A researcher has identified several high-severity vulnerabilities in a base station product from Austria-based wireless telemetry solutions provider Adcon Telemetry.
ICS-CERT has published an advisory detailing a total of four serious flaws identified by researcher Aditya K. Sood in Adcon’s A840 Telemetry Gateway base station, which acts as an interface between an Adcon network and one or more hosts running SCADA (supervisory control and data acquisition) software. The product is designed to retrieve data from up to 200 remote terminal units (RTUs).
Adcon A840 Telemetry Gateway base stations are mainly used in the United States and Europe in commercial facilities, water and wastewater, critical manufacturing and other sectors.
Sood discovered that the product includes a file containing hardcoded credentials that can be used by an attacker to log in to the device with administrator privileges. Once logged in, the attacker can change the device’s settings and read/write to the file system, which can have a negative impact on the system’s confidentiality, integrity and availability. The issue has been assigned the identifier CVE-2015-7930 and a CVSS score of 10.
Another issue that has been assigned a CVSS score of 10 is related to the lack of SSL support for encrypting network communications (CVE-2015-7931). This means that all communications are easily readable by an attacker with a privileged position on the targeted network (CVE-2015-7932).
Sood has also found that the Java client used by Adcon A840 exposes the full path of log files stored on the server. This vulnerability has been assigned the identifier CVE-2015-7934 and a CVSS score of 8.6.
The expert also identified a vulnerability that is not covered in ICS-CERT’s advisory. The problem is related to the fact that the Java client downloads the sensor configuration file, which includes sensitive information, before the user is authenticated with the server. This allows an attacker to download the file without authentication.
Adcon told ICS-CERT that patches or updates will not be made available for the A840 gateway system since the product is no longer supported. The company said it sent a message to all known customers to offer upgrades to a more secure and stable version.
The A840 base station is no longer available on Adcon’s website and has been replaced with the A850 Telemetry Gateway, a product that supports up to 1,000 RTUs and brings more than a dozen new features.
Sood, who plans on detailing his findings at security conferences next year, told SecurityWeek that he reported the vulnerabilities to ICS-CERT on November 3, when the A840 product was still present on Adcon’s website. The expert also pointed out that some documentation for A840 devices is still available on the company’s site.
While the vendor claims to have advised customers to upgrade their systems, the researcher has pointed to a Shodan search which shows that tens of A840 devices in North America and Europe are currently accessible from the Internet.
Sood noted in his advisory that the hardcoded credentials found in the product can be used to access devices directly from the Internet.
“Personally, I feel that the vendor should work in conjunction with customers to disclose the security holes and push them to update the software accordingly,” Sood said via email. “What happens in real time is a different story, as sometimes customers’ infrastructure does not support the updated versions or there are many dependencies to be addressed before the update happens.”
“The big question is the window of exposure (i.e. how long it will take customers to update from A840 to A850 systems),” the researcher noted. “The vendor should send notifications highlighting the risk posed by A840 systems. By not patching the systems, the company is putting onus on the customers and telling them to move on to new systems though.”
Adcon had not responded to SecurityWeek’s request for comment by the time of publication.
ICS-CERT advises organizations to minimize the risk of exploitation by ensuring that control systems are placed behind a firewall and isolated from the business network, and by using VPNs when remote access is required.