2023-41256 (CVSS score: 9.1) - Authentication bypass in Maglink LX (a duplicate of a previously disclosed flaw)
- CVE-2024-41725 (CVSS score: 8.8) - Cross-site scripting (XSS) in Maglink LX
- CVE-2024-45373 (CVSS score: 8.8) - Privilege escalation in Maglink LX4
- CVE-2024-8497 (CVSS score: 7.5) - Arbitrary file read in Franklin TS-550
"All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access," Umbelino said. "The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it."
Flaws Discovered in OpenPLC, Riello NetMan 204, and AJCloud
Security flaws have also been uncovered in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution.
"By sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes, it is possible to write past the boundary of the allocated log_msg buffer and corrupt the stack," Cisco Talos said. "Depending on the security precautions enabled on the host in question, further exploitation could be possible."
Another set of security holes concern the Riello NetMan 204 network communications card used in its Uninterruptible Power Supply (UPS) systems that could enable malicious actors to take over control of the UPS and even tamper with the collected log data.
- CVE-2024-8877 - SQL injection in three API endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi that allows for arbitrary data modification
- CVE-2024-8878 - Unauthenticated password reset via the endpoint /recoverpassword.html that could be abused to obtain the netmanid from the device, from which the recovery code for resetting the password can be calculated
"Inputting the recovery code in '/recoverpassword.html' resets the login credentials to admin:admin," CyberDanube's Thomas Weber said, noting that this could grant the attacker the ability to hijack the device and turn it off.
Both vulnerabilities remain unpatched, necessitating that users limit access to the devices in critical environments until a fix is made available.
Also of note are several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could lead to the exposure of sensitive user data and provide attackers with full remote control of any camera connected to the smart home cloud service.
"A built-in P2P command, which intentionally provides arbitrary write access to a key configuration file, can be leveraged to either permanently disable cameras or facilitate remote code execution through triggering a buffer overflow," Elastic Security Labs said, stating its efforts to reach the Chinese company have been unsuccessful to date.
CISA Warns of Continued Attacks Against OT Networks
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged increased threats to internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector.
"Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm," CISA said.
Earlier this February, the U.S. government sanctioned six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.
These attacks involved targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) that are publicly exposed to the internet through the use of default passwords.
Industrial cybersecurity company Claroty has since open-sourced two tools called PCOM2TCP and PCOMClient that allow users to extract forensics information from Unitronics-integrated HMIs/PLCs.
"PCOM2TCP, enables users to convert serial PCOM messages into TCP PCOM messages and vice versa," it said. "The second tool, called PCOMClient, enables users to connect to their Unitronics Vision/Samba series PLC, query it, and extract forensic information from the PLC."
Furthermore, Claroty has warned that the excessive deployment of remote access solutions within OT environments – anywhere between four and 16 – creates new security and operational risks for organizations.
"55% of organizations deployed four or more remote access tools that connect OT to the outside world, a worrisome percentage of companies that have expansive attack surfaces that are complex and expensive to manage," it noted.
"Engineers and asset managers should actively pursue to eliminate or minimize the use of low-security remote access tools in the OT environment, especially those with known vulnerabilities or those lacking essential security features such as MFA."