What is the MAGLINK LX Console?

The MAGLINK LX Console is a product from Dover Fueling Solutions (DFS), a division of Dover Corporation. It is designed for monitoring fuel tanks and is part of a range of solutions including advanced fuel dispensing equipment, electronic systems and payment, fleet systems, automatic tank gauging, and wetstock management.

What vulnerabilities have been reported in the MAGLINK LX Console?

CISA has reported high and critical severity vulnerabilities in the MAGLINK LX Console. These vulnerabilities can potentially grant an attacker full system access. The specific vulnerabilities are tracked as CVE-2023-41256 (authentication bypass), CVE-2023-36497 (inadequate access control), and CVE-2023-38256 (path traversal).

What are the potential risks associated with these vulnerabilities?

The successful exploitation of these vulnerabilities could allow an attacker to gain full system access, potentially compromising the security and integrity of the MAGLINK LX Console.

Has there been any known public exploitation of these vulnerabilities?

As of now, there have been no known reports of public exploitation targeting these vulnerabilities.

Advisory

Critical Vulnerability in Dover Fueling Solutions MAGLINK LX Console

Q: How can these vulnerabilities be mitigated?

Dover Fueling Solutions has addressed these vulnerabilities by releasing MAGLINK LX 4. CISA recommends defensive measures to reduce the risk of exploitation, including minimizing network exposure, firewall placement, and the use of secure remote access methods like VPNs.

published: Sept. 7, 2023

Take action: If you are using a vulnerable Dover Fueling Solutions MAGLINK LX Console, replace it with a new version. If that's not an option, isolate the console in a non-exposed network and use VPN to connect to the console.

Learn More

CISA reports high severity and critical severity flaws in Dover Fueling Solutions MAGLINK LX Console. Dover Fueling Solutions (DFS), a part of Dover Corporation that delivers advanced fuel dispensing equipment, electronic systems and payment, fleet systems, automatic tank gauging and wetstock management. MAGLINK LX Console is provides monitoring of fuel tanks.

Successful exploitation of these vulnerabilities could grant an attacker full system access. The vulnerabilities are tracked as:

CVE-2023-41256 (CVSS3 score 9.1) - AUTHENTICATION BYPASS VIA ALTERNATE PATH OR CHANNEL - This vulnerability allows unauthorized access by bypassing authentication, potentially granting an attacker user access via the MAGLINK LX Web Console.
CVE-2023-36497 (CVSS3 score 8.8) - INADEQUATE ACCESS CONTROL - The affected product may permit a guest user to escalate privileges to admin status through the MAGLINK LX Web Console.
CVE-2023-38256 (CVSS3 score 6.8) - PATH TRAVERSAL - This vulnerability exposes the system to a path traversal attack, potentially allowing an attacker to access stored files.

The following versions of MAGLINK LX Web Console Configuration are affected:

MAGLINK LX Web Console Configuration: version 2.5.1
MAGLINK LX Web Console Configuration: version 2.5.2
MAGLINK LX Web Console Configuration: version 2.5.3
MAGLINK LX Web Console Configuration: version 2.6.1
MAGLINK LX Web Console Configuration: version 2.11
MAGLINK LX Web Console Configuration: version 3.0
MAGLINK LX Web Console Configuration: version 3.2
MAGLINK LX Web Console Configuration: version 3.3*

Dover Fueling Solutions announced the end-of-life for MAGLINK LX 3 in 2023 and released MAGLINK LX 4, which addresses these vulnerabilities. CISA recommends defensive measures to reduce the risk of exploitation, including network exposure minimization, firewall placement, and the use of secure remote access methods like VPNs.
No known public exploitation targeting these vulnerabilities has been reported.

Critical Vulnerability in Dover Fueling Solutions MAGLINK LX Console

Read More
QNAP patches multible security vulnerabilities in legacy VioStor …
Critical vulnerability exposes Mitsubishi Electric Air Conditioning Controllers …
Hitachi Energy patches critical RCE flaw in Asset …
CISA reports critical authentication vulnerability in AutomationDirect MB-Gateway …
Rockwell Automation patches critical flaws in ThinManager ThinServer