Claroty discovers vulnerabilities in Ovarro TBox RTUs
Researchers from Claroty have discovered widespread vulnerabilities within Ovarro's TBox remote terminal units (RTUs), commonly found in industrial facilities in the oil, power, and gas sectors.
The five vulnerabilities could enable attackers to break into the systems and run code, crash systems, and meddle with configuration files, amongst other malicious actions.
"The risks associated with these flaws threaten not only affect the integrity of automation processes, but also, in some cases public safety," Claroty researchers state.
Researchers analysed the TBox on the LT2-530, version 1.44 build 485, and TWinSoft engineering software version 12.2.1, build 1545.
Researchers used open source intelligence including Shodan to work out how many of the TBox RTU devices were available through the internet. They found that only a third (37%) had authentication settings that protected devices from access. That means 63% of devices were completely open, enabling any visitor to control the RTU or read data in the custom HMI panel configuration.
"In its research, the Claroty Research Team was able to bypass and exploit vulnerabilities in each of these communication channels, eventually executing code remotely on the RTU regardless of any security mechanisms enabled," the company states.
Affected products include:
- TBoxLT2 (all models)
- TBox MS-CPU32
- TBox MS-CPU32-S2
- TBox MS-RM2 (all models)
- TBox TG2 (all models)
- All versions prior to TWinSoft 12.4 and prior to TBox Firmware 1.46
Ovarro has patched all vulnerabilities in TBox firmware version 1.46 and TWinSOft version 12.4. All users should update their systems to the latest versions immediately.
The details of each vulnerability and CVE are below.
CVE-2021-22646 | CWE-94 Improper Control of Generation of Code (Code Injection)
CVSS v3 Score: 8.8
This vulnerability and CVE-2021-22648 were the most severe among the vulnerabilities uncovered by Claroty researchers. With CVE-2021-22646, an attacker can exploit an ipk package update generated in TwinSoft engineering software to run malicious code in TBox.
CVE-2021-22648 | CWE-732 Incorrect Permission Assignment for Critical Resource
CVSS v3 Score: 8.8
This vulnerability was found in the TBox proprietary Modbus file access functions that allow an attacker to read, alter, or delete a configuration file.
CVE-2021-22642 | Uncontrolled Resource Consumption CWE-400
CVSS v3 Score: 7.5
A specially crafted Modbus frame can be used to crash a TBox system.
CVE-2021-22640 | Insufficiently Protected Credentials CWE-522
CVSS v3 Score: 7.5
An attacker can decrypt the login password by communication capture and brute force attacks.
CVE-2021-22644 | Use of Hard-Coded Cryptographic Key CWE-321
CVSS v3 Score: 7.5
TWinSoft uses a custom hardcoded user and cryptographic hardcoded key.