Two critical vulnerabilities in a food-quality management software package would allow adversaries to completely compromise the system.
The issues affect the AK-EM 800 product from SCADA vendor Danfoss. It’s an enterprise management solution for the food retail industry that provides a central architecture for alarm management, automatic data collection and food-quality reporting.
“The vulnerabilities that Risk Based Security disclosed in the Danfoss product would allow an attacker to basically gain access to administration functions,” said Jake Kouns, CISO of Risk Based Security, speaking to Threatpost. “It would make it hard for an organization to have full confidence that the software is functioning as expected. This could potentially allow an attacker to manipulate or delete data, modify or disable alarms which could potentially impact food quality reports. We recommend that all organizations using the Danfoss product conduct their own risk assessment and determine appropriate timelines for implementing the patch.”
According to Risk Based Security, one of the flaws is a poorly authenticated backdoor debug tool, likely originally created to help the vendor’s support team log into systems to assist their clients. As such, it offers access to highly privileged functionality, including full management of the software.
The issue is that even though the password for the interface is dynamically generated, it is done in a predictable manner based on the system date.
Thus, “the password can be easily determined by attackers,” researchers said in an analysis on Wednesday. “Even though the password fluidly changes, the research team at Risk Based Security was able to write a program that generates the correct password at any given time.”
Researchers said that once access is obtained, an attacker can run SQL queries to disclose and manipulate data in the underlying database, or reset the super administrator’s password to then log in under that account with full privileges.
The other critical vulnerability arises from missing permission checks when accessing a servlet that allows sensitive database queries to be performed, for example disclosing usernames and passwords, according to the firm.
“One of the servlets provided by the undocumented debugging feature is downloadLogFiles,” according to the report. “This servlet serves two purposes as controlled by the ‘queryOrdownload’ parameter: downloading of log files or executing SQL queries passed via the ‘queryParam’ parameter and returning the results to the user. This functionality is only intended to be accessible to the debug backdoor account once successfully authenticated. However, due to missing authentication checks in the servlet it is possible for unauthenticated, remote attackers to access the functionality via direct requests.”
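Because the servlet answers direct, unauthenticated requests, web-server access logs are one of the few places a defender can see it being used. The script below is an added example, not code from Risk Based Security, Danfoss or Threatpost: it parses Tomcat-style common-log-format lines and flags every request to the downloadLogFiles servlet, escalating when the queryParam (SQL execution) parameter is present or when the source address is outside a trusted management network. The servlet path prefix, the client addresses, the timestamps and the trusted network range are assumptions constructed for the example; only the servlet name and the two parameter names come from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access log lines in common log format. The servlet path
# "/akem800/downloadLogFiles", the client addresses and the timestamps are
# assumptions made for this example; only the servlet name and its two
# parameters ("queryOrdownload", "queryParam") come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2019:10:14:02 +0000] "GET /akem800/index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jun/2019:10:15:31 +0000] "GET /akem800/downloadLogFiles?queryOrdownload=query&queryParam=SELECT+1 HTTP/1.1" 200 88
10.0.0.9 - - [12/Jun/2019:10:16:05 +0000] "GET /akem800/downloadLogFiles?queryOrdownload=download HTTP/1.1" 200 240011
198.51.100.4 - - [12/Jun/2019:10:17:44 +0000] "POST /akem800/downloadLogFiles?queryOrdownload=query&queryParam=SELECT+version%28%29 HTTP/1.1" 200 64
"""

# Networks from which debug-servlet access is expected (assumption: the
# operator's management LAN). Anything else is treated as untrusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

DEBUG_SERVLET = "downloadLogFiles"

# Common log format: ip ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Split one common-log-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(entry):
    """Return the reasons a request is worth alerting on (empty list if none)."""
    url = urlsplit(entry["target"])
    if url.path.rsplit("/", 1)[-1] != DEBUG_SERVLET:
        return []
    params = parse_qs(url.query)
    reasons = ["debug_servlet_access"]
    # queryParam is the SQL-execution path; flag on its presence as well as on
    # the mode flag, since a client controls both.
    if "queryParam" in params or params.get("queryOrdownload") == ["query"]:
        reasons.append("sql_query")
    if not is_trusted(entry["ip"]):
        reasons.append("untrusted_source")
    return reasons


def find_suspicious(log_text):
    """Scan an access log and return (ip, timestamp, reasons) for flagged requests."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that do not match the expected format
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["ts"], reasons))
    return findings


if __name__ == "__main__":
    for ip, ts, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip}: {', '.join(reasons)}")
```

The access log's authenticated-user field is not used as a signal, because the advisory's point is precisely that the servlet never authenticates the caller; every request to it is worth recording, and the SQL-execution parameter plus an unexpected source address are what raise the severity. Feed the script a real access log instead of SAMPLE_LOG, and adjust TRUSTED_NETWORKS and the path prefix to the deployment.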
Risk Based Security also found a handful of other vulnerabilities, including flaws that allow remote attackers to lock out accounts, and bugs that allow local attackers to disclose passwords or gain SYSTEM privileges.
For instance, the Danfoss AK-EM 800 installs four default user accounts for web management (‘admin’, ‘administrator’, ‘user’, and ‘guest’) with a default password of ‘danfoss’ for all.
“While this is publicly known and documented in the user guide … In this case, the accounts cannot be disabled,” the firm said. “While a user is asked to change the default password for the account when logging in for the first time, there is a risk that system administrators may not log in as each account and change the default password. If they fail to do so, a remote attacker may trivially gain access to the web-based management interface.”
The system also includes many older third-party components with known vulnerabilities, the researchers found: “These include MySQL version 5.1.53 from 2010, which runs with SYSTEM privileges and is remotely accessible, Tomcat version 7.0.57 from 2014, which also runs with SYSTEM privileges, as well as many different Java libraries.”
Danfoss has patched the issues (version 2.33, released this week). For organizations where updating the software is not immediately possible, Risk Based Security recommends restricting local access to trusted users and remote access to trusted IP addresses. As for the third-party components, Risk Based Security said that patches are forthcoming.
“Overall, there are no local security boundaries in vulnerable versions and while not stated anywhere in the product documentation, the software should only be installed on secured systems with trusted users,” according to the report. “Similarly, as the product does not honor least-privilege security recommendations, any remote compromise would lead to complete control over the system with SYSTEM privileges.”