Industrial cybersecurity firm TXOne Networks has disclosed the details of 10 unpatched vulnerabilities that its researchers discovered more than two years ago in building automation products made by Austrian company Loytec.
The vulnerabilities have been assigned the identifiers CVE-2023-46380 through CVE-2023-46389 and their details were disclosed in three separate advisories published on the Full Disclosure mailing list in November.
The vulnerabilities are related to usernames and passwords being transmitted or stored in clear text, the lack of authentication, the exposure of admin passwords in a registry key, and the exposure of other potentially sensitive information.
According to TXOne, the security holes impact LINX-212, LINX-151 and LIOB-586 programmable automation stations designed for controlling various building applications, LVIS-3ME12-A1 touch panels, the LWEB-802 visualization tool, and the L-INX Configurator configuration tool.
An attacker — in some cases without authentication — could exploit the vulnerabilities to take control of the targeted system and disable building security systems and alarms.
However, exploiting some of the vulnerabilities is more complicated as it requires a man-in-the-middle (MitM) attack on the network or local access to the targeted product.
The TXOne Networks research team provided some explanations for SecurityWeek:
- CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 require a MitM position on the network to read sensitive data (cleartext password). On the other hand, CVE-2023-46382 doesn’t require any technical skills. If the web user interface of the preinstalled version of LWEB-802 is exposed to the internet, anyone could easily access and control it. We found some of the projects are exposed on the internet and accessible.
- For CVE-2023-46387 and CVE-2023-46389, these files could be easily accessed once an attacker is able to log in as administrator. These files contain SMTP client credentials used for alert and report functions.
- Only CVE-2023-46384 requires local access to the machine on which LINX Configurator is installed. Anyone who can locally access the machine could steal the password.
The vulnerabilities were initially reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI) in October 2021, and the US cybersecurity agency CISA attempted to make contact one year later. However, Loytec was unresponsive when contacted by ZDI and CISA, which is why TXOne decided to make its findings public.
Delta Electronics-owned Loytec did not respond to SecurityWeek’s request for comment.