ICS Summary for Week of October 12, 2017

By Kimberly Matsumoto on October 13, 2017

JanTek TCP/IP Converter Vulnerabilities Found – No Patch Available


Security researcher Karn Ganeshan found two vulnerabilities in the JTC-200 TCP/IP converters.  The products, from Taiwan-based company JanTek, are primarily used in the Critical Manufacturing sector in Europe and Asia.  The vulnerabilities, if exploited, could allow an attacker to execute remote code on the device with administrative privileges.

The two vulnerabilities found were a cross-site request forgery (CSRF) and improper authentication.  The improper authentication vulnerability (CVE-2016-5791) was deemed critical with a CVSS score of 9.8.  It could allow an unauthenticated attacker to access the BusyBox Linux shell over the Telnet service, an access path that is undocumented.  The CSRF vulnerability (CVE-2016-5789) was given a CVSS score of 8.0, and ICS-CERT states that “An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.”  If these vulnerabilities are exploited, an unauthorized remote user could execute code on the device with high-level privileges.

JanTek has decided not to create a patch for the vulnerabilities affecting the device.  Instead, the company has stated that it is developing a newer model, the JTC-300, which is scheduled to be released in late 2017.  Because no manufacturer mitigations are available, ICS-CERT offered some recommendations to help minimize risk when using this product: minimize network exposure for all control system devices and do not allow internet access; keep control system networks separate from and isolated from the business network; and, if remote access is necessary, ensure that all remote access methods are fully updated.

Vulnerable Devices:

  • JanTek JTC-200 – All versions

Sources: ICSA-17-283-02 (ICS-CERT)


ProMinent MultiFLEX Controllers Found Vulnerable


ICS-CERT has released an advisory regarding five vulnerabilities found in US-based company ProMinent’s MultiFLEX M10a Controller.  Exploitation of these vulnerabilities could allow an attacker to bypass defense measures, “assume the identity of authenticated users”, and alter the configuration of the device.  These devices are used worldwide in water and wastewater systems.

Security researcher Maxim Rupp found and disclosed the vulnerabilities to ICS-CERT.  Two of these vulnerabilities were given a CVSS score of 8.8: a cross-site request forgery (CSRF) and an unverified password change.  The MultiFLEX M10a Controller’s web interface did not properly verify requests, making it susceptible to CSRF; exploitation would allow an unauthorized attacker to make changes to the configuration of the device.  The other high-scoring vulnerability was found when setting a new password for a user: the old password was not required for the change, so an authenticated attacker could change a user’s password to retain access in the future.

The remaining three vulnerabilities, all medium severity, were the use of client-side enforcement of server-side security, insufficient session expiration, and information exposure.  The application’s log-out function only removed the user’s session on the client side, which could allow an attacker to assume the identity of the authenticated user.  Sessions also remained valid for an extended period after the last activity, which could allow an attacker to reuse an old session to gain authorization.  The information exposure vulnerability occurred when the “Change Password” option was used: the user’s current password was displayed in plain text.
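As an added defensive illustration, not ProMinent’s code, the following constructed Python sketch shows the server-side checks whose absence the advisory describes for both high-scoring issues (CSRF token verification and an old-password requirement on password change) and the session issues (server-side logout and idle expiry). The account, token sizes and idle timeout are assumptions for the example.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 600  # assumed idle limit in seconds; the advisory only says sessions lasted too long

# Constructed in-memory stores for the example; a real device would hash passwords.
users = {"operator": "old-secret"}   # username -> password (sample account)
sessions = {}                        # session id -> {"user", "csrf", "last_seen"}

def login(user, password):
    """Issue a random server-side session plus a per-session CSRF token."""
    if user not in users or not hmac.compare_digest(users[user], password):
        return None
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "last_seen": time.time()}
    return sid

def current_user(sid, now=None):
    """Resolve a session on the server, dropping it once idle for too long."""
    now = time.time() if now is None else now
    s = sessions.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT:
        del sessions[sid]   # fixes "insufficient session expiration": an old id cannot be replayed
        return None
    s["last_seen"] = now
    return s["user"]

def logout(sid):
    """Invalidate on the server, not just by clearing the client's cookie."""
    sessions.pop(sid, None)

def change_password(sid, csrf_token, old_password, new_password, now=None):
    """Hardened change: live session, matching CSRF token and old password all required."""
    user = current_user(sid, now)
    if user is None:
        return "no session"
    if not hmac.compare_digest(sessions[sid]["csrf"], csrf_token):
        return "csrf"               # request was not built by a page of this session
    if not hmac.compare_digest(users[user], old_password):
        return "old password"       # blocks the unverified password change the advisory describes
    users[user] = new_password
    return "ok"
```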

ProMinent has not yet released any mitigations for these vulnerabilities.  Because no manufacturer patches are available, ICS-CERT offered some recommendations to help minimize risk when using this product: minimize network exposure for all control system devices and do not allow internet access; keep control system networks separate from and isolated from the business network; and, if remote access is necessary, ensure that all remote access methods are fully updated.

Vulnerable Devices:

  • MultiFLEX M10a Controller web interface – All versions

Sources: ICSA-17-285-01 (ICS-CERT)


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu