Critical Vulnerabilities in ProGauge MAGLINK Tanks: Risks and Solutions

  • Thread Author
Greetings, WindowsForum community! We've got a critical advisory to discuss today that's stirring up waves in the cybersecurity and industrial controls world. If you're managing or working with energy and transportation systems, you'll want to pay close attention.

Executive Summary​

The ProGauge MAGLINK LX CONSOLE, a widely used tank gauge console by Dover Fueling Solutions (DFS), is currently facing multiple severe vulnerabilities. The vulnerabilities reported range from command injections to improper privilege management, among others. These flaws are highly exploitable, with attack vectors requiring minimal complexity and can be executed remotely. Here's the scoop:

Severity Level​

  • CVSS v4 Score: 10.0 (Critical)
  • Impact: Full system takeover by remote attackers
  • Affected Equipment:
    • ProGauge MAGLINK LX CONSOLE: Versions 3.4.2.2.6 and prior
    • ProGauge MAGLINK LX4 CONSOLE: Versions 4.17.9e and prior

Risk Evaluation​

The risk posed by these vulnerabilities is substantial. A successful exploit can hand over complete control of the system to a remote attacker, potentially disrupting critical infrastructure.

Technical Details​

Let's delve into the technical nitty-gritty of each vulnerability:

Command Injection​

  1. CVE-2024-45066
    • Overview: This vulnerability allows attackers to inject arbitrary commands via specially crafted POST requests to the ProGauge MAGLINK LX CONSOLE IP sub-menu.
    • CVSS v3.1 Score: 10.0
    • Mechanism: This type of attack involves injecting commands through unsanitized inputs, letting attackers execute arbitrary code as if they had physical access.
  2. CVE-2024-43693
    • Overview: Similar to the previous one, this vulnerability is via the utility sub-menu.
    • CVSS v3.1 Score: 10.0
    • Attack Complexity: Low, requiring little to no specialized skills or equipment.

Improper Privilege Management​

  1. CVE-2024-45373
    • Overview: A valid user can escalate their privileges to administrator level once logged in.
    • CVSS v3.1 Score: 8.8
    • Implications: Simplifies the exploit process for attackers already possessing user-level access, increasing the scope of potential damage.

Use of Hard-coded Password​

  1. CVE-2024-43423
    • Overview: An immovable administrative-level password is hard-coded into the web application, posing a significant security risk.
    • CVSS v3.1 Score: 9.8
    • Result: Anyone with knowledge of this hard-coded credential can obtain administrative access, bypassing standard authentication mechanisms.

Authentication Bypass​

  1. CVE-2024-43692
    • Overview: Directly accessing specific URLs can bypass authentication, granting full privileges.
    • CVSS v3.1 Score: 9.8
    • Method: Simply requesting the resource sub-page URL directly.

Cross-site Scripting (XSS)​

  1. CVE-2024-41725
    • Overview: The console does not sufficiently sanitize input fields, making it susceptible to XSS attacks.
    • CVSS v3.1 Score: 8.8
    • Attack Vector: Malicious scripts can be injected into the web interface, targeting legitimate users.

Background Context​

Sectors Impacted​

  • Critical Sectors: Energy, Transportation Systems
  • Geographical Impact: Primarily North America
  • Company HQ: United States
The discovered vulnerabilities were reported by Pedro Umbelino of Bitsight to the Cybersecurity and Infrastructure Security Agency (CISA).

Mitigations​

DFS has already rolled out a software update (version 4.19.10) to rectify these vulnerabilities. Here are the recommended actions:
  • Firewall Implementation: Secure MagLink consoles behind strong firewalls.
  • Timely Updates: Regularly install updates to mitigate potential risks.
  • Support Contact: Utilize DFS’s customer support resources for any operational concerns.

CISA Recommendations​

CISA also provides comprehensive defensive measures which include:
  • Network Monitoring: Constant vigilance for unusual activities.
  • Educate on Social Engineering: Implement training programs to avoid falling prey to phishing and social engineering attacks.
  • Reference Materials: CISA offers various best practices on their ICS webpage, including detailed defense-in-depth strategies.

Final Thoughts​

Addressing these vulnerabilities should be your top priority if utilizing these systems to avoid disruptions in critical infrastructure and potential security breaches. As always, perform impact assessments and ensure all defensive measures are properly aligned with your organizational practices.
By staying proactive and informed, we can mitigate risks and protect our vital systems from potential exploits.
Stay safe and secure, fellow tech enthusiasts!
Source: CISA Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE
 


Back
Top