13 Vulnerabilities Discovered in a Widely Used Industrial Router

11 Oct 2021

OTORIO’s Pen Testers (PT) recently analyzed one of InHand’s industrial routers and discovered 13 highly severe vulnerabilities, including two different Remote Code Execution vulnerabilities, Account Takeover, Authorization Bypass, and Malicious File Upload.

As industrial companies continue to digitally transform every aspect of their operations at breakneck speed, the advantages--and disadvantages--of digitization are quickly rising to the surface. Industrial routers are at the forefront of this transformation; these ruggedly designed hardware components were built for harsh industrial environments, and deliver the reliable connectivity critical to ensuring business continuity for remote workforces dealing with organizations’ crucial OT layer. However, in the rush towards digitization, organizations can mistakenly leave their industrial routers and network components open to the internet. This significantly raises the risk of internal network breaches that can reach the HMIs and PLCs that connect directly to them.

OTORIO’s world-class Pen Testers (PT) recently analyzed one of InHand’s industrial routers and discovered 13 highly severe vulnerabilities, including two different Remote Code Execution vulnerabilities, Account Takeover, Authorization Bypass, and Malicious File Upload. InHand is a leading provider of IoT products for the industrial sector that specializes in M2M routers, IoT gateways, vehicle gateways, industrial Ethernet switches, rugged computers and IoT management platforms. Their remote access service--InConnect--is a plug & play service that builds remote networks for industrial machines, enabling remote access to devices at any time and from anywhere.

Leveraging online network scanners such as Censys and Shodan, OTORIO’s researchers discovered thousands of InHand router devices currently in use. Apparently, these highly popular devices are deployed across many industrial environments, and unfortunately, many organizations leave them exposed to external actors via the internet.

Successful remote exploitation of InHand’s vulnerabilities requires that hackers authenticate themselves to the router web management portal. This is easily done using default credentials, brute force (the IR615 router has a weak password policy) and the enumeration of all valid users on the router via the username enumeration vulnerability. This would enable malicious actors to introduce substantial risks to an organization by:

  • Performing remote actions on the product
  • Intercepting and stealing sensitive information
  • Impersonating administrative actions
  • Taking full control over the product
  • Deleting system files
  • Executing remote code
  • Uploading malicious files
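The precondition described above (default credentials, brute force against a weak password policy, and user enumeration, with no lockout to slow any of it down) leaves a recognizable trace in the device’s login log. The following detection logic is an added example written for this post; it is not OTORIO’s or InHand’s code, and the login-log format it parses (`<time> src=<ip> user=<name> result=<OK|FAIL>`) is a constructed one, not the format of any real InHand product. It flags a source that fails repeatedly inside a short window (brute force), a source that cycles through several distinct usernames (enumeration), and, most importantly, a success that follows a burst of failures.

```python
"""Flag brute-force and username-enumeration patterns in a router login log.

Assumed log format (constructed for this example, not any vendor's format):
    <ISO-8601 time> src=<ip> user=<name> result=<OK|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample: one source hammering 'admin', another walking a user list,
# and one ordinary operator who mistyped a password once.
SAMPLE_LOG = """\
2021-10-11T10:00:01Z src=198.51.100.7 user=admin result=FAIL
2021-10-11T10:00:02Z src=198.51.100.7 user=admin result=FAIL
2021-10-11T10:00:03Z src=198.51.100.7 user=admin result=FAIL
2021-10-11T10:00:04Z src=198.51.100.7 user=admin result=FAIL
2021-10-11T10:00:05Z src=198.51.100.7 user=admin result=FAIL
2021-10-11T10:00:06Z src=198.51.100.7 user=admin result=OK
2021-10-11T10:01:00Z src=203.0.113.9 user=admin result=FAIL
2021-10-11T10:01:01Z src=203.0.113.9 user=operator result=FAIL
2021-10-11T10:01:02Z src=203.0.113.9 user=guest result=FAIL
2021-10-11T10:01:03Z src=203.0.113.9 user=service result=FAIL
2021-10-11T10:05:00Z src=192.0.2.33 user=admin result=FAIL
2021-10-11T10:05:30Z src=192.0.2.33 user=admin result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text, fail_threshold=5, window=timedelta(seconds=60), enum_threshold=3):
    """Return a list of (alert_type, source_ip, detail) tuples, in log order.

    brute_force               : >= fail_threshold failures from one source within `window`
    enumeration               : >= enum_threshold distinct usernames tried from one source
    success_after_brute_force : a successful login from a source already flagged for brute force
    """
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside the window
    users_tried = defaultdict(set)      # src -> distinct usernames attempted
    flagged = set()                     # (alert_type, src) pairs already raised

    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]

        users_tried[src].add(event["user"])
        if len(users_tried[src]) >= enum_threshold and ("enumeration", src) not in flagged:
            flagged.add(("enumeration", src))
            alerts.append(("enumeration", src, sorted(users_tried[src])))

        if event["result"] == "FAIL":
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= fail_threshold and ("brute_force", src) not in flagged:
                flagged.add(("brute_force", src))
                alerts.append(("brute_force", src, len(q)))
        elif ("brute_force", src) in flagged:
            # A success right after a burst of failures is the highest-value signal:
            # the guessing most likely worked.
            alerts.append(("success_after_brute_force", src, event["user"]))

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low because a management portal on an industrial router sees very few legitimate logins; tune `fail_threshold` and `window` to the device’s normal traffic, and treat `success_after_brute_force` as an incident rather than a notification.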

By performing Remote Code Execution, malicious actors could potentially gain access to an affected organization’s corporate and operational networks. From there, the path to the critical SCADA, OT and IIoT components that control essential machinery and infrastructure is wide open, allowing malicious actors to easily wreak havoc on an organization’s core operations.

Additionally, attackers could leverage the vulnerabilities to launch hard-to-detect phishing campaigns that would give them access to highly privileged accounts. With these accounts, attackers could change administrative settings of the network device to remotely perform configuration changes, modify administrator settings and even run system commands on the router.

Finally, attackers could take full control over InHand’s cloud-based products and execute code within the different internal networks that the products connect to.

| Vulnerability                                | CVE ID         | Score | Severity | CWE ID   |
|----------------------------------------------|----------------|-------|----------|----------|
| Weak Password Policy                         | CVE-2021-38462 | 9.8   | Critical | CWE-521  |
| Cross Site Request Forgery                   | CVE-2021-38480 | 9.6   | Critical | CWE-352  |
| Remote Command Execution via Traceroute Tool | CVE-2021-38478 | 9.1   | Critical | CWE-78   |
| Remote Command Execution via Ping Tool       | CVE-2021-38470 | 9.1   | Critical | CWE-78   |
| Malicious File Upload                        | CVE-2021-38484 | 9.1   | Critical | CWE-434  |
| Reflected Cross Site Scripting               | CVE-2021-38466 | 8.8   | High     | CWE-79   |
| Stored Cross Site Scripting on InHand Cloud  | CVE-2021-38482 | 8.7   | High     | CWE-79   |
| Stored Cross Site Scripting                  | CVE-2021-38468 | 8.7   | High     | CWE-79   |
| Authorization Bypass                         | CVE-2021-38486 | 8.0   | High     | CWE-285  |
| Username Enumeration                         | CVE-2021-38476 | 6.5   | Medium   | CWE-204  |
| Inadequate Channel Encryption                | CVE-2021-38464 | 6.4   | Medium   | CWE-326  |
| Lack of Lockout Policy                       | CVE-2021-38474 | 6.3   | Medium   | CWE-307  |
| Clickjacking                                 | CVE-2021-38472 | 4.7   | Medium   | CWE-2021 |
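Two of the Critical entries (CVE-2021-38478 and CVE-2021-38470) are CWE-78 issues in the router’s traceroute and ping diagnostic tools: a web form takes a host name and a system command is run with it. The snippet below is an added example showing the defect class and its fix in a generic form; it is not InHand’s firmware and says nothing about how their tools are built. `unsafe_command_string`, `validate_host`, `build_argv` and `run_tool` are hypothetical helper names, and the `ping -c` / `traceroute -m` options are assumed to be the Linux iputils and traceroute ones.

```python
"""CWE-78 in a web 'ping' / 'traceroute' tool: the weak pattern next to a hardened one.

Example code added for illustration; not any vendor's implementation.
"""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no label
# starting or ending with '-', total length <= 253.  Nothing a shell treats
# specially (space ; | & $ ` quotes) is in this alphabet.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Allow-list of tools and their fixed options (assumed Linux iputils/traceroute flags).
ALLOWED_TOOLS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute", "-m", "15"],
}


def unsafe_command_string(tool, host):
    """The weak pattern: user input pasted into a command line that a shell
    will parse.  Returned as a string here so the problem can be inspected;
    never execute it."""
    return f"{tool} {host}"


def validate_host(host):
    """Return `host` if it is a literal IP address or a well-formed hostname,
    otherwise raise ValueError.  Positive validation (what is allowed) rather
    than a blacklist of bad characters."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def build_argv(tool, host):
    """Hardened form: tool name from an allow-list, host validated, and the
    result is an argument vector, not a shell string.  A leading '-' cannot
    pass validation, so the host can never be read as an option."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"unknown tool: {tool!r}")
    return ALLOWED_TOOLS[tool] + [validate_host(host)]


def run_tool(tool, host, timeout=30):
    """Run the diagnostic without a shell; argv goes straight to execve, so
    metacharacters in the (already validated) host are inert anyway."""
    argv = build_argv(tool, host)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print("weak   :", unsafe_command_string("ping", "10.0.0.1;ls"))   # shell would run 'ls'
    print("hardened:", build_argv("ping", "10.0.0.1"))
    try:
        build_argv("ping", "10.0.0.1;ls")
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers are independent: `validate_host` rejects the input, and `subprocess.run` with a list (no `shell=True`) means that even a validation slip would not hand the string to `/bin/sh`. Both belong in any device feature that wraps a system utility.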


OTORIO Recommendations

To date, the vulnerabilities still lack formal fixes from InHand. In the meantime, OTORIO recommends that all companies check that their routers and other OT devices are not accessible via the internet, and that they set up security controls such as firewalls, VPNs and ACLs in their operational network.

OTORIO encourages companies using InHand Router solutions to follow CISA’s recommendations to minimize the risks created by the exploitation of these vulnerabilities:

  • Minimize network exposure for all control systems and devices and ensure that they’re not accessible via the internet.
  • Set up firewalls for control system networks and remote devices while isolating them from the business network, so that IT penetrations don’t cross into the OT layer.
  • Use only secure remote access methods such as VPNs while constantly verifying that they’ve been updated to the latest version available.


To learn more, read OTORIO’s Solutions Portfolio and see how we can help you protect your organization from industrial cyber attacks.
