Cybersecurity researchers from BitSight TRACE have uncovered multiple 0-day vulnerabilities in Automated Tank Gauge (ATG) systems, which are integral to managing fuel storage tanks across various critical infrastructures.
These vulnerabilities in six ATG systems from five vendors pose significant threats to public safety and economic stability.
The flaws could potentially be exploited by malicious actors to cause physical damage, environmental hazards, and economic losses.
Automatic Tank Gauging (ATG) systems are designed to automatically measure and record product level, volume, and temperature in storage tanks.
These systems are used in gas stations and are prevalent in military bases, hospitals, airports, emergency services, and power plants.
They are crucial in ensuring compliance with environmental regulations and optimizing inventory management. However, their exposure to the internet makes them vulnerable targets for cyberattacks.
The investigation by BitSight TRACE identified 11 vulnerabilities across several ATG models. These include OS command injection, authentication bypasses, hardcoded credentials, and SQL injection vulnerabilities.
Each flaw allows attackers to gain full administrative control over the ATG systems.
The vulnerabilities have been assigned CVE identifiers with critical CVSS scores, highlighting their severity. The table below summarizes the CVEs for the affected ATG systems:
| Product | Vulnerability Type | CVE | CVSS 3.1 Score |
| --- | --- | --- | --- |
| Maglink LX | OS Command Injection | CVE-2024-45066 | 10.0 |
| Maglink LX | OS Command Injection | CVE-2024-43693 | 10.0 |
| Maglink LX4 | Hardcoded Credentials | CVE-2024-43423 | 9.8 |
| OPW SiteSentinel | Authentication Bypass | CVE-2024-8310 | 9.8 |
| Proteus® OEL8000 | Authentication Bypass | CVE-2024-6981 | 9.8 |
| Maglink LX | Authentication Bypass | CVE-2024-43692 | 9.8 |
| Alisonic Sibylla | SQL Injection | CVE-2024-8630 | 9.4 |
| Maglink LX | XSS | CVE-2024-41725 | 8.8 |
| Maglink LX4 | Privilege Escalation | CVE-2024-45373 | 8.8 |
| Franklin TS-550 | Arbitrary File Read | CVE-2024-8497 | 7.5 |
These security flaws reflect fundamental design issues that should have been addressed long ago.
The exploitation of these vulnerabilities could lead to severe consequences:
These scenarios underscore the urgent need for enhanced security measures to protect these systems from exploitation.
BitSight has been working closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to mitigate these vulnerabilities through responsible disclosure.
They have collaborated with affected vendors for six months to develop remediation strategies.
CISA has published advisories to guide organizations in securing their ATG systems against potential attacks.
The discovery of these vulnerabilities highlights the critical need for improved cybersecurity practices in industrial control systems like ATGs.
These systems are integral to national infrastructure, so their security must be prioritized to prevent potential disasters. Organizations are urged to disconnect ATGs from the internet and implement robust security measures to safeguard against future threats.
As the industry moves towards a “secure by design” philosophy, it is imperative that manufacturers and operators work together to address these vulnerabilities and protect critical infrastructure from cyber threats.