Nozomi Networks Labs
The communication between ThroughTek servers, OEM products embedding the ThroughTek P2P library, and client applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication.
An attacker may prevent legitimate clients from connecting to an affected product by manipulating the link parameter or changing its state.
Mitsubishi Electric recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
An attacker could prevent Ethernet communication from being established in the affected products by manipulating the link parameter or changing its state.
JTEKT Corporation recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
The communication between Reolink NVRs, P2P servers and applications is obfuscated with a custom protocol that relies on a hardcoded key. By deobfuscating the protocol, it is possible to access the cleartext content of the communication. During the tests, this was observed to contain the P2P credentials.
The Reolink P2P video/audio stream is transmitted without any encryption. Any actor who can access the client/NVR traffic as it traverses the Internet can access its content, with no confidentiality for the parties involved.
Mitsubishi Electric Multiple Factory Automation Engineering Software Products (Update A) – CVE-2020-14496
Successful exploitation of this vulnerability could allow an attacker to escalate privileges and execute malicious programs. This could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.
This vulnerability could cause a denial-of-service condition when reading data with an invalid index using Modbus TCP.
An attacker may repeatedly send large message packets to the telnet service, which may create a denial-of-service condition.
An attacker could send crafted TCP packets against the FTP service, forcing the target devices to enter an error mode and cause a denial-of-service condition.
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability.
An attacker could exhaust the available connection pool of an affected device by opening a sufficient number of connections to the device.
A remote, unauthenticated threat actor may intentionally send specially-crafted EtherNet/IP packets to port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.
Non-administrative users are able to change executable and library files on the affected products.
A specially-crafted DLL file may be placed in the search path and loaded as an internal and valid DLL. This may allow arbitrary code execution.
Improper path validation may allow an attacker to replace executable files.
Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to manipulate resources, which may be transferred to devices and executed there by a different user.
Improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially-crafted files. This may prevent TIA Portal startup (denial-of-service) or lead to local code execution.
GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi Denial of Service – CVE-2018-8867
The device does not properly validate input, which could allow a remote attacker to send specially-crafted packets. This may cause the device to become unavailable.
A remote attacker may take advantage of an improper implementation of the 3-way handshake during a TCP connection, affecting communications with commissioning and service tools. Specially-crafted packets may also be sent to TCP port 2455, used by Codesys management software. This may result in a denial-of-service condition affecting communications with commissioning and service tools.
A stack-based buffer overflow vulnerability caused by sending crafted packets on port 20547 could force the PLC to change its state into halt mode.
Successful exploitation of this vulnerability may render the device unresponsive. A physical reset of the PLC may be required.
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
© 2021 Nozomi Networks, Inc.
All Rights Reserved.