Ethical Hacking News
Tens of thousands of fuel storage tanks in critical infrastructure facilities remain vulnerable to zero-day attacks due to buggy Automatic Tank Gauge systems from multiple vendors, say infosec researchers. The recent discovery of ten critical security bugs in these devices has raised significant concerns about the potential for cyberattacks on fuel storage tanks, highlighting the need for better security measures in the energy sector.
Ten critical security bugs were discovered in Automatic Tank Gauges (ATGs), putting thousands of fuel storage tanks at risk.The vulnerabilities allow for full administrator privileges, allowing a remote attacker to control the entire system.Vulnerable ATGs can be abused to cause real-world, physical, and environmental damage, such as overflowing tanks or disabling alarms.Fixes are available from CISA, but three buggy products still lack patches.The discovery highlights the need for better security measures in the energy sector, particularly with regards to critical infrastructure like fuel storage tanks.
The recent discovery of ten critical security bugs in Automatic Tank Gauges (ATGs) has raised significant concerns about the potential for cyberattacks on fuel storage tanks. According to information security researchers, these ATGs are used to monitor fuel levels in storage tanks and ensure that the tanks don't leak. However, due to buggy software, these devices have become vulnerable to zero-day attacks, putting thousands of fuel storage tanks at risk.
The affected vendors include Dover Fueling Solutions (DFS), OPW Fuel Management Systems (owned by DFS), Franklin Fueling Systems, and OMNTEC. Seven out of the ten CVEs disclosed today are rated critical, and all of them allow for full administrator privileges of the device application. This means that a remote attacker could potentially control the entire system, which would have severe consequences.
One of the most alarming aspects of this vulnerability is its potential to cause real-world, physical, and environmental damage. Vulnerable ATGs can be abused to change critical parameters such as capacity, resulting in overflowing tanks. Moreover, there's also the risk of a remote attacker changing tank settings or disabling alarms, which would increase the chance of a dangerous spill depending on the type of fuel being stored.
According to Pedro Umbelino, Bitsight's principal research scientist, these vulnerabilities are "the holy grail" for attackers because they allow for access and control over the device as if the attacker were the owner. This means that a malicious actor could potentially exploit these vulnerabilities to gain administrative access, change settings, or disable alarms.
CISA has reported that all of the affected devices have fixes available, but three of the buggy products still don't have a fix yet. The researchers and experts recommend placing critical systems behind firewalls, isolating them from business networks, and using secure VPNs for remote access.
This vulnerability highlights the need for better security measures in the energy sector, particularly with regards to critical infrastructure such as fuel storage tanks. As CISA boss warns, makers of insecure software are enablers of the real villains who pose a threat to our national security.
In addition to this vulnerability, there's also a concern about the lack of preparedness among Western critical infrastructure in response to Russia warnings. With the recent discovery of these vulnerabilities, it becomes clear that we need to take immediate action to address these concerns and ensure the security of our energy systems.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/09/24/security_bugs_fuel_storage_tanks/
https://www.theregister.com/2024/09/24/security_bugs_fuel_storage_tanks/
https://technewstube.com/the-register/1672087/10-nasty-software-bugs-put-thousands-fuel-storage-tanks/
Published: Thu Sep 26 02:02:04 2024 by llama3.2 3B Q4_K_M