CISA reveals ICS vulnerabilities in Dover Fueling, Phoenix Contact, Socomec hardware affecting critical infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) rolled out on Thursday four ICS (industrial control systems) advisories, with timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The notices cover the presence of hardware vulnerabilities in equipment from Dover Fueling, Phoenix Contact, and Socomec, deployed across the critical infrastructure sector. The agency updated an advisory addressing Delta Electronics’ CNCSoft-B DOPSoft equipment.

These ICS advisories follow two others released by CISA on Tuesday covering identification of vulnerabilities in equipment from Fujitsu, and a medical advisory addressing security issues in Softneta MedDream hardware. Users and administrators have been urged by the agency to review the newly released ICS advisories for technical details and mitigations. 

In a CISA advisory, the agency revealed vulnerabilities in Dover Fueling’s MAGLINK LX – Web Console Configuration equipment that are exploitable remotely with low attack complexity. These security loopholes include ‘authentication bypass using an alternate path or channel,’ ‘improper access control,’ and ‘path traversal.’ 

The agency outlined that ‘Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the system.’ Soufian El Yadmani of Darktrace/CSIRT.global reported these vulnerabilities to CISA.

“The affected product is vulnerable to authentication bypass that could allow an unauthorized attacker to obtain user access by leveraging the MAGLINK LX Web Console. CVE-2023-41256 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated,” the advisory disclosed. “The affected product could allow a guest user to elevate to admin privileges by leveraging the MAGLINK LX Web Console. CVE-2023-36497 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated.” 

The advisory added that the affected product is vulnerable to a path traversal attack, which could allow an attacker to access files stored on the system. “CVE-2023-38256 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated.” 

In 2023, Dover Fueling Solutions announced the end-of-life of MAGLINK LX 3 and released MAGLINK LX 4. Updating MAGLINK LX 3 to version 3.4.2.2.6, or moving to MAGLINK LX 4, helps fix these vulnerabilities, the advisory added.

CISA said in another advisory that vulnerabilities in Phoenix Contact TC ROUTER and TC CLOUD CLIENT equipment are exploitable remotely with low attack complexity, and that public exploits are available. It added that ‘cross-site scripting’ and ‘XML entity expansion’ vulnerabilities have been detected. “Successful exploitation of these vulnerabilities could execute code in the context of the user’s browser or cause a denial of service.”

The Germany-headquartered company reports that the following products, used globally across the critical manufacturing sector, are affected: TC ROUTER 3002T-4G, TC ROUTER 3002T-4G ATT and TC ROUTER 3002T-4G VZW (versions prior to 2.07.2); TC CLOUD CLIENT 1002-4G, TC CLOUD CLIENT 1002-4G ATT and TC CLOUD CLIENT 1002-4G VZW (versions prior to 2.07.2); and CLOUD CLIENT 1101T-TX/TX (versions prior to 2.06.10). 

“In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10 an unauthenticated remote attacker could use a reflective XSS within the license viewer page of the devices in order to execute code in the context of the user’s browser,” according to the Phoenix Contact advisory. “CVE-2023-3526 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated.”

It added that “In PHOENIX CONTACT TC ROUTER and TC CLOUD CLIENT prior to version 2.07.2 as well as CLOUD CLIENT 1101T-TX/TX prior to version 2.06.10 an authenticated remote attacker with admin privileges could upload a crafted XML file which causes a denial of service. CVE-2023-3569 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated.”
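The ‘XML entity expansion’ weakness behind CVE-2023-3569 is a class worth checking for in any device or service that accepts uploaded XML. The following Python is an added example, not code from Phoenix Contact or the advisory: it contrasts a parser that refuses DTD entity declarations outright with the naive behaviour that expands them, on a constructed two-level entity document, using only the standard library’s expat bindings.

```python
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when an uploaded document declares DTD entities."""


def parse_xml(data: bytes, allow_entities: bool = False) -> dict:
    """Parse XML and return element/character counts.
    Hardened (allow_entities=False): any <!ENTITY ...> declaration aborts
    parsing before a single reference is expanded. Naive (True): nested
    entities are expanded, so the text grows multiplicatively per level
    while the upload itself stays small.
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "chars": 0}

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise EntityDeclarationError(f"entity declaration {name!r} rejected")

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_chars(text):
        stats["chars"] += len(text)  # expanded text arrives here, in chunks

    if not allow_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return stats


def is_safe_upload(data: bytes) -> bool:
    """Gate an upload: True only if it parses without entity declarations."""
    try:
        parse_xml(data)
    except (EntityDeclarationError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample uploads (not taken from the advisory).
BENIGN_XML = b"<config><name>router-1</name></config>"
# Two entity levels with four references each: 4 characters become 64.
NESTED_ENTITY_XML = (
    b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "xxxx">'
    b'<!ENTITY b "&a;&a;&a;&a;">]><r>&b;&b;&b;&b;</r>'
)
```

Rejecting entity declarations at the upload boundary stops the expansion before any memory is committed, which is the property a device-side fix for this class needs.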

A. Resanovic and S. Stockinger at St. Pölten UAS discovered these vulnerabilities. T. Weber of CyberDanube Security Research coordinated the vulnerabilities with Phoenix Contact, CISA added.

Phoenix Contact has made fixed versions available for TC ROUTER 3002T-4G, TC ROUTER 3002T-4G ATT, TC ROUTER 3002T-4G VZW, TC CLOUD CLIENT 1002-4G, TC CLOUD CLIENT 1002-4G ATT, TC CLOUD CLIENT 1002-4G VZW, and CLOUD CLIENT 1101T-TX/TX, and encourages users to download the latest version. The company recommends operating network-capable devices in closed networks or protected with a suitable firewall. 

In another advisory, CISA disclosed the presence of several vulnerabilities in Socomec equipment, affecting MODULYS GP (MOD3GP-SY-120K): Web firmware v01.12.1. These vulnerabilities include cross-site scripting (XSS), cross-site request forgery (CSRF), insecure storage of sensitive information, reliance on cookies without validation and integrity checking, code injection, and plaintext storage of a password. 

“Successful exploitation of these vulnerabilities could allow an attacker to execute malicious JavaScript code, obtain sensitive information, or steal session cookies,” CISA identified. Aarón Flecha Menéndez reported these vulnerabilities to CISA.

It added that “Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access the vulnerable page of the web application, the XSS payload will be executed. CVE-2023-38582 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated.” 

“Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application,” CISA detailed. “CVE-2023-39446 has been assigned to this vulnerability. A CVSS v3 base score of 8.9 has been calculated.”

“Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process. CVE-2023-41965 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated,” the CISA advisory said. “Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device. CVE-2023-41084 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated.”

Socomec reports that MODULYS GP (MOD3GP-SY-120K) is an ‘end-of-life’ product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities.

Earlier this week, CISA revealed the presence of the ‘use of hard-coded credentials’ vulnerability in Fujitsu Limited’s Real-Time Video Transmission Gear IP series. “Successful exploitation of this vulnerability could result in an attacker logging into the web interface using the obtained credentials. The attacker could initialize or reboot the products, terminating the video transmission,” it added.

The advisory added that “the credentials of Fujitsu Limited Real-time Video Transmission Gear ‘IP series’ for factory testing may be obtained by reverse engineering and other methods. CVE-2023-38433 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned.”

Fujitsu Limited recommends updating the firmware to the latest version and placing the products on a secure network as a workaround.

CISA identified the presence of ‘exposed dangerous method or function’ and ‘plaintext storage of a password’ vulnerabilities in Softneta MedDream PACS v7.2.8.810 and prior equipment, deployed across global healthcare and public health sectors. “Successful exploitation of these vulnerabilities could allow an attacker to obtain and leak plaintext credentials or remotely execute arbitrary code,” it added. 

“The affected product does not perform an authentication check and performs some dangerous functionality, which could result in unauthenticated remote code execution. CVE-2023-40150 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated,” according to CISA. “The affected product stores usernames and passwords in plaintext. The plaintext storage could be abused by attackers to leak legitimate users’ credentials. CVE-2023-39227 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated.”

Noam Moshe of Claroty Research reported these vulnerabilities to CISA, the advisory disclosed. “Softneta recommends users update to v7.2.9.820 of MedDream PACS Server or patch their current system using Fix-v230712,” it added.

Last week, CISA published four ICS (industrial control systems) advisories with timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The notices cover hardware vulnerabilities in equipment from ARDEREG, GE Digital, PTC, and Digi International. Organizations have been advised to examine these ICS notices and execute necessary mitigation actions.