Our new Biannual ICS Risk & Vulnerability Report is the most up-to-date look at CVEs disclosed in OT devices.
Check it out!
Claroty Uncovers Vulnerabilities in TBox RTUs
By Uri Katz and Sharon Brizinov | March 23, 2021
The Claroty Research Team found and disclosed vulnerabilities affecting Ovarro’s TBox remote terminal units (RTUs) and its TWinSoft engineering software that left these devices exposed to the internet and unprotected from threat actors, regardless of their capabilities.
Key findings include:
Ovarro has patched all of the vulnerabilities privately disclosed by Claroty in TBox firmware version 1.46 and TWinSOft version 12.4. All users are urged to update immediately. All TBox models are affected, as are all versions prior to TWinSoft 12.4.
ICS-CERT has published an advisory with technical details for all affected products, as well as mitigation advice.
TBox RTUs have a web interface that is used for remote automation and monitoring of assets in a number of critical infrastructure sectors.
Claroty researchers found vulnerabilities in implementations of Ovarro’s proprietary version of the Modbus protocol, allowing them to modify ipk update packages with malicious code
Claroty also discovered denial-of-service, memory corruption, and security bypass vulnerabilities in TBox.
These vulnerabilities demonstrate the risks of connecting critical infrastructure to the internet, and the need to securely configure authentication for devices, and promptly address software and firmware vulnerabilities.
Connecting unprotected critical infrastructure components to the internet carries with it unacceptable risks that industrial enterprises must make themselves aware of.
That may sound like an obvious statement, but it’s becoming increasingly clear that many organizations aren’t heeding the warnings from researchers about exposing misconfigured web-based interfaces online and mitigating control system software and firmware vulnerabilities in a timely fashion.
Relatively simple configuration mistakes such as not setting a password—or leaving default passwords in place—for devices can put infrastructure that monitors critical systems within reach of script kiddies as well as advanced attackers. Online tools, such as the Shodan internet search engine, can quickly enumerate specific types of machines connected to the internet, and in an instant, eradicate an organization’s belief that a device’s specific IP address won’t be found among tens of millions of others. It will.
Claroty’s latest research into Ovarro’s TBox remote terminal units (RTUs) exposed several vulnerabilities that fit into this scenario. We also found other vulnerabilities that an advanced attacker could use to bypass existing protections in order to access devices and either disrupt them or execute code.
The risks associated with these flaws threaten not only the integrity of automation processes, but also, in some cases public safety. Using these security shortcomings, we were able to find web-based interfaces, similar to HMIs, that monitor process levels and other industrial activity. We’ve seen in the past what could go wrong when such an interface is exposed to the internet without security; the fact such interfaces are exposed online removes many barriers to entry for adversaries of all types.
Example of web-based automation interface discovered by Claroty researchers (1 of 3).
Example of web-based automation interface discovered by Claroty researchers (2 of 3).
Example of web-based automation interface discovered by Claroty researchers (3 of 3).
As we said, these devices may be exploited by opportunistic attackers, as well as those that are more skilled and resourced. Claroty noted in its Biannual ICS Risk & Vulnerability Report: 2H 2020 that new researchers are emerging with a focus on ICS vulnerabilities; we found 50 new research groups that published vulnerabilities in the second half of 2020 that had not published in the previous two years. We’ve already seen some indications that attackers, such as in the case of the Israel Water Authority attacks of 2020 and Oldsmar, are making their way onto networks as a demonstration of capabilities. In each case, the vulnerabilities they’re exploiting could be addressed through improved security architecture and basic security hygiene around access controls and system configurations.
This was probably best illustrated through a May 2020 incident when Palestinian hackers who call themselves the Jerusalem Electronic Army published a handful of social media posts claiming access to control systems within Israel’s water infrastructure. The posts included screenshots of web-based HMIs that showed the group had access to control systems monitoring thermal water processes. Israel’s CERT and Claroty researchers determined that these systems were not password-protected and were easy pickings for any attention-seeking or advanced adversary.
Claroty’s research into the ubiquitous TBox remote terminal units (RTUs) is important work in closing off exposures of this type. RTUs are increasingly connected industrial assets that exchange telemetry with SCADA systems or distributed control systems. Ovarro is a leader in this space, and its TBox RTUs are prevalent in critical infrastructure, specifically in the water, power, oil & gas, transportation, and process industries, enabling remote control and monitoring of applications and processes.
According to Ovarro, TBox is a secure and powerful RTU solution for remote automation and monitoring of critical assets. In other words, it allows users to control and monitor remote processes via a dedicated web interface similarly to how a HMI controls a PLC, in one packed platform.
TBox platform by Ovarro.
The Claroty Research Team early last year took a comprehensive look at the security of TBox RTUs, and found critical vulnerabilities that, if exploited, allow attackers to crash these devices or remotely execute code. All of the issues have been patched by Ovarro, which along with ICS-CERT, have published advisories with technical details and mitigation information.
How Common are These Devices?
We used open source intelligence sources such as Shodan to compile some statistics on the availability of these devices online. Of all the internet-connected TBox RTUs we found online, only 37% had some sort of authentication protecting the device. Most of the devices were found in Canada, Germany, Thailand, and the United States.
The following graph describes the Internet-facing HTTP service running on TBox devices that are directly accessible via the Internet. These HTTP services run the HMI web interface. As we can see, 62.5% don’t require authentication and therefore can enable any visitor to this service to control the RTU in hand or read data presented in the custom HMI panel configured on the device.
Connected TBox RTUs with authentication.
The next graph describes the distribution of internet-facing devices that have either MODBUS or HTTP services accessible via standard internet connection broken down by region.
Exposed TBox RTUs by country.
Claroty conducted its analysis of TBox on the LT2-530, version 1.44 build 485, and TWinSoft engineering software version 12.2.1, build 1545. The TBox RTU uses a default proprietary Modbus protocol for communication; SSH may be enabled for uploading files to the RTU and for firmware updates.
In its research, the Claroty Research Team was able to bypass and exploit vulnerabilities in each of these communication channels, eventually executing code remotely on the RTU regardless of any security mechanisms enabled.
Code Execution Through Update Packages
Attacks against the TBox RTU required targeting Modbus and eventually using update packages for code execution. TBox’s custom Modbus protocol implements updates using ipk packages, which are uploaded to a temporary file before an update command with the ipk file name is sent to the RTU where it is extracted to a directory. Claroty was able to modify the update package file before it’s sent to the RTU, writing any file to any location on the RTU including malicious executables that would launch when TBox restarts.
Denial of Service through Modbus File Access
The proprietary Modbus protocol handles a number of file operations, including read, write, and remove. The main RTU software, running as root, handles file access. We were able to override the RTU main configuration file, and either change or delete it, making it unstable until a root access user restores the configuration.
Modbus RTU Reset, Memory Corruptions
Prior to patching, TBox software running on the RTU would assume any Modbus frames it receives are valid. A specially crafted Modbus packet crashes the main program.
Bypassing Global/Enhanced Protection
Researchers were also able to bypass Global/Enhanced protection features in TBox, which is intended to limit file access; to do so we were able to decrypt passwords from communication between the RTU and engineering software, as well as bypass protections using a configuration read.
This video shows three vulnerabilities (CVE-2021-22648, CVE-2021-22644, and CVE-2021-22646) chained together to allow for code execution on a protected TBox RTU. First, the configuration file is read from the device using the MODBUS protocol. Next, the encrypted passwords are extracted and decrypted using a hardcoded key. After obtaining the plain-text credentials, a malicious update package containing an executable file in /etc/exec_test is downloaded to the RTU.
TBoxLT2 (all models)
TBox MS-RM2 (all models)
TBox TG2 (all models)
All versions prior to TWinSoft 12.4 and prior to TBox Firmware 1.46
TWinSoft version 12.4 and TBox firmware version 1.46 mitigate these vulnerabilities.
CISA also recommends minimizing the exposure of these devices to the internet, isolating control system networks and devices from business networks, and using VPNs for remote access.
CWE-94 Improper Control of Generation of Code (Code Injection)
CVSS v3 Score: 8.8
This vulnerability and CVE-2021-22648 were the most severe among the vulnerabilities uncovered by Claroty researchers. With CVE-2021-22646, an attacker can exploit an ipk package update generated in TwinSoft engineering software to run malicious code in TBox.
CWE-732 Incorrect Permission Assignment for Critical Resource
CVSS v3 Score: 8.8
This vulnerability was found in the TBox proprietary Modbus file access functions that allow an attacker to read, alter, or delete a configuration file.
Uncontrolled Resource Consumption CWE-400
CVSS v3 Score: 7.5
A specially crafted Modbus frame can be used to crash a TBox system.
Insufficiently Protected Credentials CWE-522
CVSS v3 Score: 7.5
An attacker can decrypt the login password by communication capture and brute force attacks.
Use of Hard-Coded Cryptographic Key CWE-321
CVSS v3 Score: 7.5
TWinSoft uses a custom hardcoded user and cryptographic hardcoded key.
VisibleRisk, a cybersecurity ratings company funded by Moody’s and Team8, provided information that contributed to this research. We would like to thank Shahar Bahat and Oran Moyal, members of the research team at VisibleRisk, for their assistance with OSINT research.