Advisory

PiiGAB product vulnerable to potentially critical exploits

Take action: This is a massive finding for a common industrial control system, and it will not be easy to patch. Try to lock it down as much as possible in an isolated network, but definitely try to persuade management to allow for patching, because someone will eventually expose these devices to the internet.



Researchers have uncovered a series of potentially significant vulnerabilities in a product developed by PiiGAB, a prominent Swedish company specializing in industrial and building automation solutions.

The severity ratings assigned to the majority of these vulnerabilities are either 'critical' or 'high,' emphasizing the potential impact of successful exploitation.

The product in question is the M-Bus 900s gateway/converter, designed to facilitate remote monitoring of devices utilizing the M-Bus protocol.

The researchers highlighted the versatility of the product, explaining that it is utilized to communicate with various industrial control systems, including electricity meters, water meters, heat pumps, cooling units, and PLC devices. This wide range of applications makes the product a potential target for attackers seeking to compromise the larger ecosystem of industrial control systems.

Following the discovery of these vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory outlining the security issues identified by the researchers. The vendor, PiiGAB, has been promptly notified and has released updates aimed at addressing the identified security flaws.

The vulnerabilities encompass a range of issues, including:

  • code injection,
  • inadequate rate limiting of login attempts,
  • hardcoded and plaintext credentials,
  • weak passwords,
  • cross-site scripting (XSS),
  • cross-site request forgery (CSRF).

If successfully exploited, these vulnerabilities could enable attackers to execute arbitrary commands, launch brute-force attacks, gain unauthorized access to systems, obtain elevated privileges, and deceive legitimate users into executing malicious commands.

The researchers clarified that some of the vulnerabilities can be exploited without the need for elevated privileges. For instance, initial access through brute-force attacks or bypassing authentication using cross-site request forgery techniques may not require high-level privileges. However, other vulnerabilities, such as code injection, can only be exploited by an attacker who already has limited privileges.

Exploitation of these vulnerabilities within an industrial organization could have far-reaching consequences. As the compromised devices are connected to critical industrial control systems such as PLCs, sensors, and actuators, successful attacks could severely impact industrial processes. With the ability to gain remote control over the PiiGAB device, an attacker could conduct network pivoting, facilitating access to the local industrial network.

Additionally, the attacker could monitor network traffic to gather credentials used for accessing other systems, conduct denial-of-service attacks, or exfiltrate confidential data.

A Shodan search revealed over 600 internet-exposed instances of the PiiGAB M-Bus product, making them potentially vulnerable to direct web-based attacks.
