Source URL: https://www.theregister.com/2024/09/24/critical_bugs_fuel_storage_tanks/
Source: The Register
Title: 10 nasty bugs put thousands of fuel storage tanks at risk of attacks
Feedly Summary: Thousands of devices remain vulnerable and the US is most exposed to the threat
Tens of thousands of fuel storage tanks in critical infrastructure facilities remain vulnerable to zero-day attacks due to buggy Automatic Tank Gauge systems from multiple vendors, say infosec researchers. …
AI Summary and Description: Yes
Summary: The report highlights critical security vulnerabilities in Automatic Tank Gauge (ATG) systems used in fuel storage, posing significant risks to critical infrastructure due to the potential for remote exploitation. With 10 disclosed CVEs across multiple vendors and a concerning lack of fixes for some, industry professionals in security and infrastructure must prioritize their mitigation strategies to address these vulnerabilities effectively.
Detailed Description: The text discusses the discovery of ten critical vulnerabilities (CVEs) affecting Automatic Tank Gauge (ATG) systems, which play a vital role in monitoring fuel levels in storage tanks. The vulnerabilities, primarily affecting products from vendors like Dover Fueling Solutions and Franklin Fueling Systems, could allow attackers to gain full administrative access and manipulate critical fuel storage parameters, leading to severe physical and environmental damage. Key points include:
– **Vulnerabilities Overview:**
– Ten CVEs were identified, with seven rated critical, enabling full administrator privileges.
– Vulnerable ATGs can be exploited to cause real-world consequences such as fuel spills and environmental hazards.
– **Key Vulnerabilities:**
– CVE-2024-45066 and CVE-2024-43693: OS command injection flaws, rated 10/10.
– CVE-2024-43423: Hardcoded credentials vulnerability with a 9.8 rating in DFS’s Maglink LX4.
– CVE-2024-8310: Authentication bypass in OPW’s SiteSentinel, also rated 9.8, with no patch available.
– **Exploitability:**
– All identified vulnerabilities are remotely exploitable and have low attack complexity, making them particularly dangerous.
– The physical impact can include overflowing tanks due to altered capacity settings or disabling safety alarms.
– **Mitigation Recommendations:**
– CISA advises isolating these systems from business networks and ensuring they are not accessible from the public internet.
– If remote access is necessary, secure VPN usage is highly recommended.
– **Challenges in Patching:**
– Many of these devices are hard to patch, often requiring physical access for fixes, which complicates timely remediation.
– Some devices remain vulnerable with no available fixes due to vendor discontinuation of support for older models.
In conclusion, the vulnerabilities disclosed bear significant implications for security and compliance professionals, emphasizing the need for diligent risk management and effective remediation strategies within industrial control systems. Organizations must be proactive in addressing these vulnerabilities to safeguard their operations and comply with security best practices.