CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Unpatched Adcon ICS Products Exposed Online

A researcher has identified several high severity vulnerabilities in a base station product from Austria-based wireless telemetry solutions provider Adcon Telemetry.

A researcher has identified several high severity vulnerabilities in a base station product from Austria-based wireless telemetry solutions provider Adcon Telemetry.

ICS-CERT has published an advisory detailing a total of four serious flaws identified by researcher Aditya K. Sood in Adcon’s A840 Telemetry Gateway base station, which acts as an interface between an Adcon network and one or more hosts running SCADA (supervisory control and data acquisition) software. The product is designed to retrieve data from up to 200 remote terminal units (RTUs).

Adcon A840 Telemetry Gateway base stations are mainly used in the United States and Europe in commercial facilities, water and wastewater, critical manufacturing and other sectors.Adcon A850 Telemetry Gateway

Sood discovered that the product includes a file containing hardcoded credentials that can be used by an attacker to log in to the device with administrator privileges. Once logged in, the attacker can change the device’s settings and read/write to the file system, which can have a negative impact on the system’s confidentiality, integrity and availability. The issue has been assigned the identifier CVE-2015-7930 and a CVSS score of 10.

Another issue that has been assigned a CVSS score of 10 is related to the lack of SSL support for encrypting network communications (CVE-2015-7931). This means that all communications are easily readable by an attacker with a privileged position on the targeted network (CVE-2015-7932).

Sood has also found that the Java client used by Adcon A840 exposes the full path of log files stored on the server. This vulnerability has been assigned the identifier CVE-2015-7934 and a CVSS score of 8.6.

The expert also identified a vulnerability that is not covered in ICS-CERT’s advisory. The problem is related to the fact that the Java client downloads the sensor configuration file, which includes sensitive information, before the user is authenticated with the server. This allows an attacker to download the file without authentication.

Adcon told ICS-CERT that patches or updates will not be made available for the A840 gateway system since the product is no longer supported. The company said it sent a message to all known customers to offer upgrades to a more secure and stable version.

The A840 base station is no longer available on Adcon’s website and has been replaced with the A850 Telemetry Gateway, a product that supports up to 1,000 RTUs and brings more than a dozen new features.

Advertisement. Scroll to continue reading.

Sood, who plans on detailing his findings at security conferences next year, told SecurityWeek that he reported the vulnerabilities to ICS-CERT on November 3, when the A840 product was still present on Adcon’s website. The expert also pointed out that some documentation for A840 devices is still available on the company’s site.

While the vendor claims to have advised customers to upgrade their systems, the researcher has pointed to a Shodan search which shows that tens of A840 devices in North America and Europe are currently accessible from the Internet.

Sood noted in his advisory that the hardcoded credentials found in the product can be used to access devices directly from the Internet.

“Personally, I feel that the vendor should work in conjunction with customers to disclose the security holes and push them to update the software accordingly,” Sood said via email. “What happens in real time is a different story, as sometimes customers’ infrastructure does not support the updated versions or there are many dependencies to be addressed before the update happens.”

“The big question is the window of exposure (i.e. how long it will take customers to update from A840 to A850 systems),” the researcher noted. “The vendor should send notifications highlighting the risk posed by A840 systems. By not patching the systems, the company is putting onus on the customers and telling them to move on to new systems though.”

Adcon has not responded to SecurityWeek’s request for comment by the time of publication.

ICS-CERT advises organizations to minimize the risk of exploitation by ensuring that control systems are placed behind a firewall and isolated from the business network, and use VPNs when remote access is required.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.