Critical Vulnerabilities in Tank Gauge Systems Could Lead to Remote Attacks

September 30, 2024

Critical security vulnerabilities have been identified in six different Automatic Tank Gauge (ATG) systems from five manufacturers. The flaws could expose these devices to remote attacks. "These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," said Pedro Umbelino, a researcher at Bitsight.

The analysis further found that thousands of these ATGs are exposed to the internet, making them attractive targets for malicious actors looking to stage disruptive and destructive attacks against critical infrastructure facilities such as gas stations, hospitals, airports, and military bases. ATGs are sensor systems that monitor the level of a storage tank (e.g., a fuel tank) over time in order to detect leakage and track other parameters. If the security flaws in these systems are exploited, the consequences could range from denial-of-service (DoS) to physical damage.

The 11 newly discovered vulnerabilities affect six ATG models: Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. Eight of the 11 flaws are rated critical in severity. "All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access," Umbelino said. "The most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it."

Security flaws have also been found in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution. "By sending an ENIP request with an unsupported command code, a valid encapsulation header, and at least 500 total bytes, it is possible to write past the boundary of the allocated log_msg buffer and corrupt the stack," Cisco Talos said. "Depending on the security precautions enabled on the host in question, further exploitation could be possible."
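The OpenPLC bug described above is a classic unbounded-formatting overflow: the handler for an unrecognised EtherNet/IP (ENIP) command hex-dumps the whole request into a fixed stack buffer. The following is an added illustrative example written for this page, not OpenPLC's own code or Cisco Talos' proof of concept. The 24-byte encapsulation header layout and the command codes are taken from the ENIP specification; the 1000-byte `log_msg` size, the exact format string, and the sample request are assumptions chosen so that the arithmetic matches the advisory's "at least 500 total bytes" threshold (two hex characters per byte plus a short prefix). The unsafe function is kept only for contrast with the hardened one and is never called on the sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ENIP encapsulation header: 24 bytes, all multi-byte fields little-endian. */
#define ENIP_HDR_LEN 24
#define LOG_MSG_LEN  1000   /* assumed size of the fixed log buffer */
#define SAMPLE_LEN   600    /* constructed request: above the ~500-byte overflow threshold */

typedef struct {
    uint16_t command;      /* encapsulation command code */
    uint16_t length;       /* bytes of data that follow the header */
    uint32_t session;      /* session handle */
    uint32_t status;
    uint8_t  context[8];   /* sender context, echoed back */
    uint32_t options;
} enip_header_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header; succeed only if the length field matches the bytes actually received. */
bool enip_parse_header(const uint8_t *buf, size_t len, enip_header_t *h)
{
    if (len < ENIP_HDR_LEN) return false;
    h->command = rd16(buf);
    h->length  = rd16(buf + 2);
    h->session = rd32(buf + 4);
    h->status  = rd32(buf + 8);
    memcpy(h->context, buf + 12, 8);
    h->options = rd32(buf + 20);
    return (size_t)h->length == len - ENIP_HDR_LEN;
}

/* Command codes defined by the ENIP encapsulation layer. */
static bool enip_command_supported(uint16_t cmd)
{
    switch (cmd) {
    case 0x0000: /* NOP */            case 0x0004: /* ListServices */
    case 0x0063: /* ListIdentity */   case 0x0064: /* ListInterfaces */
    case 0x0065: /* RegisterSession */case 0x0066: /* UnRegisterSession */
    case 0x006F: /* SendRRData */     case 0x0070: /* SendUnitData */
        return true;
    default:
        return false;
    }
}

/* VULNERABLE pattern (illustrative): every request byte becomes two hex characters,
 * so 500 bytes already exceed the 1000-byte buffer. No bound is ever checked. */
void log_unknown_request_unsafe(char log_msg[LOG_MSG_LEN], const uint8_t *req, size_t n)
{
    int off = sprintf(log_msg, "Unknown EtherNet/IP request: ");
    for (size_t i = 0; i < n; i++)
        off += sprintf(log_msg + off, "%02x", req[i]);   /* writes past log_msg for large n */
}

/* HARDENED: account for the remaining space on every write and stop before it runs out.
 * Returns the number of characters written (always < LOG_MSG_LEN, NUL not counted). */
size_t log_unknown_request_safe(char log_msg[LOG_MSG_LEN], const uint8_t *req, size_t n)
{
    int w = snprintf(log_msg, LOG_MSG_LEN, "Unknown EtherNet/IP request (%zu bytes): ", n);
    if (w < 0 || (size_t)w >= LOG_MSG_LEN) return 0;
    size_t off = (size_t)w;
    for (size_t i = 0; i < n && off + 2 < LOG_MSG_LEN; i++) {   /* room for 2 chars + NUL */
        w = snprintf(log_msg + off, LOG_MSG_LEN - off, "%02x", req[i]);
        if (w < 0 || (size_t)w >= LOG_MSG_LEN - off) break;
        off += (size_t)w;
    }
    return off;
}

/* Dispatcher: -1 malformed header, 0 unsupported command (safely logged), 1 supported. */
int enip_handle(const uint8_t *buf, size_t len, char log_msg[LOG_MSG_LEN], size_t *logged)
{
    enip_header_t h;
    if (!enip_parse_header(buf, len, &h)) return -1;
    if (!enip_command_supported(h.command)) {
        *logged = log_unknown_request_safe(log_msg, buf, len);
        return 0;
    }
    return 1;
}

/* Constructed sample: a SAMPLE_LEN-byte request with the given command, a consistent
 * length field, zeroed remaining header fields and 0xab filler as payload. */
static void build_sample_request(uint8_t out[SAMPLE_LEN], uint16_t cmd)
{
    uint16_t dlen = SAMPLE_LEN - ENIP_HDR_LEN;
    memset(out, 0xab, SAMPLE_LEN);
    memset(out, 0, ENIP_HDR_LEN);
    out[0] = (uint8_t)(cmd & 0xff); out[1] = (uint8_t)(cmd >> 8);
    out[2] = (uint8_t)(dlen & 0xff); out[3] = (uint8_t)(dlen >> 8);
}

/* Build the sample, present the first `len` bytes to the dispatcher, return its result. */
int sample_dispatch(uint16_t cmd, size_t len)
{
    uint8_t req[SAMPLE_LEN]; char log_msg[LOG_MSG_LEN]; size_t n = 0;
    build_sample_request(req, cmd);
    return enip_handle(req, len, log_msg, &n);
}

/* Length of the safely truncated log line for the full sample; (size_t)-1 if inconsistent. */
size_t sample_log_len(uint16_t cmd)
{
    uint8_t req[SAMPLE_LEN]; char log_msg[LOG_MSG_LEN]; size_t n = 0;
    build_sample_request(req, cmd);
    if (enip_handle(req, SAMPLE_LEN, log_msg, &n) != 0) return (size_t)-1;
    return n == strlen(log_msg) ? n : (size_t)-1;
}

int main(void)
{
    printf("unsupported 0x00ff -> %d, log length %zu (buffer %d)\n",
           sample_dispatch(0x00ff, SAMPLE_LEN), sample_log_len(0x00ff), LOG_MSG_LEN);
    return 0;
}
```

The two checks that matter are the length-field consistency test in `enip_parse_header` (a request whose header claims more or fewer bytes than arrived is rejected before any handler runs) and the `off + 2 < LOG_MSG_LEN` guard in the safe logger, which is what turns a 600-byte unsupported request into a truncated log line instead of a corrupted stack.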

Another set of security holes was found in the Riello NetMan 204 network communications card used in the company's Uninterruptible Power Supply (UPS) systems. These could allow malicious actors to take control of the UPS and even tamper with the collected log data. "Inputting the recovery code in '/recoverpassword.html' resets the login credentials to admin:admin," said Thomas Weber from CyberDanube. This could allow an attacker to hijack the device and turn it off. Both flaws remain unpatched, so users should restrict network access to these devices in critical environments until a fix is available.
