SecurityWeek

Unpatched Loytec Building Automation Flaws Disclosed 2 Years After Discovery 

The details of 10 unpatched Loytec building automation product vulnerabilities have been disclosed two years after their discovery.

Industrial cybersecurity firm TXOne Networks has disclosed the details of 10 unpatched vulnerabilities discovered by its researchers in building automation products made by Austrian company Loytec more than two years ago. 

The vulnerabilities have been assigned the identifiers CVE-2023-46380 through CVE-2023-46389 and their details were disclosed in three separate advisories published on the Full Disclosure mailing list in November. 

The vulnerabilities are related to usernames and passwords being transmitted or stored in clear text, the lack of authentication, the exposure of admin passwords in a registry key, and the exposure of other potentially sensitive information.

According to TXOne, the security holes impact LINX-212, LINX-151 and LIOB-586 programmable automation stations designed for controlling various building applications, LVIS-3ME12-A1 touch panels, the LWEB‑802 visualization tool, and the L-INX Configurator configuration tool.

An attacker — in some cases without authentication — could exploit the vulnerabilities to take control of the targeted system and disable building security systems and alarms.

However, exploiting some of the vulnerabilities is more complicated as it requires a man-in-the-middle (MitM) attack on the network or local access to the targeted product. 

The TXOne Networks research team provided some explanations for SecurityWeek:

  • CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 require a MitM position on the network to read sensitive data (cleartext password). On the other hand, CVE-2023-46382 doesn’t require any technical skills. If the web user interface of the preinstalled version of LWEB-802 is exposed to the internet, anyone could easily access and control it. We found some of the projects are exposed on the internet and accessible. 
  • For CVE-2023-46387, CVE-2023-46389, these files could be easily accessed once an attacker is able to log in as administrator. These files contain SMTP client credentials used for alert and report functions.
  • Only CVE-2023-46384 requires local access to the machine on which LINX Configurator is installed. Anyone who can locally access the machine could steal the password.

The vulnerabilities were initially reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI) in October 2021, and the US cybersecurity agency CISA attempted to make contact one year later. However, Loytec was unresponsive when contacted by ZDI and CISA, which is why TXOne decided to make its findings public.

Delta Electronics-owned Loytec did not respond to SecurityWeek’s request for comment.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
