The critical set of vulnerabilities allowed attackers to cause significant problems, such as taking control of the device and disrupting the water supply, among other nefarious activities.
Propump and Controls, a US-based company specializing in pumping systems and automated controls, has been found to have vulnerabilities in its Osprey Pump Controller, according to a report by Cybersecurity research firm Zero Science Lab.
The report stated that the vulnerabilities could allow hackers to cause significant problems, such as remotely taking control of the device and disrupting the water supply, among other nefarious activities.
CISA has published an advisory describing the vulnerabilities found by Krstic in the Osprey Pump Controller, and ten individual advisories describing each flaw were also published by Zero Science Lab’s website. The affected product is the Osprey Pump Controller version 1.01, which is used in pumping systems and automated controls. The following vulnerabilities have been discovered:
- Insufficient entropy CWE-331: A predictable weak session token generation algorithm could aid in authentication and authorization bypass, allowing a threat actor to hijack a session by predicting the session id and gain unauthorized access to the product. CVE-2023-28395 has been assigned to this vulnerability.
- Use of GET request method with sensitive query strings CWE-598: An unauthenticated file disclosure could allow cybercriminals to force the affected device to disclose arbitrary files and sensitive system information. CVE-2023-28375 has been assigned to this vulnerability.
- Use of hard-coded password CWE-259: The web management interface configuration can be fully accessed through a hidden administrative account that has a hardcoded password. However, this account cannot be seen in the Usernames and Passwords menu of the application, and its password cannot be changed through any regular operation of the device. CVE-2023-28654 has been assigned to this vulnerability.
- Improper neutralization of special elements used in an OS command (‘OS command injection’) CWE-78: Vulnerability could allow unauthenticated OS command injection that may lead to an attacker injecting and executing arbitrary shell commands through HTTP POST or GET parameters. CVE-2023-27886 and CVE-2023-27394 have been assigned to these vulnerabilities.
- Improper neutralization of input during web page generation (‘Cross-site scripting’) CWE-79: Inputs passed to a GET parameter are not properly sanitized before being returned to the user, which could enable attackers to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site. CVE-2023-28648 has been assigned to this vulnerability.
- Authentication bypass using an alternate path or channel CWE-288: This could enable an unauthorized user to bypass authentication and gain access to the system by creating an account through an alternate path or channel. CVE-2023-28398 has been assigned to this vulnerability.
- Cross-site request forgery (CSRF) CWE-352: HTTP requests can be used by users to carry out actions without undergoing any verification checks. This may lead to a scenario where an individual without authorization may be able to carry out actions with administrative privileges in the event a logged-in user visits a harmful website. CVE-2023-28718 has been assigned to this vulnerability.
According to Security Week, the founder and chief information security engineer of Zero Science Lab, Gjoko Krstic, attempted to report his findings to the vendor, as well as the US Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon University’s Vulnerability Information and Coordination Environment (VINCE), but the vendor has not responded, and the vulnerabilities likely remain unpatched.
According to Krstic, dozens of controllers are exposed on the internet, including in the case of the client whose network was assessed by Zero Science Lab. This means that attackers can access the controller and manipulate VFDs, change pressure, or cut down the water supply, depending on where the controller is applied.
In conclusion, the discovery of vulnerabilities in ProPump and Controls’ Osprey Pump Controller raises concerns about the security of industrial control systems. Companies need to ensure that their products are secure and that vulnerabilities are addressed in a timely and effective manner to prevent potential attacks that can lead to significant disruptions and damages.
However, as the vendor, in this case, has not responded, users of the Osprey Pump Controller need to take necessary precautions as instructed in the CISA advisory to protect their systems from possible attacks.