Flaws in leading industrial remote access systems allow disruption of operations

Pierluigi Paganini October 01, 2020

Experts found critical security flaws in two popular industrial remote access systems that could be exploited by threat actors for malicious purposes.

Security researchers from Israeli firm OTORIO found critical vulnerabilities in leading industrial remote access systems that could be exploited by attackers to ban access to industrial production floors, hack into company networks, tamper with data, and even steal sensitive business secrets.

Remote access has become crucial in modern industry, especially given the increased demand for industrial remote access systems during the ongoing COVID-19 pandemic.

The issues affect the popular industrial remote access systems B&R Automation’s SiteManager and GateManager broadly used in multiple sectors, including in automotive, energy, oil & gas, and metal.

The experts found six vulnerabilities in B&R Automation’s SiteManager and GateManager (CVE-2020-11641, CVE-2020-11642, CVE-2020-11643, CVE-2020-11644, CVE-2020-11645 and CVE-2020-11646) that could potentially disrupt operations.

“Exploiting the 6 new vulnerabilities, an attacker who has gained authorized access to the solution could view sensitive information about other users, their assets and their processes (even when they belong to an external organization).” reads the advisory published by the company. “Additionally, hackers can fool users to malicious foreign sites through fictive system messages and alerts, and trigger a repeated restart of both the GateManager and the SiteManager, leading eventually to a loss of availability, and halt production.”

“Leveraging all three vulnerabilities would have enabled attackers to devise a worst-case scenario to an operations floor which relied on remote access employees.”

The US CISA agency also published a security advisory warning of the risks associated with successful exploitation of the flaws in the B&R Automation systems. The agency confirmed that an authenticated attacker with access to the solution via a general license could exploit the flaws to trigger a DoS condition or to achieve arbitrary information disclosure and data manipulation.

The vulnerabilities affect all versions of SiteManager prior to v9.2.620236042, GateManager 4260 and 9250 prior to v9.0.20262, and GateManager 8250 prior to v9.2.620236042.

Experts also found security vulnerabilities in mymbCONNECT24 and mbCONNECT24 that could be exploited by authenticated attackers to access arbitrary information via SQL injection and to steal session details through cross-site request forgery (CSRF).

The vulnerabilities, tracked as CVE-2020-24569, CVE-2020-24568 and CVE-2020-24570, affect mymbCONNECT24 and mbCONNECT24 versions v2.6.1 and prior.

The most severe issue is an improper neutralization of special elements used in a command (‘command injection’) vulnerability, which received a CVSS score of 9.8.

CISA also published a security advisory for these vulnerabilities, in which the US agency provided the following recommendations to users:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Pierluigi Paganini

(SecurityAffairs – hacking, industrial remote access systems)
