Nozomi researchers find Bently Nevada 3500 rack model vulnerabilities allowing authentication bypass by hackers

Researchers from Nozomi Networks Labs have identified the presence of three flaws in Bently Nevada 3500 rack model that allow attackers to bypass authentication. One of these vulnerabilities may allow an attacker to bypass the authentication process and obtain complete access to the device by crafting and sending a malicious request. As the development of a patch is not planned due to legacy limitations, technical details have voluntarily been omitted. 

“At the end of 2022, Nozomi Networks Labs began a research project on Bently Nevada Machinery Protection Systems manufactured by Baker Hughes, a company that develops and deploys technology solutions for energy and industrial companies,” the researchers wrote in a Tuesday blog post. “These protection systems are typically installed in environments such as refineries, petrochemical plants, hydroelectric facilities, and wind farms to detect and prevent anomalies in rotating machinery like turbines, compressors, motors, and generators.”

They added that by raising awareness about these vulnerabilities, “we aim to empower industrial organizations to proactively take steps to fortify their critical infrastructure against potential threats.”

The researchers decided to investigate the security posture of Bently Nevada 3500 systems, which are typically used to continuously monitor critical parameters such as vibration, temperature, and speed in order to anticipate and prevent mechanical failures in industrial machinery. “The system is composed of a chassis that supports the installation of several expansion modules, and the Ethernet-based communication is handled through the Transient Data Interface (TDI /22), which was also the main focus of our research. Information is exchanged using a clear-text proprietary protocol spoken by the device and the 3500 System Configuration utility,” they added.

Nozomi added that the rack was configured with password protection both at the access level (Connect Password) and at the configuration level (Configuration Password), to simulate a realistic scenario in which both protections are enabled. “The proprietary protocol was then analyzed and reverse engineered to identify possible weaknesses both at the design-level as well as at the implementation-level.”

This analysis led the Nozomi Networks Labs team to uncover three vulnerabilities, which were reported to the vendor and subsequently disclosed. The flaws were identified in the Bently Nevada 3500 rack model and have been made public under the designations CVE-2023-34437, CVE-2023-34441, and CVE-2023-36857.

CVE-2023-34437, rated high risk with a CVSS v3.1 base score of 7.5, enables exposure of sensitive information to an unauthorized actor, Nozomi disclosed. “To successfully exploit CVE-2023-34437 (Exposure of Sensitive Information to an Unauthorized Actor), an attacker only requires network access to reach the target device version with this vulnerability present to be able to exfiltrate both the ‘Connect’ and the ‘Configuration’ password by sending a malicious request.”

If no additional hardening measures are in place for the device, the extracted passwords can be used to fully compromise it. “This could impact the confidentiality, integrity, and availability of processes and operations since extracted information can be leveraged to craft authenticated requests toward the target.”

The blog added that the other two vulnerabilities are of medium risk: CVE-2023-34441 (cleartext transmission of sensitive information) has a CVSS v3.1 base score of 6.8, while CVE-2023-36857 (authentication bypass by capture-replay) has a CVSS v3.1 base score of 5.4.

Both of these flaws require that an attacker gain access to one or more requests captured from a data transmission, Nozomi noted. “Such scenario might occur either as a consequence of a Man-in-the-Middle (MitM) attack or by gaining access to verbose traces recorded by traffic inspection solutions.”

In terms of impact, CVE-2023-34441 was evaluated as more severe than CVE-2023-36857 because all authenticated requests contain the same secret key to authenticate access, even if they belong to different sessions, according to Nozomi. “This means that keys extracted from one packet can then be used to craft additional arbitrary authenticated requests toward the target for an indefinite amount of time since it is not temporarily associated to a specific session.”
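To make that distinction concrete, the following Python example, added here and not part of Nozomi's research or of the Bently Nevada protocol, contrasts a toy authentication scheme in which every request carries the same static secret with one in which each request is bound to a per-session nonce and a monotonic counter. The wire format, the secret value and the command names are constructed for illustration only and say nothing about the real TDI protocol; the point is that a single captured packet is enough to forge arbitrary requests against the first scheme, while replaying or reusing the capture fails against the second.

```python
import hmac
import hashlib
import os
import secrets

# Constructed shared secret standing in for a device password; not a real value.
SHARED_SECRET = b"constructed-configuration-secret"


# --- Scheme A: a static secret embedded in every request (reusable forever) ---

def build_static_request(command: bytes) -> bytes:
    """Toy wire format: the same secret is appended to every request."""
    return b"CMD:" + command + b"|KEY:" + SHARED_SECRET


def verify_static_request(packet: bytes) -> bool:
    """Server-side check: accept if the embedded key matches the secret."""
    _, _, key = packet.rpartition(b"|KEY:")
    return hmac.compare_digest(key, SHARED_SECRET)


def forge_from_capture(captured: bytes, new_command: bytes) -> bytes:
    """Attacker: lift the key from one captured packet and reuse it for any command."""
    _, _, key = captured.rpartition(b"|KEY:")
    return b"CMD:" + new_command + b"|KEY:" + key


# --- Scheme B: session-bound MAC over a fresh nonce and a monotonic counter ---

def request_mac(secret: bytes, nonce: bytes, counter: int, command: bytes) -> bytes:
    """HMAC over (session nonce || counter || command): valid once, in one session."""
    msg = nonce + counter.to_bytes(4, "big") + command
    return hmac.new(secret, msg, hashlib.sha256).digest()


class SessionServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}  # session_id -> {"nonce": bytes, "last_counter": int}

    def open_session(self):
        session_id = secrets.token_hex(8)
        nonce = os.urandom(16)  # fresh per session, so tags never carry over
        self.sessions[session_id] = {"nonce": nonce, "last_counter": 0}
        return session_id, nonce

    def close_session(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)

    def verify(self, session_id: str, counter: int, command: bytes, tag: bytes) -> bool:
        state = self.sessions.get(session_id)
        if state is None:
            return False  # unknown or closed session
        if counter <= state["last_counter"]:
            return False  # replay within the session: counter did not advance
        expected = request_mac(self.secret, state["nonce"], counter, command)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong nonce (other session), tampered command, or wrong secret
        state["last_counter"] = counter
        return True


def demo():
    """Returns (static forgery accepted, legit accepted, same-session replay,
    cross-session replay, tampered command) as booleans."""
    # Scheme A: one captured packet is enough to forge any authenticated request.
    captured = build_static_request(b"READ_CONFIG")
    forged = forge_from_capture(captured, b"WRITE_CONFIG")
    static_forgery_accepted = verify_static_request(forged)

    # Scheme B: the same capture-and-reuse strategy fails in every variant.
    server = SessionServer(SHARED_SECRET)
    session_id, nonce = server.open_session()
    counter, command = 1, b"READ_CONFIG"
    tag = request_mac(SHARED_SECRET, nonce, counter, command)
    legit_accepted = server.verify(session_id, counter, command, tag)
    same_session_replay = server.verify(session_id, counter, command, tag)
    tampered = server.verify(session_id, 2, b"WRITE_CONFIG", tag)
    server.close_session(session_id)
    new_session_id, _ = server.open_session()
    cross_session_replay = server.verify(new_session_id, counter, command, tag)
    return (static_forgery_accepted, legit_accepted, same_session_replay,
            cross_session_replay, tampered)


if __name__ == "__main__":
    print(demo())
```

The cross-session case is the one Nozomi singles out: under Scheme A the captured key is valid for as long as the password is unchanged, whereas under Scheme B a tag computed in one session is rejected in the next because the nonce differs, and within a session it is rejected on the second use because the counter must strictly increase.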

All these vulnerabilities were confirmed to affect firmware versions 5.05 and later of the /22 TDI Module (both USB and Serial versions).

Bently Nevada responded to vulnerabilities reported by Nozomi Networks through a responsible disclosure process by providing guidelines to customers for system hardening. These guidelines include recommendations such as ensuring devices are in RUN Mode, implementing network segmentation, using strong and unique passwords, and enabling non-default enhanced security features, especially for legacy systems. These measures aim to reduce the impact of vulnerabilities and enhance system security.
