Critical Vulnerabilities Uncovered in Automatic Tank Gauges
By David Silva on October 4, 2024
Executive Summary
Bitsight TRACE, a security and research intelligence team, recently uncovered critical vulnerabilities in several automatic tank gauging systems (ATGs), spanning multiple devices from different vendors. Not only do these vulnerabilities allow attackers to pivot within a network, but they also pose a major safety concern, as ATGs are responsible for ensuring systems are running safely and within acceptable parameters. ATGs are used in a variety of industries, including healthcare, water treatment, manufacturing, and energy management. Because these industries are critical, an attacker who can disrupt, damage, or further infiltrate these networks could cause irreparable damage to infrastructure and harm to the public if the vulnerabilities go unaddressed.
Background
The ATG models featuring these vulnerabilities include the Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and the Franklin TS-550. Some of the vulnerability types found across these six ATG models include OS command injection, hardcoded credentials, authentication bypass, SQL injection, cross-site scripting (XSS), privilege escalation, and arbitrary file read. All the vulnerabilities relating to the models listed above have been assigned a Common Vulnerability Scoring System (CVSS) score of 7.5 or above, and half of them have a CVSS score of 9.8, which underscores the importance of fixing them.
Vulnerability
The most severe of the vulnerabilities discovered were the OS command injection vulnerabilities on the Maglink LX. OS command injection can allow an attacker to execute malicious commands to install malware, steal data, or reduce the efficiency of the device. The Maglink LX4 has hardcoded credentials: an administrative-level user account has a password that cannot be changed. The Maglink LX4 also has a privilege escalation issue that allows a valid user to change their privileges to administrator. Authentication bypass vulnerabilities were identified in the OPW SiteSentinel, Maglink LX, and Proteus OEL8000 models, granting users administrative privileges without proper authentication. A SQL injection vulnerability was discovered on the Alisonic Sibylla ATG, allowing full access to the database, where data could be destroyed, stolen, or altered. The XSS vulnerability found on the Maglink LX is due to improper input sanitization when rendering pages, which allows malicious code to be executed when the affected website is visited. Lastly, the Franklin TS-550 has an arbitrary file read vulnerability that allows attackers to obtain administrator credentials.
Significance
Vulnerabilities as critical as these are a huge threat not only to our communities but possibly to our country, as ATGs just like these are used across the United States and Europe. As the number of internet-facing industrial control systems climbs, so does the danger. Attackers can connect to ATGs with these vulnerabilities and potentially cause catastrophic failure, which could in turn cause major disruptions in critical infrastructure and even loss of life. Considering that vulnerabilities like these have been spotted in ATGs since 2015, this should be a wake-up call. It is no longer enough to include security as an afterthought. Security must be implemented from the inception of these products. Vendors must remain vigilant throughout the lifecycle of their products, pushing security patches even once the product is out the door. Users and companies deploying ATGs like these must also implement cybersecurity best practices and minimize their exposure and internet-facing systems as much as possible.
References
Cybersecurity and Infrastructure Security Agency. (2024). Dover Fueling Solutions ProGauge MAGLINK LX Console. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-04
Cybersecurity and Infrastructure Security Agency. (2024). Alisonic Sibylla. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-02
Cybersecurity and Infrastructure Security Agency. (2024). Franklin Fueling Systems TS-550 EVO. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-03
Cybersecurity and Infrastructure Security Agency. (2024). OPW Fuel Management Systems SiteSentinel. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-01
Cybersecurity and Infrastructure Security Agency. (2024). OMNTEC Proteus Tank Monitoring. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-06
Umbelino, P. (2024). Critical Vulnerabilities Discovered in Automated Tank Gauge Systems. Bitsight. https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated-tank-gauge-systems