Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerabilities Can Allow Attackers to Remotely Gain Control of Weintek HMIs

A cybersecurity researcher who specializes in industrial control systems (ICS) has identified three types of critical vulnerabilities in products made by human-machine interface (HMI) manufacturer Weintek.

A cybersecurity researcher who specializes in industrial control systems (ICS) has identified three types of critical vulnerabilities in products made by human-machine interface (HMI) manufacturer Weintek.

The Taiwan-based vendor’s products are used worldwide. The company has posted a technical advisory instructing customers to install available patches and take steps to mitigate risks. It noted that the risk of exploitation is more significant if the devices are connected to an open network.

Weintek HMI vulnerabilitiesThe vulnerabilities were discovered by Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska. The security holes have been found to impact the EasyWeb web-based configuration interface available for Weintek cMT products. Affected products include HMIs (including screenless HMIs), programmable logic controllers (PLCs), and gateways.

The vulnerabilities can be exploited by a remote, unauthenticated attacker for code execution with root privileges (CVE-2021-27446), to remotely access sensitive information and conduct actions on behalf of an admin (CVE-2021-27444), and to execute malicious JavaScript code via a stored XSS flaw (CVE-2021-27442).

Dudek noted on Twitter that there are more than 170 cMT HMIs connected directly to the internet, including systems located in Europe, Asia and North America.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The researcher told SecurityWeek that an attacker could exploit the first two vulnerabilities with a single request sent to the targeted device. In the case of CVE-2021-27444, an attacker could leverage it to obtain the administrator password hash.

In the worst case scenario, an attacker can exploit the vulnerabilities to take complete control of the targeted device with root privileges, which in a real world environment could have serious consequences.

“Having such high privileges, an attacker can have unlimited access to all functions of the HMI,” Dudek explained. “It could also be used as a proxy to get access to the internal network of an organization, or to have direct access to other industrial devices in the same network, such as PLCs.

Advertisement. Scroll to continue reading.

Dudek said he worked well with the vendor during the disclosure process. He said it took roughly two months to release all patches, but most of the fixes were ready one month after he reported his findings.

Remotely accessible HMIs can pose a serious threat to organizations in critical infrastructure sectors. Some of the high-profile incidents that came to light recently involve attacks on the water sector.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued an advisory for the Weintek cMT vulnerabilities this week, the impacted products are mostly used in the water and commercial facilities sectors.

Related: Iranian Hackers Access Unprotected ICS at Israeli Water Facility

Related: CISA Issues Advisory for High-Severity Vulnerabilities in Fuji Electric HMI Products

Related: Tens of Vulnerabilities Expose WAGO Controllers, HMI Panels to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights