pwshub.com

10 critical bugs put fuel storage tanks at risk of attacks

Tens of thousands of fuel storage tanks in critical infrastructure facilities remain vulnerable to zero-day attacks due to buggy Automatic Tank Gauge systems from multiple vendors, say infosec researchers. 

Automatic Tank Gauges (ATGs) are used to monitor fuel levels in storage tanks and ensure that the tanks don't leak. The ten CVEs disclosed today were found in products from several different vendors: Dover Fueling Solutions (DFS), OPW Fuel Management Systems (owned by DFS), Franklin Fueling Systems, and OMNTEC.

Seven are rated critical, and all of them allow for full administrator privileges of the device application, according to Bitsight, which found the flaws and reported them to the US Cybersecurity and Infrastructure Security Agency (CISA) six months ago. Three of the buggy products still don't have a fix.

"It's an exploit that moves something, so you have an impact on the physical world," Pedro Umbelino, Bitsight's principal research scientist, told The Register. Specifically, vulnerable ATGs can be abused to cause real-world, physical, and environmental damage, and Bitsight has seen these vulnerable products in use at gas stations, airports, government systems, manufacturers, and utility companies, he added.

Despite CISA and Bitsight spending the last six months attempting to work with vendors to plug the security holes, Umbelino estimates the number of vulnerable devices is still in the 1,200-1,500 range.

"They all allow for the same thing: access, so you can actually control the device as if you were the owner of the device, you can control everything," he said. "When you're trying to exploit a device, that's the holy grail."

This physical damage could include changing critical parameters, such as capacity, resulting in overflowing tanks. There's also the risk of a remote attacker changing tank settings or disabling alarms, which would also increase the chance of a dangerous spill, depending on the type of fuel being stored.

All of the bugs are remotely exploitable and are deemed to have "low attack complexity," according to CISA, which today issued its own disclosures about the flaws.

These include CVE-2024-45066 and CVE-2024-43693, both OS command injection bugs in DFS's ProGauge Maglink LX and consoles. These two flaws earned a perfect 10 severity rating — and for good reason. A remote attacker could send a specially crafted POST request to console sub-menus to inject malicious commands and then it's game over.

The researchers also found a 9.8-rated hardcoded credentials vulnerability, tracked as CVE-2024-43423, in DFS's Maglink LX4 device. Specifically, the web application for the console contains an administrative-level user account with an unchangeable password.

Maglink LX4 is also vulnerable to CVE-2024-45373, a privilege escalation flaw that allows a valid user to change their privileges to administrator. It earned an 8.8 CVSS rating.

Rounding out the rest of DFS's bugs, CVE-2024-43692 is a 9.8-rated authentication bypass bug in Maglink LX, while CVE-2024-41725, a cross-site scripting flaw in the same product, earned an 8.8 CVSS score.

Moving on to Franklin Fueling Systems' TS-550 device, an arbitrary file read flaw (CVE-2024-8497) with a 7.5 CVSS rating can be exploited to gain administrative access over the affected device.

The good news is that all of the buggy Maglink products and the one made by Franklin have fixes. The manufacturers urge users who haven't already to upgrade to the most recent version of the affected products.

Additionally, CISA and Bitsight suggest placing these critical systems behind firewalls and isolating them from business networks. Make sure these – and all industrial control system devices – aren't accessible from the public internet. And if you have to allow remote access, use a secure VPN.
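
An added example, not from the article or any vendor: a Python audit that checks firewall allow rules against the advice above (no internet exposure, no reachability from the business network, remote access only through the VPN). All addresses, networks and rule descriptions are constructed assumptions.

```python
import ipaddress

# Constructed site layout; every address here is an assumption for illustration.
ATG_HOSTS = ["10.20.0.5", "10.20.0.6"]                # tank gauge consoles
VPN_NET = ipaddress.ip_network("10.99.0.0/24")        # remote-access VPN pool
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")   # office / business LAN
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall allow rules: (source CIDR, destination CIDR, description).
RULES = [
    ("0.0.0.0/0", "10.20.0.5/32", "legacy port-forward from WAN"),
    ("10.10.0.0/16", "10.20.0.0/24", "office LAN to tank network"),
    ("10.99.0.0/24", "10.20.0.0/24", "VPN users to tank network"),
    ("10.10.4.0/24", "10.30.0.0/24", "office LAN to printers"),
]

def classify_source(src):
    """Return None if the source is acceptable, else the reason it is not."""
    if src.subnet_of(VPN_NET):
        return None                      # remote access through the VPN only
    if not any(src.subnet_of(net) for net in RFC1918):
        return "internet-exposed"        # source includes public address space
    if src.overlaps(BUSINESS_NET):
        return "business-network"        # gauge not isolated from office LAN
    return "internal-non-vpn"

def audit(rules, atg_hosts):
    """List (description, finding, reachable ATG hosts) for each bad rule."""
    findings = []
    for src_cidr, dst_cidr, desc in rules:
        dst = ipaddress.ip_network(dst_cidr)
        hit = [h for h in atg_hosts if ipaddress.ip_address(h) in dst]
        if not hit:
            continue                     # rule does not reach any gauge
        reason = classify_source(ipaddress.ip_network(src_cidr))
        if reason:
            findings.append((desc, reason, hit))
    return findings

if __name__ == "__main__":
    for desc, reason, hosts in audit(RULES, ATG_HOSTS):
        print(f"{reason:18} {desc} -> {', '.join(hosts)}")
```
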

While those seven CVEs do have manufacturer-issued updates to mitigate the flaws, the remaining three do not have fixes.

This includes a bug in OPW's SiteSentinel fuel management system, which has a 9.8-rated flaw tracked as CVE-2024-8310. This vulnerability can allow an attacker to bypass authentication to the server and obtain full admin privileges.

OPW Fuel Management Systems' parent company is DFS. This bug affected SiteSentinel versions prior to 17Q.2.1, which are end-of-life. As such, DFS won't be issuing any patches for the old products.

The manufacturer recommends that users install the device behind a firewall, and upgrade to at least v17Q.2.1. Users with newer versions should also contact DFS to confirm they are running a build with the needed fixes.

Meanwhile, OMNTEC and Alisonic Sibylla, the two remaining ATG makers of the bunch, did not respond to CISA's attempts to coordinate mitigation, we're told.

OMNTEC's Proteus OEL8000 tank monitoring device remains vulnerable to a 9.8-rated authentication bypass bug, tracked as CVE-2024-6981, with no fix.

Alisonic Sibylla devices are vulnerable to SQL injection attacks, which could allow complete access to the database. This flaw (CVE-2024-8630) earned a 9.4 CVSS rating and also has no fix.

"The challenge with these devices, and industrial control systems in general, is that they are really hard to patch," Umbelino said, adding that it usually requires someone physically visiting the facility where the device is located and then manually applying the fix.

And for a device that still doesn't have any mitigations? "Take it off of the internet," he said. "It should not be directly exposed." ®

Source: theregister.com
