Co-Authors: Ta-Lun Yen, Chizuru Toyama, Queenie Liao, Daniel Chiu
In cybersecurity, critical devices are defined by three key traits:
- They have network connectivity
- They can send out critical decisions, such as opening a water gate or operating a boiler
- They have the necessary computing power to do their work
If a hacker takes control of a critical device, they can send malicious commands to the PLC or circuit switch, jeopardizing the whole operation. One type of critical device, the human machine interface (HMI), is a common point of control in ICS industries, used to let operators manipulate electronic systems more intuitively.
Key functions of HMI:
- Providing a graphical representation of the process for the operator
- Controlling, monitoring, alarming, and trending
- Collecting data from devices and displays
- Sending data to a database for long-term trending
C-More human machine interfaces (HMIs) are extremely common in the ICS industry and are used in a variety of critical infrastructure sectors, including manufacturing, wastewater treatment, oil & gas, and smart power grids. TXOne Networks’ research team recently discovered that these HMIs are vulnerable to remote code execution, pre-authorization remote control, authorization bypass, DoS, and backdoor exploits, which can be used by hackers to harm or take over factory systems. Such threats are of critical interest because they can cause not only substantial financial losses but also significant danger to human life and health.
While manufacturers strongly recommend the use of firewalls and authentication (passwords, for example) to secure HMI, the vulnerabilities discovered here allow these security measures to be circumvented with little effort. Exposed HMIs can be accessed from the internet with startling ease.
Our researchers found many C-More HMIs such as this one exposed on the open internet
In total, five such vulnerabilities were discovered in C-More HMIs. They fall into two categories: improper authentication and unsecured source code.
C-More HMI EA9 Authentication Bypass Vulnerability (CVSS Score 7.5, ZDI-20-805, CVE-2020-10918)
By exploiting this vulnerability, attackers can escalate their privileges without authentication and access resources normally denied to unauthorized users on C-More HMI EA9 touchscreen panels.
C-More HMI EA9 Weak Cryptography for Passwords Information Disclosure Vulnerability (CVSS Score 5.9, ZDI-20-806, CVE-2020-10919)
Remote attackers can access sensitive information on affected C-More HMI EA9 touchscreen panels. Passwords are stored in an encrypted format that can be reversed, giving easy access to credentials.
(CVSS Score 9.8, ZDI-20-808, CVE-2020-10920)
Affected C-More HMI EA9 touchscreens do not require authentication before allowing the system to be reconfigured. In short, attackers can execute code remotely without authentication.
(CVSS Score 9.8, ZDI-20-807, CVE-2020-10921)
Due to a lack of input validation prior to processing user requests, attackers do not need authentication to trigger a denial-of-service condition on affected C-More HMI EA9 touchscreens.
(CVSS Score 7.5, ZDI-20-809, CVE-2020-10922)
Due to a lack of input validation prior to processing user requests on affected C-More HMI EA9 touchscreens, attackers can exploit this vulnerability to trigger a denial-of-service condition on the system.
We can clearly see here how insecure or legacy appliances can provide a welcoming attack surface in OT environments.
Suggested threat prevention measures to counter these exploits:
- Deploy virtual patching using EdgeFire or EdgeIPS: malicious traffic is detected by signature and then blocked.
- Implement zone segmentation using EdgeFire or EdgeIPS: network segmentation prevents an attack from spreading to other devices on the network, protecting the entire system from compromise and denying hackers valuable information about your network.
- Use a VPN gateway to keep your OT network off the open internet.
- Set up an IP address access control policy using EdgeFire and EdgeIPS: HMIs should run a trust list so that only known devices can connect to them.
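The trust-list and segmentation measures above amount to one policy question per connection: is this source allowed to talk to this HMI at all? The following added example (written for this article, not TXOne's or EdgeIPS's own code) evaluates that policy over a few constructed firewall connection records. The zone layout, the HMI address, the trusted engineering-workstation range and the port numbers are all assumptions for illustration; the page names none of them. It separates the two failure modes the article highlights: a source outside the plant's address space (internet exposure) and an internal source from a zone that should have been segmented off.

```python
import ipaddress

# Assumed layout (constructed for this example, not from the advisory).
HMI_HOSTS = {"10.10.20.15"}  # C-More HMI panel(s) in the OT zone
TRUSTED_SOURCES = [  # the trust list: only these may reach the HMI
    ipaddress.ip_network("10.10.10.0/28"),  # engineering workstations
    ipaddress.ip_network("10.10.20.0/24"),  # the HMI's own OT zone (PLCs, SCADA server)
]
PLANT_ADDRESS_SPACE = [ipaddress.ip_network("10.0.0.0/8")]  # everything the plant owns

# Constructed connection records in the style of a firewall/IPS log.
# Ports are placeholders, not the HMI's actual service ports.
SAMPLE_LOG = """\
2020-07-01T08:01:12Z src=10.10.10.5 dst=10.10.20.15 dport=80 proto=tcp
2020-07-01T08:01:19Z src=10.10.20.7 dst=10.10.20.15 dport=9000 proto=tcp
2020-07-01T08:02:44Z src=203.0.113.77 dst=10.10.20.15 dport=80 proto=tcp
2020-07-01T08:03:02Z src=10.10.30.9 dst=10.10.20.15 dport=9000 proto=tcp
2020-07-01T08:03:10Z src=10.10.30.9 dst=10.10.30.2 dport=443 proto=tcp
"""


def parse_record(line: str) -> dict:
    """Parses 'ts key=value ...' into a dict; dport becomes an int."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def classify_source(src: str) -> str:
    """Trust-list decision for a source address reaching an HMI.

    'allow'              -> on the trust list
    'deny-external'      -> outside the plant's address space (internet exposure)
    'deny-untrusted-zone'-> internal, but from a zone segmentation should block
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in TRUSTED_SOURCES):
        return "allow"
    if any(addr in net for net in PLANT_ADDRESS_SPACE):
        return "deny-untrusted-zone"
    return "deny-external"


def evaluate(log_text: str) -> list:
    """Applies the policy to every record whose destination is an HMI."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["dst"] not in HMI_HOSTS:
            continue  # not HMI traffic; outside this policy's scope
        verdicts.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], classify_source(rec["src"])))
    return verdicts


def denied_sources(log_text: str) -> dict:
    """Maps each source that should have been blocked to its deny reason."""
    return {src: v for _, src, _, _, v in evaluate(log_text) if v != "allow"}


if __name__ == "__main__":
    for ts, src, dst, dport, verdict in evaluate(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport} {verdict}")
    print("sources to block:", denied_sources(SAMPLE_LOG))
```

Run on the sample, the two deny verdicts are the cases the article's recommendations target: the external source is the "exposed on the open internet" scenario that a VPN gateway and firewall remove, and the internal-but-untrusted source is what zone segmentation plus a per-HMI trust list is meant to stop before an attacker who has landed elsewhere in the plant can reach the panel.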
Please look here for pseudo Snort rules to protect against exploitation of these vulnerabilities.