OTORIO Uncovers Atlas Copco Power Focus 6000 Controller Vulnerabilities

26 Jun 2023

Vulnerability Details and Hardening Suggestions

The Power Focus 6000 is a torque controller that connects a wide range of Atlas Copco assembly tools, providing a single-platform assembly solution. The device is commonly used in manufacturing and industrial companies and can be managed from the integrated HMI interface or remotely from a built-in web interface.
The vulnerabilities discovered by OTORIO, if successfully exploited, could lead to the compromise of sensitive information, as well as the unauthorized takeover of active user sessions, which can potentially lead to delays in operations and errors in production.

We are in continuous communication with Atlas Copco in order to address these vulnerabilities. Atlas Copco is working on an official hotfix to the Power Focus device but has already acknowledged the mitigations in this document.

In this blog post, we will delve into the details of these vulnerabilities and discuss potential mitigations to safeguard against exploitation.

Figure: Atlas Copco Power Focus 6000

Vulnerability Details

We came across the Power Focus 6000 during an engagement in a manufacturing customer’s network, and a general network assessment revealed several vulnerabilities in its web interface.

1. Unsanitized Login Information Storage (CVE-2023-1897 CVSS 9.4)

The Power Focus 6000 web server performs an automatic login for any user using hard-coded credentials. When a user navigates to the web server, the browser automatically sends a request containing the hard-coded credentials to the controller and receives a session ID in return. This flaw could allow an attacker to gain unauthorized access to the controller and to set a PIN code in order to obtain persistent access.

Figure: A request sent from the user’s browser to the controller, containing the hard-coded credentials


2. Insecure Session ID Handling (CVE-2023-1898 CVSS 9.4)

The Power Focus 6000 web server utilizes a weak session ID format - simple integer numbers, making it vulnerable to enumeration attacks - an attacker can send multiple HTTP requests with different session IDs until they find an active session. This is a trivial brute force type of attack that can be done by an unskilled attacker.

Figure: A raw login response from the Power Focus device, showing a low-numbered session ID
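The following is an added example written for this post's readers; it is not code from OTORIO or Atlas Copco and it does not model the real Power Focus request or response format. It places the weak scheme described above (a small sequential integer) beside a hardened generator, estimates the guessing space from the shape of an ID, and runs detection logic over constructed web-server access logs to flag a client that presents many distinct session IDs within a short window, which is the pattern an enumeration attempt leaves behind. The log line format, IP addresses, session IDs and thresholds are all assumptions.

```python
"""Weak vs. hardened session IDs, and detection of session-ID enumeration.

Added example: constructed log format, addresses and thresholds; nothing here
is taken from the Power Focus 6000 itself.
"""
import itertools
import math
import re
import secrets
from collections import Counter, defaultdict

# --- Session-ID generation -------------------------------------------------

_counter = itertools.count(1)


def weak_session_id() -> str:
    """Models the flaw in the text: the next small integer (constructed)."""
    return str(next(_counter))


def strong_session_id() -> str:
    """Hardened alternative: 128 bits from the OS CSPRNG, URL-safe base64."""
    return secrets.token_urlsafe(16)


def guess_space_bits(session_id: str) -> float:
    """Upper bound, in bits, on the space an attacker would have to search
    for an ID of this shape (alphabet size ** length). A decimal integer of
    four digits gives about 13 bits; a token_urlsafe(16) ID gives over 128."""
    if session_id.isdigit():
        alphabet = 10
    elif re.fullmatch(r"[A-Za-z0-9_-]+", session_id):
        alphabet = 64
    else:
        raise ValueError("unrecognised session-ID alphabet")
    return len(session_id) * math.log2(alphabet)


# --- Detection over access logs --------------------------------------------

# Constructed format: "<unix_ts> <src_ip> <method> <path> sid=<id> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"sid=(?P<sid>\S+) (?P<status>\d{3})$"
)


def parse_log_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def detect_session_enumeration(lines, window_s: int = 60, min_distinct: int = 20):
    """Return {src_ip: distinct_ids} for every source that presented at least
    min_distinct different session IDs inside any window_s-second window.
    A legitimate client re-uses one ID (or a handful after re-logins); a
    client cycling through many IDs is probing for an active session."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            by_src[rec["src"]].append((rec["ts"], rec["sid"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # session ID -> occurrences inside the window
        left = 0
        best = 0
        for ts, sid in events:
            in_window[sid] += 1
            while ts - events[left][0] > window_s:   # slide the left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_distinct:
            flagged[src] = best
    return flagged


# Constructed sample: one normal operator station, one client cycling IDs.
SAMPLE_LOG = [
    f"{1000 + i} 10.0.0.5 GET /status sid={4711 if i < 20 else 4712} 200"
    for i in range(30)
]
SAMPLE_LOG += [
    f"{2000 + i} 10.0.0.99 GET /status sid={100 + i} {200 if i == 17 else 401}"
    for i in range(25)
]

if __name__ == "__main__":
    print("weak:", weak_session_id(), "strong:", strong_session_id())
    print("bits for '4711':", round(guess_space_bits("4711"), 1))
    print("flagged sources:", detect_session_enumeration(SAMPLE_LOG))
```

The detector keys on distinct IDs per source rather than on failed-status counts alone, so it still fires when most probes are answered with an error and only the hit returns 200, as in the constructed sample.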

3. Lack of Secure Connection (CVE-2023-1899 CVSS 9.4)

By default, the Power Focus 6000 web server does not establish a secure connection (TLS/SSL), exposing sensitive information during network communication between the user and the controller. This flaw could allow an attacker to intercept and gather critical data by monitoring network traffic.


Mitigations and Hardening Suggestions

The vulnerabilities mentioned above could be addressed by performing the following actions:

Minimize the attack surface

Disable the web interface - If not required for operational needs, please consider disabling the web interface altogether, thereby eliminating the attack surface completely - note that this will require operators to interact with the device only from the integrated HMI.

Implement network segmentation - The device has firewall functionality that allows it to filter incoming connections based on service port, IP address and MAC address.

In addition, it is recommended to isolate the Power Focus device inside a segregated network to minimize the potential attack surface. If the device cannot be isolated, consider restricting the web TCP port (the port the web server listens on) so that only the necessary stations can communicate with it.

Please refer to the Power Focus 6000 user manual for further details:

https://picontent.atlascopco.com/cont/external/short/html/Power_Focus_6000/en-US/18725177995.html
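As an added example of the segmentation advice above (written for this post, not code from OTORIO, Atlas Copco or the vendor manual): a small model of the three filter criteria the device firewall offers, service port, IP address and MAC address, applied to constructed flow records so that a defender can see which existing connections an open policy lets through and a restricted policy would deny before changing the configuration. The controller address, web port number, subnets and MAC addresses are placeholders.

```python
"""Audit observed flows to the controller's web port against an allow-list.

Added example with constructed values; the real controller address, port and
engineering-station list come from the site, not from this script.
"""
import ipaddress
from collections import Counter

CONTROLLER_IP = "10.10.20.15"   # placeholder for the Power Focus address
WEB_PORT = 80                   # placeholder for the web server's TCP port

# The weak setting: the web port reachable from anywhere, no MAC filter.
OPEN_POLICY = {
    "web_port": WEB_PORT,
    "allowed_nets": ["0.0.0.0/0"],
    "allowed_macs": None,
}

# The corrected setting: only the engineering-station subnet, and only the
# known station MACs within it.
RESTRICTED_POLICY = {
    "web_port": WEB_PORT,
    "allowed_nets": ["10.10.30.0/28"],
    "allowed_macs": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}


def compile_policy(policy):
    """Parse CIDR strings once and normalise MAC case."""
    return {
        "web_port": policy["web_port"],
        "allowed_nets": [ipaddress.ip_network(n) for n in policy["allowed_nets"]],
        "allowed_macs": (
            None if policy["allowed_macs"] is None
            else {m.lower() for m in policy["allowed_macs"]}
        ),
    }


def is_permitted(compiled, src_ip, src_mac, dst_ip, dst_port):
    """Model of the device firewall described in the text: filter by service
    port, IP address and MAC address. Only flows to the controller's web port
    are subject to this rule; other traffic is out of scope here."""
    if dst_ip != CONTROLLER_IP or dst_port != compiled["web_port"]:
        return True
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in compiled["allowed_nets"]):
        return False
    macs = compiled["allowed_macs"]
    if macs is not None and src_mac.lower() not in macs:
        return False
    return True


def audit_flows(policy, flow_lines):
    """Return {src_ip: count} of web-port flows the policy would deny.
    Each line is a constructed record: '<src_ip> <src_mac> <dst_ip> <dst_port>'."""
    compiled = compile_policy(policy)
    denied = Counter()
    for line in flow_lines:
        src_ip, src_mac, dst_ip, dst_port = line.split()
        if not is_permitted(compiled, src_ip, src_mac, dst_ip, int(dst_port)):
            denied[src_ip] += 1
    return dict(denied)


# Constructed flow records as a flow collector might export them.
SAMPLE_FLOWS = [
    "10.10.30.2  00:11:22:33:44:55 10.10.20.15 80",   # engineering station
    "10.10.30.3  00:11:22:33:44:56 10.10.20.15 80",   # engineering station
    "10.10.30.9  aa:bb:cc:dd:ee:ff 10.10.20.15 80",   # right subnet, unknown MAC
    "10.10.40.77 aa:bb:cc:dd:ee:01 10.10.20.15 80",   # office subnet
    "10.10.40.77 aa:bb:cc:dd:ee:01 10.10.20.15 80",
    "10.10.40.77 aa:bb:cc:dd:ee:01 10.10.20.15 80",
    "10.10.40.78 aa:bb:cc:dd:ee:02 10.10.20.15 443",  # other port, not evaluated
]

if __name__ == "__main__":
    print("open policy denies:      ", audit_flows(OPEN_POLICY, SAMPLE_FLOWS))
    print("restricted policy denies:", audit_flows(RESTRICTED_POLICY, SAMPLE_FLOWS))
```

Running the audit against a few days of flow data before enabling the restricted rule set shows which stations would lose access, which is the practical check before tightening the device firewall or an upstream segmentation gateway.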


Set Strong User and PIN Codes

Set a strong and unique PIN code for accessing the device - the device allows a username of up to 32 characters and a four-digit PIN code. A robust username and PIN code add an additional layer of authentication, and setting a PIN code prevents unauthorized attackers from gaining access to the device.

Additional details can be found in the following guide:

https://picontent.atlascopco.com/cont/external/short/html/Power_Focus_6000/en-US/60269835.html


Consider the Suggested Security Mechanisms In Vendor Manuals

User manuals provide detailed information on the configuration, settings, and security features of industrial systems, allowing operators to understand and implement the necessary safeguards. By following the instructions in the user manual, operators can ensure that OT systems are set up securely, with proper access controls, network segmentation, and authentication mechanisms. This helps protect critical infrastructure from cyber threats, vulnerabilities, and unauthorized access, safeguarding against disruptions, data breaches, and malicious activity. For example, changing default passwords, or setting passwords where none exist.


Conclusion

The discovery of vulnerabilities in the Power Focus 6000 Controllers serves as a reminder of the importance of robust security measures in OT assets. The identified flaws, if exploited, could result in financial risks due to delays in the manufacturing process. The fact that our team discovered these vulnerabilities unintentionally while performing unrelated research tasks highlights the significance and severity of these results.

We would like to thank the ICS-CERT for their coordination and Atlas Copco for their cooperation and ongoing efforts in mitigating the discovered vulnerabilities.