Cyber Security News

Multiple 0-Day Flaws in Automated Tank Gauge Systems Threaten Critical Infrastructure

Cybersecurity researchers from BitSight TRACE have uncovered multiple 0-day vulnerabilities in Automated Tank Gauge (ATG) systems, which are integral to managing fuel storage tanks across various critical infrastructures.

These vulnerabilities in six ATG systems from five vendors pose significant threats to public safety and economic stability.

The flaws could potentially be exploited by malicious actors to cause physical damage, environmental hazards, and economic losses.

The Role of ATG Systems in Critical Infrastructure

Automatic Tank Gauging (ATG) systems are designed to automatically measure and record product level, volume, and temperature in storage tanks.

These systems are used in gas stations and are prevalent in military bases, hospitals, airports, emergency services, and power plants.

They are crucial in ensuring compliance with environmental regulations and optimizing inventory management. However, their exposure to the internet makes them vulnerable targets for cyberattacks.

“Voltage of Team OneFist,” associated with cyberattacks targeting Russian infrastructure, claims the takedown of several devices, one OPW tank gauge included (source: BitSight)

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Details of the Vulnerabilities

The investigation by BitSight TRACE identified 11 vulnerabilities across several ATG models. These include OS command injection, authentication bypasses, hardcoded credentials, and SQL injection vulnerabilities.

Each flaw allows attackers to gain full administrative control over the ATG systems.

The vulnerabilities have been assigned CVE identifiers with critical CVSS scores, highlighting their severity: here is a summary of the CVE table data related to the vulnerabilities found in Automated Tank Gauge (ATG) systems:

ProductVulnerability TypeCVECVSS 3.1 Score
Maglink LXOS Command InjectionCVE-2024-4506610.0
Maglink LXOS Command InjectionCVE-2024-4369310.0
Maglink LX4Hardcoded CredentialsCVE-2024-434239.8
OPW SiteSentinelAuthentication BypassCVE-2024-83109.8
Proteus® OEL8000Authentication BypassCVE-2024-69819.8
Maglink LXAuthentication BypassCVE-2024-436929.8
Alisonic SibyllaSQL InjectionCVE-2024-86309.4
Maglink LXXSSCVE-2024-417258.8
Maglink LX4Privilege EscalationCVE-2024-453738.8
Franklin TS-550Arbitrary File ReadCVE-2024-84977.5

These security flaws reflect fundamental design issues that should have been addressed long ago.

Automatic Tank Gauges Vulnerabilities by Product(source: BitSight)

The exploitation of these vulnerabilities could lead to severe consequences:

  1. Denial of Service (DoS): Attackers could disable ATG systems by reconfiguring settings or flashing faulty firmware.
  2. Physical Damage: By altering critical parameters such as tank geometry and capacity, attackers could cause fuel leaks or disable alarms.
  3. Data Theft: Sensitive operational data could be captured and sold to third parties.
  4. Network Intrusion: Vulnerable ATG systems could serve as entry points for further attacks on internal networks.

These scenarios underscore the urgent need for enhanced security measures to protect these systems from exploitation.

Coordinated Efforts for Mitigation

BitSight has been working closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to mitigate these vulnerabilities through responsible disclosure.

They have collaborated with affected vendors for six months to develop remediation strategies.

CISA has published advisories to guide organizations in securing their ATG systems against potential attacks.

The discovery of these vulnerabilities highlights the critical need for improved cybersecurity practices in industrial control systems like ATGs.

These systems are integral to national infrastructure, so their security must be prioritized to prevent potential disasters. Organizations are urged to disconnect ATGs from the internet and implement robust security measures to safeguard against future threats.

Image of an Automated Tank Gauge SystemAs the industry moves towards a “secure by design” philosophy, it is imperative that manufacturers and operators work together to address these vulnerabilities and protect critical infrastructure from cyber threats. 

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

8 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

10 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

10 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

10 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

3 days ago