Claroty discovers vulnerabilities in Ovarro TBox RTUs

30 Mar 2021

Researchers from Claroty have discovered widespread vulnerabilities within Ovarro’s TBox remote terminal units (RTUs), commonly found in industrial facilities in the oil, power, and gas sectors.

The five vulnerabilities could enable attackers to break into the systems and run code, crash systems, and meddle with configuration files, amongst other malicious actions.

“The risks associated with these flaws threaten not only the integrity of automation processes, but also, in some cases, public safety,” Claroty researchers state.

Researchers analysed the TBox on the LT2-530, version 1.44 build 485, and TWinSoft engineering software version 12.2.1, build 1545.

Researchers used open source intelligence including Shodan to work out how many of the TBox RTU devices were available through the internet. They found that only a third (37%) had authentication settings that protected devices from access. That means 63% of devices were completely open, enabling any visitor to control the RTU or read data in the custom HMI panel configuration.

“In its research, the Claroty Research Team was able to bypass and exploit vulnerabilities in each of these communication channels, eventually executing code remotely on the RTU regardless of any security mechanisms enabled,” the company states.

Affected products include:

  • TBoxLT2 (all models)
  • TBox MS-CPU32
  • TBox MS-CPU32-S2
  • TBox MS-RM2 (all models)
  • TBox TG2 (all models)
  • All versions prior to TWinSoft 12.4 and prior to TBox Firmware 1.46

Ovarro has patched all vulnerabilities in TBox firmware version 1.46 and TWinSoft version 12.4. All users should update their systems to the latest versions immediately.

The details of each vulnerability and CVE are below.

CVE-2021-22646 | CWE-94 Improper Control of Generation of Code (Code Injection)

CVSS v3 Score: 8.8

This vulnerability and CVE-2021-22648 were the most severe among the vulnerabilities uncovered by Claroty researchers. With CVE-2021-22646, an attacker can exploit an ipk update package generated in the TWinSoft engineering software to run malicious code on the TBox.

CVE-2021-22648 | CWE-732 Incorrect Permission Assignment for Critical Resource

CVSS v3 Score: 8.8

This vulnerability was found in the TBox proprietary Modbus file access functions that allow an attacker to read, alter, or delete a configuration file.

CVE-2021-22642 | CWE-400 Uncontrolled Resource Consumption

CVSS v3 Score: 7.5

A specially crafted Modbus frame can be used to crash a TBox system.

CVE-2021-22640 | CWE-522 Insufficiently Protected Credentials

CVSS v3 Score: 7.5

An attacker can decrypt the login password by capturing communications and running brute-force attacks.

CVE-2021-22644 | CWE-321 Use of Hard-Coded Cryptographic Key

CVSS v3 Score: 7.5

TWinSoft uses a custom hard-coded user and a hard-coded cryptographic key.
