Researchers from industrial cybersecurity company Claroty have detected security vulnerabilities in Ovarro’s TBox RTUs (remote terminal units) and in its TWinSoft engineering software that left these devices exposed to the internet and unprotected from hackers.
The exploitation of the vulnerabilities such as code injection, incorrect permission assignment for critical resource, uncontrolled resource consumption, insufficiently protected credentials, and use of a hard-coded cryptographic key, could result in remote code execution, which may cause a denial-of-service condition, according to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA).
“We also found other vulnerabilities that an advanced attacker could use to bypass existing protections in order to access devices and either disrupt them or execute code,” wrote Uri Katz and Sharon Brizinov in a Claroty blog post. “The risks associated with these flaws threaten not only the integrity of automation processes but also, in some cases public safety. Using these security shortcomings, we were able to find web-based interfaces, similar to HMIs, that monitor process levels, and other industrial activity.”
RTUs are increasingly connected industrial assets that exchange telemetry with SCADA (supervisory control and data acquisition) systems or distributed control systems. The TBox RTUs are prevalent in critical infrastructure, specifically in the water, power, oil and gas, transportation, and process industries, enabling remote control and monitoring of applications and processes.
According to Ovarro, TBox delivers remote automation and monitoring of critical assets, by allowing users to control and monitor remote processes via a dedicated web interface similar to how an HMI controls a PLC, in one packed platform.
The researchers singled out TBox RTUs as important for closing off exposures that exploit web-based HMIs with access to control systems. The Claroty Research Team early last year took a comprehensive look at the security of TBox RTUs and found critical vulnerabilities that, if exploited, allow attackers to crash these devices or remotely execute code.
The TBox RTU uses a default proprietary Modbus protocol for communication, while SSH may be enabled for uploading files to the RTU and for firmware updates, Claroty said. The researchers were able to bypass and exploit vulnerabilities in each of these communication channels, eventually executing code remotely on the RTU regardless of any security mechanisms enabled.
Attacks against TBox RTUs require targeting Modbus and eventually using update packages for code execution. TBox’s custom Modbus protocol implements updates using ‘ipk’ packages, which are uploaded to a temporary file before an update command with the ‘ipk’ file name is sent to the RTU where it is extracted to a directory. Claroty was able to modify the update package file before it is sent to the RTU, writing any file to any location on the RTU including malicious executables that would launch when TBox restarts.
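The update flow described above fails for two reasons: the package can be altered in transit without the RTU noticing, and archive members are written wherever their paths point. The following Python is an added example, not Ovarro's or Claroty's code, showing the two checks a defender would put in front of any update: an integrity tag verified with a per-device key, and path containment so no member can land outside the update directory. It assumes a tar-based package with a detached HMAC-SHA256 tag and a hypothetical `DEVICE_UPDATE_KEY`; the real TBox 'ipk' layout is not described on the page and is not reproduced here.

```python
"""Added example (not Ovarro's or Claroty's code): verify and safely extract an
update package before any file touches the RTU filesystem.

Assumptions (constructed for illustration): the package is a tar archive with a
detached HMAC-SHA256 tag computed with a per-device key provisioned at
commissioning. The real TBox 'ipk' format and update flow are not on the page.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Hypothetical per-device update key. A real deployment keeps this in protected
# storage provisioned at commissioning, never hard-coded in shared firmware.
DEVICE_UPDATE_KEY = b"constructed-per-device-key"


def build_package(files):
    """Build a tar archive in memory from {archive_path: bytes}.
    Used only to construct sample packages; paths are stored exactly as given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_package(package, key=DEVICE_UPDATE_KEY):
    """Detached HMAC-SHA256 tag over the raw package bytes."""
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def _inside(base, target):
    """True if target resolves to a path at or below base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def verify_and_extract(package, tag, dest, key=DEVICE_UPDATE_KEY):
    """Return (ok, reason). Rejects a package whose tag does not match (modified
    in transit) and any member that would escape dest (absolute paths, '..'
    traversal) or is not a plain file/directory. Nothing is written unless every
    member passes."""
    if not hmac.compare_digest(sign_package(package, key), tag):
        return False, "integrity check failed"
    with tarfile.open(fileobj=io.BytesIO(package), mode="r") as tar:
        members = tar.getmembers()
        for m in members:
            if not (m.isfile() or m.isdir()):
                return False, f"unsupported member type: {m.name}"
            if os.path.isabs(m.name) or not _inside(dest, os.path.join(dest, m.name)):
                return False, f"path escapes destination: {m.name}"
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ extraction filter
            tar.extractall(dest, members=members, filter="data")
        else:
            tar.extractall(dest, members=members)
    return True, "ok"


def run_demo():
    """Three constructed cases: a genuine package, the same package altered in
    transit, and a correctly signed package carrying a traversal path."""
    good = build_package({"app/config.cfg": b"constructed", "app/bin/run": b"#!/bin/sh\n"})
    tag = sign_package(good)
    dest = tempfile.mkdtemp()
    ok_good, why_good = verify_and_extract(good, tag, dest)
    with open(os.path.join(dest, "app", "config.cfg"), "rb") as fh:
        written = fh.read()

    # Same length substitution so only the content (not the tar layout) changes.
    tampered = good.replace(b"constructed", b"tamperedxxx")
    ok_tampered, why_tampered = verify_and_extract(tampered, tag, tempfile.mkdtemp())

    traversal = build_package({"../outside.txt": b"x"})
    ok_trav, why_trav = verify_and_extract(traversal, sign_package(traversal), tempfile.mkdtemp())

    return {
        "good": (ok_good, why_good, written),
        "tampered": (ok_tampered, why_tampered),
        "traversal": (ok_trav, why_trav),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```

The order of the checks matters: the tag is verified over the raw bytes before the archive is parsed at all, so a tampered package never reaches the tar reader, and every member's path is validated before the first file is written, so a package mixing legitimate files with one traversal entry leaves the filesystem untouched.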
The proprietary Modbus protocol handles a number of file operations, including read, write, and remove, Claroty said. The main RTU software, running as root, handles file access. The researchers were able to override the RTU main configuration file, and either change or delete it, making it unstable until a root access user restores the configuration.
Researchers were also able to bypass the Global/Enhanced protection features in TBox, which are intended to limit file access. To do so, they were able to decrypt passwords from communication between the RTU and the engineering software, as well as bypass protections using a configuration read.
All of the issues have been patched by Ovarro, which has also released TWinSoft version 12.4 and TBox firmware version 1.46 to mitigate these vulnerabilities. The company, along with ICS-CERT, has published advisories with technical details and mitigation information.
Claroty has previously identified the dangers involved in the operational technology (OT) environment exposed to the internet without security, as the interfaces are immediately exposed to online adversaries.
The company has already observed some indications that attackers, such as in the case of the Israel Water Authority attacks of 2020 and Oldsmar water plant hack, are making their way onto networks as a demonstration of capabilities. In each case, the vulnerabilities could be addressed through improved security architecture and basic security hygiene around access controls and system configurations.