Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerabilities in PiiGAB Product Could Expose Industrial Organizations to Attacks

Potentially serious vulnerabilities discovered by researchers in a PiiGAB product could expose industrial organizations to remote hacker attacks.

Potentially serious vulnerabilities discovered by researchers in a PiiGAB product could expose industrial organizations to remote hacker attacks.

PiiGAB is a Sweden-based company that provides industrial and building automation hardware and software solutions. 

Researchers Floris Hendriks and Jeroen Wijenbergh conducted an in-depth security assessment of PiiGAB’s M-Bus 900s gateway/converter as part of their master’s in cybersecurity at Radboud University in the Netherlands. The product is designed for the remote monitoring of devices using the M-Bus protocol. 

“For example, the device is connected to electricity meters, water meters but also heat pumps, cooling units and PLC devices. This means that this product can be used to communicate with a large ecosystem of ICS devices,” the researchers told SecurityWeek

The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an advisory describing the vulnerabilities discovered by Hendriks and Wijenbergh in the PiiGAB product.

The vendor has been notified and it has released updates that should address the security holes. 

According to the CISA advisory, the two researchers discovered nine types of vulnerabilities, including code injection, login attempt rate limiting, hardcoded and plaintext credentials, weak password, cross-site scripting (XSS), and cross-site request forgery (CSRF) issues. 

An attacker could exploit the flaws to execute arbitrary commands, launch brute-force attacks, obtain access to the system, gain elevated privileges, and trick legitimate users into executing malicious commands. A majority of the flaws have been assigned ‘critical’ or ‘high’ severity ratings. 

“Some of the vulnerabilities do not require privileges,” the researchers explained. “For example, initially it was possible to brute force the login credentials or bypass authentication using cross site request forgeries. Other vulnerabilities, such as the code injection, can only be exploited with low privileges.”

Advertisement. Scroll to continue reading.

Exploitation of the vulnerabilities against an industrial organization could have serious consequences.

“As these devices are connected to industrial control systems such as PLCs, sensors and actuators, hacking them can have significant impact on the industrial processes,” Hendriks and Jeroen Wijenbergh said. “Using the exploits, an attacker is able to remotely gain (root) control over the PiiGAB device. Consequently, an attacker can, for example, conduct network pivoting, which allows an attacker to gain access to the local industrial network.” 

“Moreover, it is also possible to monitor the network to eavesdrop credentials used for accessing other systems. Lastly, denial of service attacks and confidential data exfiltration can be conducted as well,” they added.

A Shodan search shows more than 600 internet-exposed instances of PiiGAB M-Bus, which could be vulnerable to remote attacks launched directly from the web. However, the researchers pointed out that some organizations use VPNs to mitigate potential attacks from the outside. 

“We think that this is a good way to harden the security. However, we would like to stress that the software should be secure and a VPN should be seen as a second factor,” the researchers noted. 

The Shodan search shows that the internet-exposed devices are mainly located in Sweden, as well as a few other Nordic countries, but CISA’s advisory says the impacted product is used worldwide in the energy sector. 

Related: Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid

Related: Critical Flaw in Inea ICS Product Exposes Industrial Organizations to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights