21 Vulnerabilities Discovered in Crucial IT-OT Connective Routers

Researchers have discovered 21 vulnerabilities in a popular brand of industrial router.

On Dec. 7 at Black Hat Europe, analysts from Forescout will reveal the bugs — including one of 9.6 "Critical" severity on the CVSS scale, and nine "High" severity — affecting a brand of operational technology (OT)/Internet of Things (IoT) routers especially common in the medical and manufacturing sectors.

OT/IoT routers bridge the wider Internet with internal networks, via 3G and 4G cellular networks. They're most often found in critical sectors such as transportation, government, and water treatment. Compromising these devices can enable lateral movement within networks, malware deployment, espionage, disruption of services, and much more.

Vulnerabilities Show Breadth and Depth

Seven of the newly discovered vulnerabilities lie in internal components of the routers. Fourteen of them derive from open source components, specifically, a captive portal for Wi-Fi networks and an XML processing library.

The nature of the vulnerabilities run the gamut: cross-site scripting (XSS), denial of service (DoS), remote code execution (RCE), unauthorized access, and authentication bypass.

Viewed another way, these bugs can be grouped into two broad categories. "It's either a design flaw — things like hardcoded credentials, SSL certificates, and so on — or how the device handles potentially malicious or malformed inputs that could lead to injecting malicious code or to crashing the device," explains Daniel dos Santos, head of security research at Forescout.

With an opening into one of these devices, attackers can circumvent traditional industrial security protections and charge straight at the most critical devices in a plant.

"When we talk about attacks in OT, the typical path is that somebody would find an initial access point on the IT network — a workstation of an employee that clicks on a phishing link," dos Santos says. "Then there's lateral movement, until something that bridges the gap with OT — an engineering workstation, data historian, SCADA system, or something like that — and then you manage to get access to IoT devices."

The interesting thing with these routers is that they tend to be bridging potentially critical devices with the Internet directly. "For pipelines or substations or things like that, you can imagine that they would be connected directly to potentially safety critical devices without requiring the typical IT-OT lateral movement," dos Santos says.

86,000 Vulnerable Instances

The road to edge security may begin with SBOMs, but there are even simpler, quicker fixes available to OT infrastructure providers right now.

Using only regular scans, the researchers identified over 86,000 such OT/IoT devices unprotected on the open Web (68,605 of them in the US). And it gets worse: 22,000 of them use default SSL certificates, enabling easy man-in-the-middle (MitM) attacks.

Even aside from the 21 new ones, less than 10% of those 86,000 devices are hardened to already publicly known vulnerabilities.

Among those running management interfaces, 80% are at end of life, meaning that they cannot be patched any longer.

Unpatched legacy equipment is common in industrial settings due to the extra difficulty, expense, and risk involved in updating or replacing certain specific, critical software and machinery running 24/7. But, dos Santos says, this habit seems to have extended to devices which don't necessarily fall into that category.

"I believe that people tend to think: it's still in the OT world, so it's legacy," he concludes. "We don't need to replace it right now. But that's definitely problematic, and this is one area of the OT perimeter that could be helped in upgrading devices."