Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Unpatched Adcon ICS Products Exposed Online

A researcher has identified several high severity vulnerabilities in a base station product from Austria-based wireless telemetry solutions provider Adcon Telemetry.

A researcher has identified several high severity vulnerabilities in a base station product from Austria-based wireless telemetry solutions provider Adcon Telemetry.

ICS-CERT has published an advisory detailing a total of four serious flaws identified by researcher Aditya K. Sood in Adcon’s A840 Telemetry Gateway base station, which acts as an interface between an Adcon network and one or more hosts running SCADA (supervisory control and data acquisition) software. The product is designed to retrieve data from up to 200 remote terminal units (RTUs).

Adcon A840 Telemetry Gateway base stations are mainly used in the United States and Europe in commercial facilities, water and wastewater, critical manufacturing and other sectors.Adcon A850 Telemetry Gateway

Sood discovered that the product includes a file containing hardcoded credentials that can be used by an attacker to log in to the device with administrator privileges. Once logged in, the attacker can change the device’s settings and read/write to the file system, which can have a negative impact on the system’s confidentiality, integrity and availability. The issue has been assigned the identifier CVE-2015-7930 and a CVSS score of 10.

Another issue that has been assigned a CVSS score of 10 is related to the lack of SSL support for encrypting network communications (CVE-2015-7931). This means that all communications are easily readable by an attacker with a privileged position on the targeted network (CVE-2015-7932).

Sood has also found that the Java client used by Adcon A840 exposes the full path of log files stored on the server. This vulnerability has been assigned the identifier CVE-2015-7934 and a CVSS score of 8.6.

The expert also identified a vulnerability that is not covered in ICS-CERT’s advisory. The problem is related to the fact that the Java client downloads the sensor configuration file, which includes sensitive information, before the user is authenticated with the server. This allows an attacker to download the file without authentication.

Adcon told ICS-CERT that patches or updates will not be made available for the A840 gateway system since the product is no longer supported. The company said it sent a message to all known customers to offer upgrades to a more secure and stable version.

The A840 base station is no longer available on Adcon’s website and has been replaced with the A850 Telemetry Gateway, a product that supports up to 1,000 RTUs and brings more than a dozen new features.

Sood, who plans on detailing his findings at security conferences next year, told SecurityWeek that he reported the vulnerabilities to ICS-CERT on November 3, when the A840 product was still present on Adcon’s website. The expert also pointed out that some documentation for A840 devices is still available on the company’s site.

While the vendor claims to have advised customers to upgrade their systems, the researcher has pointed to a Shodan search which shows that tens of A840 devices in North America and Europe are currently accessible from the Internet.

Sood noted in his advisory that the hardcoded credentials found in the product can be used to access devices directly from the Internet.

“Personally, I feel that the vendor should work in conjunction with customers to disclose the security holes and push them to update the software accordingly,” Sood said via email. “What happens in real time is a different story, as sometimes customers’ infrastructure does not support the updated versions or there are many dependencies to be addressed before the update happens.”

“The big question is the window of exposure (i.e. how long it will take customers to update from A840 to A850 systems),” the researcher noted. “The vendor should send notifications highlighting the risk posed by A840 systems. By not patching the systems, the company is putting onus on the customers and telling them to move on to new systems though.”

Adcon has not responded to SecurityWeek’s request for comment by the time of publication.

ICS-CERT advises organizations to minimize the risk of exploitation by ensuring that control systems are placed behind a firewall and isolated from the business network, and use VPNs when remote access is required.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

ICS/OT

A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

ICS/OT

Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

ICS/OT

Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.