
Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking

Some of the industrial control system (ICS) products made by Taiwan-based Novakon are affected by severe vulnerabilities, and the vendor does not appear to have released any patches.

A subsidiary of iBASE Technology, Novakon designs and manufactures human-machine interfaces (HMIs), industrial PCs, and IIoT solutions. The company serves 18 countries across North America, Europe and Asia. Marketing materials show that 40,000 units of Novakon’s 7” HMIs have been deployed in global data centers.

Researchers at CyberDanube, an IT/OT penetration testing and security consulting firm, found that Novakon’s HMIs are affected by five types of vulnerabilities.

According to an advisory published by CyberDanube, the HMIs are affected by an unauthenticated buffer overflow allowing remote code execution with root privileges, a directory traversal that exposes files, and a few weak authentication issues that allow access to the device and applications.

The security firm’s researchers also found missing protection mechanisms and unnecessarily high permissions for certain processes.


Sebastian Dietz, security researcher at CyberDanube, told information.killnetswitch that the vulnerabilities can be exploited remotely without authentication.

“An unauthenticated attacker might leverage these vulnerabilities to execute excessive privilege code on these gadgets,” Dietz explained. “As HMI gadgets are used to work together with machines and techniques (e.g., PLCs, manufacturing traces) in important infrastructure, gaining arbitrary code execution might have extreme penalties.”

Dietz noted that it is difficult to determine how many devices may be vulnerable to attacks, “as they’re usually deployed in important infrastructure and (hopefully) in a roundabout way uncovered through the web”.

CyberDanube said Novakon has been sent a report describing its findings, but the vendor did not provide any feedback and ignored a vast majority of its communication attempts.

Novakon has not responded to information.killnetswitch’s request for comment.
