Industrial cybersecurity firm TXOne Networks recently revealed the existence of ten unpatched vulnerabilities in building automation products developed by Loytec, an Austrian company. These vulnerabilities, discovered over two years ago by TXOne’s researchers, pose a significant risk to the security and integrity of building automation systems. In this article, we will delve into the details of these vulnerabilities, their potential impact, and the urgent need for patching and securing affected systems.
Vulnerability details and disclosure
The vulnerabilities identified by TXOne Networks have been assigned the identifiers CVE-2023-46380 through CVE-2023-46389. These details were publicly disclosed in three separate advisories that the company published on the Full Disclosure mailing list back in November. The vulnerabilities primarily relate to the transmission and storage of usernames and passwords in clear text, lack of proper authentication mechanisms, exposure of admin passwords in a registry key, and the potential exposure of sensitive information.
Affected products
The vulnerabilities reported by TXOne Networks impact several Loytec building automation products. These include the LINX-212, LINX-151, and LIOB-586 programmable automation stations responsible for controlling various building applications. Additionally, the LVIS-3ME12-A1 touch panels, LWEB-802 visualization tool, and the L-INX Configurator configuration tool are also affected.
Potential impact
Exploiting these vulnerabilities could allow an attacker, in some cases even without authentication, to take control of the targeted building automation system. Once compromised, the attacker could proceed to disable security systems and alarms, leading to potentially severe consequences. This highlights the critical nature of addressing these vulnerabilities promptly.
Complexity of exploitation
While some of the vulnerabilities can be exploited relatively easily, others require more sophisticated techniques. Certain vulnerabilities can only be exploited through a man-in-the-middle (MitM) attack on the network or local access to the affected Loytec products. These additional requirements for exploitation serve as obstacles, but they still emphasize the importance of securing systems and preventing unauthorized access.
MitM attack and sensitive data access
Vulnerabilities such as CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 specifically require a MitM position on the network to successfully read sensitive data, such as cleartext passwords. These vulnerabilities emphasize the importance of implementing strong encryption protocols and securing network communications within building automation systems.
Easy access through exposed web user interface
One of the vulnerabilities, CVE-2023-46382, poses a significant risk due to its exploitable nature. This vulnerability does not require any technical skills to exploit. If the web user interface of the preinstalled version of LWEB-802 is exposed to the internet, anyone with access can easily enter and assume control. This emphasizes the importance of proper network configuration and applying appropriate access controls.
Access to sensitive files as an administrator
For CVE-2023-46387 and CVE-2023-46389, the ability to access sensitive files containing SMTP client credentials used for alert and report functions requires an attacker to gain administrator-level access. However, once an attacker successfully achieves administrative privileges, these files can be easily accessed, leading to potential misuse or unauthorized disclosure of sensitive information.
Reporting and vendor response
TXOne Networks initially reported these vulnerabilities to Loytec through Trend Micro’s Zero Day Initiative (ZDI) in October 2021. Shockingly, the US cybersecurity agency, CISA, attempted to contact Loytec a year later, highlighting potential delays in the vendor’s response to critical security concerns. It is imperative that vendors promptly address reported vulnerabilities to safeguard their customers’ systems.
The unpatched vulnerabilities discovered in Loytec building automation products by TXOne Networks represent a significant threat to industrial cybersecurity. Urgent action is needed to identify and mitigate these vulnerabilities, ensuring the security and integrity of building automation systems. Vendors must respond swiftly to vulnerability reports and patch their products, while end-users and system administrators should promptly apply patches and implement robust security measures to safeguard their critical infrastructure from potential compromise and unauthorized access. By prioritizing cybersecurity and fostering collaboration between cybersecurity researchers and manufacturers, we can collectively enhance the resilience of our critical infrastructures, guarding against potential cyber threats that could have severe consequences.