A cybersecurity researcher who specializes in industrial control systems (ICS) has identified three types of critical vulnerabilities in products made by human-machine interface (HMI) manufacturer Weintek.
The Taiwan-based vendor’s products are used worldwide. The company has posted a technical advisory instructing customers to install available patches and take steps to mitigate risks. It noted that the risk of exploitation is more significant if the devices are connected to an open network.
The vulnerabilities were discovered by Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska. The security holes have been found to impact the EasyWeb web-based configuration interface available for Weintek cMT products. Affected products include HMIs (including screenless HMIs), programmable logic controllers (PLCs), and gateways.
The vulnerabilities can be exploited by a remote, unauthenticated attacker for code execution with root privileges (CVE-2021-27446), to remotely access sensitive information and conduct actions on behalf of an admin (CVE-2021-27444), and to execute malicious JavaScript code via a stored XSS flaw (CVE-2021-27442).
Dudek noted on Twitter that there are more than 170 cMT HMIs connected directly to the internet, including systems located in Europe, Asia and North America.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
The researcher told SecurityWeek that an attacker could exploit the first two vulnerabilities with a single request sent to the targeted device. In the case of CVE-2021-27444, an attacker could leverage it to obtain the administrator password hash.
In the worst case scenario, an attacker can exploit the vulnerabilities to take complete control of the targeted device with root privileges, which in a real world environment could have serious consequences.
“Having such high privileges, an attacker can have unlimited access to all functions of the HMI,” Dudek explained. “It could also be used as a proxy to get access to the internal network of an organization, or to have direct access to other industrial devices in the same network, such as PLCs.
Dudek said he worked well with the vendor during the disclosure process. He said it took roughly two months to release all patches, but most of the fixes were ready one month after he reported his findings.
Remotely accessible HMIs can pose a serious threat to organizations in critical infrastructure sectors. Some of the high-profile incidents that came to light recently involve attacks on the water sector.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued an advisory for the Weintek cMT vulnerabilities this week, the impacted products are mostly used in the water and commercial facilities sectors.
Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility
Related: CISA Issues Advisory for High-Severity Vulnerabilities in Fuji Electric HMI Products
Related: Tens of Vulnerabilities Expose WAGO Controllers, HMI Panels to Attacks
