Flaws in Ovarro TBox RTUs Could Open Industrial Systems to Remote Attacks

Cyber Security

As many as five vulnerabilities have been uncovered in Ovarro’s TBox remote terminal units (RTUs) that, if left unpatched, could open the door for escalating attacks against critical infrastructures, like remote code execution and denial-of-service.

“Successful exploitation of these vulnerabilities could result in remote code execution, which may cause a denial-of-service condition,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory published on March 23.

TBox is an “all-in-one” solution for automation and control systems for supervisory control and data acquisition (SCADA) applications, with its telemetry software used for remote control and monitoring of assets in a number of critical infrastructure sectors, such as water, power, oil and gas, transportation, and process industries. TBox devices can be programmed using a software suite called TWinSoft, which allows for the creation of interactive web pages, where users will be able to monitor and control their site assets.

The flaws were detected and reported to CISA by Uri Katz, a security researcher for operational technology security company Claroty. They affect multiple products, including TBox LT2, TBox MS-CPU32, TBox MS-CPU32-S2, TBox MS-RM2, TBox TG2, and all versions of TWinSoft prior to 12.4 and TBox Firmware before 1.46.

Claroty found that of all the internet-accessible TBox RTUs that were found online, nearly 62.5% of the devices required no authentication, thus potentially enabling attackers to exploit the HTTP service and take control of the units. Most of the devices are said to be located in Canada, Germany, Thailand, and the U.S.

Further investigation into the remote terminal units revealed multiple vulnerabilities in its proprietary Modbus protocol used for communications that could be leveraged to run malicious code in TBox (CVE-2021-22646), crash a TBox system (CVE-2021-22642), and even decrypt the login password (CVE-2021-22640) by capturing the network traffic between the RTU and the software.

A fourth flaw discovered in Modbus file access functions granted an attacker elevated permissions to read, alter, or delete a configuration file (CVE-2021-22648), while CVE-2021-22644 made it possible to extract the hard-coded cryptographic key.

As a proof-of-concept, the researchers chained three of the above flaws — CVE-2021-22648, CVE-2021-22644, and CVE-2021-22646 — to access the configuration file, extract and decode the hard-coded key, and ultimately deploy a malicious update package in the RTU.

Given the prevalence of TBox RTUs in critical infrastructure, the research demonstrates the dangers involved in exposing such devices directly on the Internet, thereby posing a threat to the integrity of automation processes and public safety alike.

“Connecting unprotected critical infrastructure components to the internet carries with it unacceptable risks that industrial enterprises must make themselves aware of,” Claroty’s Katz and Sharon Brizinov noted.

“That may sound like an obvious statement, but it’s becoming increasingly clear that many organizations aren’t heeding the warnings from researchers about exposing misconfigured web-based interfaces online and mitigating control system software and firmware vulnerabilities in a timely fashion.”