A critical vulnerability has been found in oil tank monitoring devices from Tecson/GOK, but the vendor has released a patch and points out that there are less than 1,000 devices that could be affected.
Tecson is a Germany-based manufacturer of tank measurement systems, including oil tank displays, level probes, and remote monitoring products.
Security researcher Maxim Rupp discovered that some Tecson devices are affected by a vulnerability that allows an attacker to access a web-based configuration interface without needing appropriate credentials.
An attacker only needs to know a specific URL on the web server and the format of a valid request and they can access the configuration interface and view and modify settings.
“This issue allows changing the configuration and get full access to the web-based configuration interface of the device which includes all settings like passwords, alerting parameters and output states. That can adversely affect the planned operation of the equipment or can aid in further attacks on the industrial control process,” read the advisories published by Tecson and Germany’s VDE CERT.
The vulnerability, tracked as CVE-2019-12254 with a CVSS score of 9.8 (critical), impacts LX-Net, LX-Q-Net, e-litro net, SmartBox4 LAN and SmartBox4 pro LAN oil tank monitoring products. The security hole has been addressed with the release of firmware version 6.3. Alternatively, attacks can be prevented by disabling port forwarding and remote access to the device.
Rupp told SecurityWeek that the vendor patched the vulnerability roughly one month after learning of its existence, which he has described as a “fast and good reaction.” The researcher said that while it may be possible to find a few vulnerable devices exposed to the Internet, these systems are typically accessible only from the local network.
Tecson told SecurityWeek that the affected products are mostly deployed in Germany, with less than five percent used by organizations in Austria and Belgium. The company has pointed out that the vulnerability should not be seen as highly critical as it does not allow an attacker to get beyond the device in the targeted organization’s network. The flaw can be more problematic if the relay switching function is enabled, but the vendor says only a few of its customers use it.
The company says there are less than 1,000 devices that could be affected, and only if they have port forwarding enabled.
Tecson claims it’s in the process of identifying and notifying impacted customers of the vulnerability.