Security News > 2021 > March > Flaws in Ovarro TBox RTUs Could Open Industrial Systems to Remote Attacks

Flaws in Ovarro TBox RTUs Could Open Industrial Systems to Remote Attacks
2021-03-29 08:28

As many as five vulnerabilities have been uncovered in Ovarro's TBox remote terminal units that, if left unpatched, could open the door for escalating attacks against critical infrastructures, like remote code execution and denial-of-service.

TBox is an "All-in-one" solution for automation and control systems for supervisory control and data acquisition applications, with its telemetry software used for remote control and monitoring of assets in a number of critical infrastructure sectors, such as water, power, oil and gas, transportation, and process industries.

TBox devices can be programmed using a software suite called TWinSoft, which allows for the creation of interactive web pages, where users can monitor and control their site assets.

They affect multiple products, including TBox LT2, TBox MS-CPU32, TBox MS-CPU32-S2, TBox MS-RM2, TBox TG2, and all versions of TWinSoft prior to 12.4 and TBox Firmware before 1.46.

Most of the devices are said to be located in Canada, Germany, Thailand, and the U.S. Further investigation into the remote terminal units revealed multiple vulnerabilities in its proprietary Modbus protocol used for communications that could be leveraged to run malicious code in TBox, crash a TBox system, and even decrypt the login password by capturing the network traffic between the RTU and the software.

As a proof-of-concept, the researchers chained three of the above flaws - CVE-2021-22648, CVE-2021-22644, and CVE-2021-22646 - to access the configuration file, extract and decode the hard-coded key, and ultimately deploy a malicious update package in the RTU. Given the prevalence of TBox RTUs in critical infrastructure, the research demonstrates the dangers involved in exposing such devices directly on the Internet, thereby posing a threat to the integrity of automation processes and public safety alike.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/vErPzoJgNQk/flaws-in-ovarro-tbox-rtus-could-open.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-07-28 CVE-2021-22648 Incorrect Permission Assignment for Critical Resource vulnerability in Ovarro products
Ovarro TBox proprietary Modbus file access functions allow attackers to read, alter, or delete the configuration file. 		0.0
0.0
2022-07-28 CVE-2021-22646 Unspecified vulnerability in Ovarro products
The “ipk” package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in Ovarro TBox, allowing malicious code execution. 		0.0
0.0
2022-07-28 CVE-2021-22644 Use of Hard-coded Credentials vulnerability in Ovarro products
Ovarro TBox TWinSoft uses the custom hardcoded user “TWinSoft” with a hardcoded key. 		0.0
0.0