Researchers at the Cybersecurity and Infrastructure Security Agency (CISA) discovered a total of five vulnerabilities in different models of TBox remote terminal units (RTUs) developed by Ovarro. If those vulnerabilities aren’t addressed and patched, there is a serious possibility that hackers could use them to perform denial of service (DoS) attacks and execute malicious code on the targeted systems. CISA published its advisory warning about the vulnerabilities on the 23rd of March.
About Ovarro’s TBox units
Ovarro’s TBox units are SCADA (Supervisory Control and Data Acquisition) solutions that allow their users to remotely manage and monitor industrial and other equipment. SCADA is normally used to control the equipment and industrial processes of both public and private companies through a centralized GUI (Graphical User Interface). A security flaw in a SCADA device therefore means that the entire network of computers and equipment controlled and monitored by that device could be in jeopardy if an attacker exploits the flaw.
The Discovered Flaws
In the current case, the TBox flaws were discovered and reported by Uri Katz, a researcher at CISA. According to his research, multiple Ovarro TBox products are affected by the reported flaws: TBox MS-CPU32, TBox LT2, TBox MS-RM2, TBox MS-CPU32-S2, TBox TG2, all TBox firmware versions before 1.46, and TWinSoft versions before 12.4.
The cybersecurity company Claroty has also found that over 62% of the TBox units connected to the Internet don’t require any form of authentication. This means that potential attackers could easily take control of those TBox units by exploiting the HTTP service.
Through further investigation, the researchers at Claroty discovered five TBox vulnerabilities related to the Modbus communications protocol used in Ovarro’s products. Three of them could be exploited to insert and run malicious code in targeted TBox units, which could in turn allow attackers to crash the devices, decrypt their login details, or capture the data traffic between the TBox unit and the software. Those vulnerabilities are tracked as CVE-2021-22646, CVE-2021-22642, and CVE-2021-22640, respectively.
Another flaw, CVE-2021-22648, was found in the Modbus file and can be used to modify or delete that file.
The fifth discovered vulnerability is CVE-2021-22644, through which attackers could go as far as extracting the system’s cryptographic key.
To demonstrate the potential application of the discovered flaws, the researchers experimentally attempted to exploit three of them: CVE-2021-22648, CVE-2021-22644, and CVE-2021-22646. They managed to access the Modbus configuration file, extract and decrypt the cryptographic key, and finally insert malicious code into the TBox unit.
Need for Stricter Precautions
Currently, TBox RTUs are very widespread and are used to manage many important infrastructures. This means that the flaws detected in them put all those infrastructures in serious jeopardy, especially the ones managed by RTUs that are exposed to the Internet.
Obviously, measures need to be taken to fix the flaws that researchers have discovered in the TBox RTUs, but it is just as important (if not more so) for infrastructure administrators to do everything within their power to make those infrastructures as secure as possible. Many businesses and organizations (including public ones) don’t take the required security precautions to protect their networks from hackers and leave them wide open to attacks. Considering the essential nature of many of those infrastructures (water control, power distribution, transportation, etc.), such negligence is unacceptable and shouldn’t be allowed.