Risk Based Security uncovered multiple vulnerabilities in the AK-EM 800 product from SCADA vendor Danfoss.
The discovered vulnerabilities
Researchers found two critical vulnerabilities. One is effectively a backdoor into highly privileged functionality to manage the software. Although this backdoor was likely created to help the vendor’s support team log into systems to assist their clients, the password can be easily determined by attackers.
Even though the password changes over time, the research team at Risk Based Security was able to write a program that generates the correct password at any given moment. Once access is obtained in this manner, an attacker can perform various actions, including disclosing and manipulating data in the underlying database, or resetting the super administrator's password to then log in under that account with full privileges.
The other critical vulnerability relates to missing permission checks when accessing a servlet that allows sensitive database queries to be performed, for example disclosing usernames and passwords.
Other vulnerabilities allowed remote attackers to lock out accounts or local attackers to disclose passwords or gain system privileges.
An updated version is available
The release of an updated version took ten months, far beyond the 90 to 180 days normally extended by researchers to vendors to address a reported vulnerability before disclosure.
SCADA vendors in general have poor reputations when it comes to addressing reported vulnerabilities, but Risk Based Security’s research team overall found Danfoss to be highly responsive in their communications, with detailed monthly status updates and clearly established timelines.
“It’s strongly recommended that customers immediately update to the latest version 2.33. For any organizations where updating the software is not immediately possible, access should locally be restricted to trusted users while remotely restricted to trusted IPs”, says Carsten Eiram, Chief Research Officer at Risk Based Security.
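Two of the points above map directly onto code: the servlet that ran sensitive database queries without a permission check, and the compensating control Carsten Eiram recommends for installations that cannot update yet (local access limited to trusted users, remote access limited to trusted IPs). The following is an added illustration, not code from Danfoss or from the AK-EM 800; the network ranges, role names and action names are constructed placeholders. It shows a handler with the missing-authorization pattern next to a hardened handler that enforces the source-IP allowlist, authentication and a role check before the privileged operation runs, and logs every rejection so that the attempts are visible to operators.

```python
import ipaddress
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("mgmt-gate")

# Constructed allowlist (assumption: the operator's management VLAN and VPN pool).
TRUSTED_REMOTE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]
# Local access: only loopback counts as "local" here.
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Hypothetical role model; the product's real role names are not known from the article.
ROLE_PERMISSIONS = {
    "super_admin": {"db_query", "reset_password", "dashboard"},
    "operator": {"dashboard"},
}


@dataclass
class Request:
    client_ip: str
    user: Optional[str]   # None when the request carries no valid session
    role: Optional[str]
    action: str           # e.g. "db_query"


def execute(action: str) -> str:
    """Stand-in for the privileged operation (a database query in the advisory)."""
    return f"executed {action}"


def vulnerable_handler(req: Request):
    """Mirrors the pattern described in the advisory: the privileged
    operation runs without checking who is asking or where from."""
    return 200, execute(req.action)


def source_is_trusted(client_ip: str) -> bool:
    """True if the client is local (loopback) or inside a trusted remote range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOOPBACK + TRUSTED_REMOTE_NETWORKS)


def hardened_handler(req: Request):
    """Source allowlist, then authentication, then role-based permission check."""
    if not source_is_trusted(req.client_ip):
        log.warning("rejected %s from untrusted source %s", req.action, req.client_ip)
        return 403, "source not allowed"
    if req.user is None:
        log.warning("unauthenticated %s from %s", req.action, req.client_ip)
        return 401, "authentication required"
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        log.warning("user %s (%s) denied %s", req.user, req.role, req.action)
        return 403, "permission denied"
    log.info("user %s performed %s from %s", req.user, req.action, req.client_ip)
    return 200, execute(req.action)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    internet_anon = Request("203.0.113.5", None, None, "db_query")
    print(vulnerable_handler(internet_anon))   # query runs for anyone
    print(hardened_handler(internet_anon))     # rejected at the source check
```

The ordering matters for the compensating control: the IP allowlist is evaluated first, so an unpatched system exposed to the internet rejects requests before any application logic, including a backdoor login, is reached. The allowlist is a stopgap until version 2.33 is deployed, not a replacement for it, because it does nothing against a client that is already inside a trusted range.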