Claroty discovers vulnerabilities in Ovarro TBox RTUs
Quote: Researchers from Claroty have discovered widespread vulnerabilities within Ovarro’s TBox remote terminal units (RTUs), commonly found in industrial facilities in the oil, power, and gas sectors.

The five vulnerabilities could enable attackers to break into the systems and run code, crash systems, and meddle with configuration files, amongst other malicious actions.

“The risks associated with these flaws threaten not only the integrity of automation processes, but also, in some cases, public safety,” Claroty researchers state.

Researchers analysed the TBox on the LT2-530, version 1.44 build 485, and TWinSoft engineering software version 12.2.1, build 1545.

Researchers used open source intelligence including Shodan to work out how many of the TBox RTU devices were available through the internet. They found that only a third (37%) had authentication settings that protected devices from access. That means 63% of devices were completely open, enabling any visitor to control the RTU or read data in the custom HMI panel configuration.

“In its research, the Claroty Research Team was able to bypass and exploit vulnerabilities in each of these communication channels, eventually executing code remotely on the RTU regardless of any security mechanisms enabled,” the company states.

Affected products include:

TBoxLT2 (all models)
TBox MS-CPU32
TBox MS-CPU32-S2
TBox MS-RM2 (all models)
TBox TG2 (all models)
All versions prior to TWinSoft 12.4 and prior to TBox Firmware 1.46

Ovarro has patched all vulnerabilities in TBox firmware version 1.46 and TWinSoft version 12.4. All users should update their systems to the latest versions immediately.

The details of each vulnerability and CVE are below.

CVE-2021-22646 | CWE-94 Improper Control of Generation of Code (Code Injection)

CVSS v3 Score: 8.8

This vulnerability and CVE-2021-22648 were the most severe among the vulnerabilities uncovered by Claroty researchers. With CVE-2021-22646, an attacker can exploit an ipk package update generated in TWinSoft engineering software to run malicious code in TBox.

CVE-2021-22648 | CWE-732 Incorrect Permission Assignment for Critical Resource

CVSS v3 Score: 8.8

This vulnerability was found in the TBox proprietary Modbus file access functions that allow an attacker to read, alter, or delete a configuration file.

CVE-2021-22642 | CWE-400 Uncontrolled Resource Consumption

CVSS v3 Score: 7.5

A specially crafted Modbus frame can be used to crash a TBox system.

CVE-2021-22640 | CWE-522 Insufficiently Protected Credentials

CVSS v3 Score: 7.5

An attacker can decrypt the login password by communication capture and brute force attacks.

CVE-2021-22644 | CWE-321 Use of Hard-Coded Cryptographic Key

CVSS v3 Score: 7.5

TWinSoft uses a custom hardcoded user and cryptographic hardcoded key.

