Potentially serious vulnerabilities discovered by researchers in a PiiGAB product could expose industrial organizations to remote hacker attacks.
PiiGAB is a Sweden-based company that provides industrial and building automation hardware and software solutions.
Researchers Floris Hendriks and Jeroen Wijenbergh conducted an in-depth security assessment of PiiGAB’s M-Bus 900s gateway/converter as part of their master’s in cybersecurity at Radboud University in the Netherlands. The product is designed for the remote monitoring of devices using the M-Bus protocol.
“For example, the device is connected to electricity meters, water meters but also heat pumps, cooling units and PLC devices. This means that this product can be used to communicate with a large ecosystem of ICS devices,” the researchers told SecurityWeek.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an advisory describing the vulnerabilities discovered by Hendriks and Wijenbergh in the PiiGAB product.
The vendor has been notified and it has released updates that should address the security holes.
According to the CISA advisory, the two researchers discovered nine types of vulnerabilities, including code injection, login attempt rate limiting, hardcoded and plaintext credentials, weak password, cross-site scripting (XSS), and cross-site request forgery (CSRF) issues.
An attacker could exploit the flaws to execute arbitrary commands, launch brute-force attacks, obtain access to the system, gain elevated privileges, and trick legitimate users into executing malicious commands. A majority of the flaws have been assigned ‘critical’ or ‘high’ severity ratings.
“Some of the vulnerabilities do not require privileges,” the researchers explained. “For example, initially it was possible to brute force the login credentials or bypass authentication using cross site request forgeries. Other vulnerabilities, such as the code injection, can only be exploited with low privileges.”
Exploitation of the vulnerabilities against an industrial organization could have serious consequences.
“As these devices are connected to industrial control systems such as PLCs, sensors and actuators, hacking them can have significant impact on the industrial processes,” Hendriks and Jeroen Wijenbergh said. “Using the exploits, an attacker is able to remotely gain (root) control over the PiiGAB device. Consequently, an attacker can, for example, conduct network pivoting, which allows an attacker to gain access to the local industrial network.”
“Moreover, it is also possible to monitor the network to eavesdrop credentials used for accessing other systems. Lastly, denial of service attacks and confidential data exfiltration can be conducted as well,” they added.
A Shodan search shows more than 600 internet-exposed instances of PiiGAB M-Bus, which could be vulnerable to remote attacks launched directly from the web. However, the researchers pointed out that some organizations use VPNs to mitigate potential attacks from the outside.
“We think that this is a good way to harden the security. However, we would like to stress that the software should be secure and a VPN should be seen as a second factor,” the researchers noted.
The Shodan search shows that the internet-exposed devices are mainly located in Sweden, as well as a few other Nordic countries, but CISA’s advisory says the impacted product is used worldwide in the energy sector.