Nozomi announces top risks in browser-based HMIs, concludes CVE study with AiLux RTU62351B

Nozomi Networks Labs has outlined the top eleven risks of deploying browser-based HMIs in OT (operational technology) environments, emphasizing the challenges that a web-centric approach brings into controlled settings. The publication coincides with the completion of the Labs' CVE reservation process, which allows the vulnerabilities found in the AiLux RTU62351B, the final device in the study, to be disclosed. The accompanying white paper analyzes browser-based HMIs across five devices from high-profile vendors.

In the fourth quarter of last year, Nozomi presented the research, titled ‘Codename I11USION,’ at the No Hat security conference in Bergamo, Italy. Over the past few years, Nozomi Networks Labs has conducted extensive research on the security of browser-based HMIs, analyzing devices from high-profile vendors such as Siemens, SEL, Phoenix Contact, and Bosch Rexroth.

In its white paper, Nozomi Networks Labs examined five browser-based HMIs from different vendors to identify and detail eleven major security risks inherent to these systems. They include commonly known web security issues such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), as well as less obvious risks such as the mismanagement of file operations and the remote exploitation of privileges granted to physical operators. Each of these provides a potential attack vector through which a malicious actor could gain complete control over the HMI and, consequently, over the industrial process it controls.

The white paper also maps the spectrum of threats to HMIs onto the MITRE ATT&CK for ICS framework, which gives a structured way to identify and address the multifaceted risks posed by HMI vulnerabilities and to reason about what they mean for the integrity and resilience of an ICS (industrial control system).

The paper notes that an adversary's first step is gaining entry into the ICS environment. This is often achieved through the exploitation of remote services. In the context of HMIs, this could mean exploiting vulnerabilities in exposed services (even internet-facing ones) or leveraging insecure remote access tools. Once inside, attackers can move laterally to target critical infrastructure components.

Following initial access, adversaries seek to execute unauthorized commands or manipulate system functions. This can be achieved through a command-line interface or a graphical user interface. An illustrative example of GUI exploitation was the 2021 attack on the water treatment plant in Oldsmar, Florida, where the attacker gained access to the HMI via TeamViewer and attempted to manipulate the process directly through its GUI.

Attackers aim to gather information that will drive their objectives, such as details about the ICS environment and its operation. Techniques include monitoring process states to understand system behavior and performing screen captures to obtain visual information about the system operations and sensitive data displayed on the HMI. To prevent detection or mitigation of their activities, adversaries may attempt to inhibit the system’s response functions. This can be done by modifying alarm settings to suppress alerts or stopping critical services that are essential for identifying or responding to abnormal system states.

Nozomi outlined that the ultimate goal of many attacks is to cause physical or operational harm. “This can be achieved by manipulating control systems to cause equipment to operate in a hazardous manner or by manipulating the view presented to operators, misleading them about the true state of the system. All techniques that enable view/control manipulation pose significant risks to the integrity and safety of ICS environments,” the white paper added.

Nozomi noted that the selection of the devices reflects the diversity of applications and operational contexts in which browser-based HMIs are deployed. From building automation and electrical substations to general industrial applications, the analyzed HMIs illustrate the varied landscapes of modern automation and control systems. Its findings aim to shed light on the security postures of these devices, offering insights that are relevant across the spectrum of browser-based HMI implementations.

The Siemens PXM30.E represents a specialized segment of the HMI market, designed specifically for building automation. This device facilitates the monitoring and control of various building systems, such as HVAC, lighting and security systems, providing operators with a sophisticated interface to manage these complex systems efficiently. The PXM30.E exemplifies the integration of browser-based HMIs in the management of modern intelligent buildings. 

The white paper identified that the Schweitzer Engineering Laboratories (SEL) Real-Time Automation Controller (RTAC) suite encompasses a range of functionalities tailored for electrical substations, including a web-based HMI component. This suite is engineered to support the robust demands of substation automation, offering capabilities that span from data acquisition to control processes. The inclusion of a web-based HMI within this suite underscores the critical role of intuitive, accessible interfaces in the management of electrical infrastructure.

Nozomi detailed that similar to the SEL RTAC, the AiLux RTU is designed for the automation and control of substations. The device provides a crucial link between physical control systems and the operators who manage them, facilitating the efficient and reliable operation of electrical substations. The AiLux RTU exemplifies the specialized application of HMIs in critical infrastructure, where reliability and precision are paramount.

Phoenix Contact offers general-purpose browser-based HMIs that cater to a broad range of industrial applications. These devices are characterized by their versatility, supporting a wide array of use cases from manufacturing processes to energy management. Phoenix Contact HMIs demonstrate the adaptability of browser-based interfaces in meeting the diverse needs of the industrial sector.

The Bosch Rexroth HMI stands out for its Android-based operating system, distinguishing it within the general-purpose HMI category. This Android foundation enables a high degree of customization and flexibility, allowing the device to support various industrial applications. The use of a popular mobile OS like Android highlights the evolving nature of HMI technology and its convergence with mainstream computing platforms.

“By far, the most prevalent vulnerability class discovered across the landscape of browser-based HMIs is ‘Improper Allowlist on Starting Pages and/or Browsable URLs,’” according to the Nozomi white paper. “This vulnerability stems from an oversight in the security configurations of browser-based HMIs, where the browser is configured to restrict user interactions with the address bar, ostensibly to limit direct access to unauthorized web content. However, this restriction does not extend to preventing interactions with alternative URLs or Uniform Resource Identifier (URI) schemes that a user could be redirected to through various means such as JavaScript, HTML tags, or HTTP redirects. An instance of this vulnerability is CVE-2022-40181, found on the Siemens PXM30.E,” it added. 

The issue arises because browsers are not limited to navigating to HTTP or HTTPS URLs. When a browser loads a ‘file’ URL, for instance, it essentially functions as a file browser, and this can be exploited to read arbitrary files from the device's local filesystem, within the permissions of the browser process. The same applies to other schemes (such as ‘javascript’) and to navigations that the operator never typed, since a page can trigger them through JavaScript, HTML tags, or HTTP redirects while the address bar stays locked.

In summary, Nozomi said “This vulnerability highlights a significant oversight in the security configuration of browser-based HMIs. The ability to access and manipulate alternative URLs and URI schemes without proper restrictions exposes these systems to a range of security threats, including kiosk evasion, unauthorized data access, XSS and DoS attacks. Addressing this vulnerability requires a comprehensive approach to security configuration and the implementation of strict allowlists and validation mechanisms to ensure that only authorized content and interactions are permitted within the HMI environment.”
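To make the allowlist point concrete, here is an added example written for this article; it is not code from the Nozomi white paper or from any of the vendors discussed. It models a navigation policy for a kiosk-style HMI browser shell in Node.js. The host name hmi.local, the path prefix /hmi/ and the sample navigations are assumptions constructed for the demonstration. The weak policy reflects the configuration the paper describes: only the locked address bar is guarded, with a string prefix test, while navigations triggered by links, redirects or scripts are never checked. The strict policy parses every navigation, whatever initiated it, and compares scheme, host, userinfo and the normalized path against an explicit allowlist.

```javascript
// Added example, not code from the Nozomi white paper or any HMI vendor.
// hmi.local, /hmi/ and the sample navigations below are constructed for the demo.
// Node's global WHATWG URL class is used for parsing.

// Each navigation the shell is about to perform, whatever triggered it.
// initiator: "address-bar" (operator typed it), "link", "redirect" or "script".
const ALLOWED_ORIGIN_PREFIX = "https://hmi.local/hmi/";

// Weak policy, as described in the white paper: only the locked address bar is
// guarded, and only with a string prefix test. Everything else is waved through.
function weakPolicy(nav) {
  if (nav.initiator !== "address-bar") return true;   // never inspected
  return nav.url.startsWith(ALLOWED_ORIGIN_PREFIX);   // prefix match only
}

// Strict policy: an explicit allowlist of scheme + host + path prefix, applied to
// every navigation. The WHATWG parser lowercases the host, drops the default port
// and resolves "../" segments before the comparison is made.
const ALLOWLIST = [
  { protocol: "https:", host: "hmi.local", pathPrefix: "/hmi/" },
];

function strictPolicy(nav) {
  let u;
  try {
    u = new URL(nav.url);
  } catch {
    return false;                                     // unparseable: deny
  }
  return ALLOWLIST.some((a) =>
    u.protocol === a.protocol &&                      // rejects file:, javascript:, data:
    u.host === a.host &&                              // rejects look-alike hosts
    u.username === "" && u.password === "" &&         // rejects https://hmi.local@evil/
    u.pathname.startsWith(a.pathPrefix));             // compared after ../ resolution
}

// Constructed sample navigations covering the bypasses the paper lists.
const SAMPLE_NAVIGATIONS = [
  { url: "https://hmi.local/hmi/overview",          initiator: "address-bar" },
  { url: "file:///etc/passwd",                      initiator: "address-bar" },
  { url: "file:///etc/passwd",                      initiator: "redirect" },
  { url: "javascript:alert(document.cookie)",       initiator: "link" },
  { url: "https://hmi.local.attacker.example/hmi/", initiator: "redirect" },
  { url: "https://hmi.local@attacker.example/hmi/", initiator: "script" },
  { url: "https://hmi.local/hmi/../admin/",         initiator: "script" },
  { url: "https://hmi.local/hmi/trends?day=1",      initiator: "link" },
];

// Runs both policies over a list of navigations; returns one row per navigation.
function evaluate(navs) {
  return navs.map((n) => ({
    url: n.url,
    initiator: n.initiator,
    weak: weakPolicy(n),
    strict: strictPolicy(n),
  }));
}

for (const row of evaluate(SAMPLE_NAVIGATIONS)) {
  const w = row.weak ? "weak:ALLOW" : "weak:DENY ";
  const s = row.strict ? "strict:ALLOW" : "strict:DENY ";
  console.log(`${w} ${s} ${row.initiator.padEnd(11)} ${row.url}`);
}
```

Run it with node: the weak policy admits seven of the eight navigations, including a file:// load that arrives via redirect, and the strict policy admits only the two genuine HMI pages. In a managed Chromium kiosk the equivalent controls are the URLAllowlist and URLBlocklist policies, where blocklist entries such as file://* and javascript://* deny those schemes regardless of how the navigation was triggered.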

Another notable finding concerns ‘Improperly Configured File Download Functionality.’ This vulnerability arises from a configuration oversight in which the browser is allowed to download files of any type from a web service and also accepts a user-chosen download path.

On its own, the ability to download arbitrary files rarely has serious consequences, because modern browsers save downloads by default to a harmless location. Combined with a user-controllable destination path, however, a download becomes an arbitrary file write on the device, which can be used to escape kiosk mode and ultimately to execute arbitrary code.

The white paper also describes ‘Missing Verification of the TLS Certificate’ as a pervasive flaw across browser-based HMIs, one it attributes mainly to the logistical and operational difficulty of maintaining an internal Certificate Authority (CA) for TLS connections in asset owners’ networks. “This vulnerability is most commonly found in the browser embedded in the HMI, not performing the necessary verifications of the TLS certificate. However, as a case study, we examine a distinctive instance where the missing verification of the TLS certificate facilitated a code execution attack through a peculiar method, namely CVE-2023-31151 when chained with CVE-2023-31148 found on the SEL-3350,” it added.

In that case study, the browser-based HMI management service included a web proxy feature. It was designed to fetch remote web pages on request and render them under the management service’s own domain, so that operators could communicate with devices not directly within their reach. Because the fetched content is rendered under the management service’s origin, whatever is returned over that connection runs with that origin’s privileges.

In its conclusion, Nozomi stressed that the practical implications of these vulnerabilities are far-reaching. Through detailed case studies and exploitation scenarios, the researchers demonstrated that an attacker can completely compromise a browser-based HMI as the result of an operator merely clicking one link or visiting a web page.

Having achieved this position, an attacker may then not only tamper with industrial processes but also manipulate the HMI’s display to conceal their actions from operators. This dual capability to affect both the control and the monitoring aspects of HMIs can have devastating consequences, allowing malicious actors to cause physical damage, disrupt operations, and undermine the safety protocols integral to industrial systems.

It added that as browser-based HMIs continue to gain traction in the OT/IoT world, it is imperative that the unique set of risks associated with this technology is acknowledged and addressed. Ensuring the security of these interfaces is not just about protecting data but safeguarding critical infrastructure and the physical processes it controls. The future of industrial automation and control lies in the balance of leveraging technological advancements while mitigating the security risks they bring. 

In a blog post, Nozomi researchers announced the completion of their CVE reservation process. This milestone allows them to publish the vulnerabilities identified in the AiLux RTU62351B, the last device in the series. “Having concluded this final step, we are thrilled to also release to the public the white paper associated with our research, comprehensively describing all results and insights learned from our investigation,” the post added.

AiLux is an emerging brand in Italy for substation automation systems, producing devices that are employed in plants of major energy players such as Enel or Eni. AiLux produces the RTU62351B, a Remote Terminal Unit (RTU) with embedded HMI that is designed for the automation and control of electrical substations. The device runs a customized, Linux-based operating system that exposes a web-based HMI. Physical operators can monitor and interact with it through the touch panel and a Chromium-based browser. Remote control and monitoring through the Ethernet network are also available.

While analyzing the device, Nozomi Networks Labs discovered twelve vulnerabilities, including CVE-2023-5456, CVE-2023-5457, CVE-2023-45591, CVE-2023-45592, CVE-2023-45593, CVE-2023-45594, CVE-2023-45595, CVE-2023-45596, CVE-2023-45597, CVE-2023-45598, CVE-2023-45599, and CVE-2023-45600. 

Nozomi added that the impacts posed by these vulnerabilities are diverse, with one particularly notable chain: by exploiting weaknesses in the browser configuration, an unauthenticated physical attacker could have accessed sensitive resources on the device, altered its configuration, and even achieved execution of arbitrary commands as root. 

All CVEs have been remediated in the AiLux imx6 bundle version imx6_1.0.7-2, and Nozomi strongly recommends ‘that asset owners apply the update to avoid misuse of the device by malicious threat actors.’
