Cyber Security News

Multiple 0-Day Flaws in Automated Tank Gauge Systems Threaten Critical Infrastructure

Cybersecurity researchers from BitSight TRACE have uncovered multiple 0-day vulnerabilities in Automated Tank Gauge (ATG) systems, which are integral to managing fuel storage tanks across various critical infrastructures.

These vulnerabilities in six ATG systems from five vendors pose significant threats to public safety and economic stability.

The flaws could potentially be exploited by malicious actors to cause physical damage, environmental hazards, and economic losses.

The Role of ATG Systems in Critical Infrastructure

Automatic Tank Gauging (ATG) systems are designed to automatically measure and record product level, volume, and temperature in storage tanks.

These systems are used in gas stations and are prevalent in military bases, hospitals, airports, emergency services, and power plants.

They are crucial in ensuring compliance with environmental regulations and optimizing inventory management. However, their exposure to the internet makes them vulnerable targets for cyberattacks.

“Voltage of Team OneFist,” associated with cyberattacks targeting Russian infrastructure, claims the takedown of several devices, one OPW tank gauge included (source: BitSight)

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Details of the Vulnerabilities

The investigation by BitSight TRACE identified 11 vulnerabilities across several ATG models. These include OS command injection, authentication bypasses, hardcoded credentials, and SQL injection vulnerabilities.

Each flaw allows attackers to gain full administrative control over the ATG systems.

The vulnerabilities have been assigned CVE identifiers with critical CVSS scores, highlighting their severity: here is a summary of the CVE table data related to the vulnerabilities found in Automated Tank Gauge (ATG) systems:

ProductVulnerability TypeCVECVSS 3.1 Score
Maglink LXOS Command InjectionCVE-2024-4506610.0
Maglink LXOS Command InjectionCVE-2024-4369310.0
Maglink LX4Hardcoded CredentialsCVE-2024-434239.8
OPW SiteSentinelAuthentication BypassCVE-2024-83109.8
Proteus® OEL8000Authentication BypassCVE-2024-69819.8
Maglink LXAuthentication BypassCVE-2024-436929.8
Alisonic SibyllaSQL InjectionCVE-2024-86309.4
Maglink LXXSSCVE-2024-417258.8
Maglink LX4Privilege EscalationCVE-2024-453738.8
Franklin TS-550Arbitrary File ReadCVE-2024-84977.5

These security flaws reflect fundamental design issues that should have been addressed long ago.

Automatic Tank Gauges Vulnerabilities by Product(source: BitSight)

The exploitation of these vulnerabilities could lead to severe consequences:

  1. Denial of Service (DoS): Attackers could disable ATG systems by reconfiguring settings or flashing faulty firmware.
  2. Physical Damage: By altering critical parameters such as tank geometry and capacity, attackers could cause fuel leaks or disable alarms.
  3. Data Theft: Sensitive operational data could be captured and sold to third parties.
  4. Network Intrusion: Vulnerable ATG systems could serve as entry points for further attacks on internal networks.

These scenarios underscore the urgent need for enhanced security measures to protect these systems from exploitation.

Coordinated Efforts for Mitigation

BitSight has been working closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to mitigate these vulnerabilities through responsible disclosure.

They have collaborated with affected vendors for six months to develop remediation strategies.

CISA has published advisories to guide organizations in securing their ATG systems against potential attacks.

The discovery of these vulnerabilities highlights the critical need for improved cybersecurity practices in industrial control systems like ATGs.

These systems are integral to national infrastructure, so their security must be prioritized to prevent potential disasters. Organizations are urged to disconnect ATGs from the internet and implement robust security measures to safeguard against future threats.

Image of an Automated Tank Gauge SystemAs the industry moves towards a “secure by design” philosophy, it is imperative that manufacturers and operators work together to address these vulnerabilities and protect critical infrastructure from cyber threats. 

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago