Multiple vulnerabilities in Martem TELEM-GW6/GWM
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-10603 CVE-2018-10607 CVE-2018-10609 |
| CWE-ID | CWE-306 CWE-400 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
TELEM-GWM Server applications / SCADA systems TELEM-GW6 Server applications / SCADA systems |
| Vendor | Martem |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Authentication bypass
EUVDB-ID: #VU12988
Risk: High
CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L/E:U/RL:W/RC:C]
CVE-ID: CVE-2018-10603
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication on the target system.
The vulnerability exists due to the RTU does not perform authentication of IEC-104 control commands. A remote attacker can bypass authentication and which may allow a rogue node a remote control of the industrial process.
Successful exploitation of this vulnerability may result in system compromise.
In most cases, the vulnerability can be resolved by proper configuration:
- Using "other side IP" field in RTU configuration for every TCP/IP channel. This will minimize the risk of allowing unauthorized access and control over the communication channels (i.e., only trusted partners are allowed);
- Using secure VPN channels;
- Proper packet filtering by enabling firewall in RTU configuration. Note that the "interface" field of every communication channel must be properly set in RTU configuration when firewall is enabled.
TELEM-GWM: 2018.04.18-linux_4-01-601cb47
TELEM-GW6: 2018.04.18-linux_4-01-601cb47
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-142-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU12989
Risk: Medium
CVSSv3.1: 7.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N/E:U/RL:W/RC:C]
CVE-ID: CVE-2018-10607
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to resource exhaustion. A remote attacker can create new connections to one or more IOAs, without closing them properly and cause a denial of service within the industrial process control channel.
MitigationIn most cases, the vulnerability can be resolved by proper configuration:
- Using "other side IP" field in RTU configuration for every TCP/IP channel. This will minimize the risk of allowing unauthorized access and control over the communication channels (i.e., only trusted partners are allowed);
- Using secure VPN channels;
- Proper packet filtering by enabling firewall in RTU configuration. Note that the "interface" field of every communication channel must be properly set in RTU configuration when firewall is enabled.
TELEM-GWM: 2018.04.18-linux_4-01-601cb47
TELEM-GW6: 2018.04.18-linux_4-01-601cb47
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-142-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cross-site scripting
EUVDB-ID: #VU12987
Risk: Low
CVSSv3.1: 5.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:T/RC:C]
CVE-ID: CVE-2018-10609
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data over a Websocket. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 2.0.73 or higher. Fixed firmware will be available after 23.05.2018.
Vulnerable software versionsTELEM-GWM: 2018.04.18-linux_4-01-601cb47
TELEM-GW6: 2018.04.18-linux_4-01-601cb47
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-142-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
