JanTek JTC-200 Holes Remain Until New Model

Wednesday, October 11, 2017 @ 02:10 PM gHale


There are two vulnerabilities in the JanTek JTC-200 that the company will not be mitigating because it is developing a new JTC-300 model instead, according to a report from ICS-CERT.

The remotely exploitable vulnerabilities, discovered by Karn Ganeshan, are a cross-site request forgery and an improper authentication flaw.


The JTC-200 is a TCP/IP converter; all versions of it suffer from the issues.

Successful exploitation of these vulnerabilities could allow for remote code execution on the device with elevated privileges.

Public exploits are available. An attacker with low skill level could leverage the vulnerabilities.

In the cross-site request forgery vulnerability, an attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

CVE-2017-5789 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.0.

The improper authentication could expose an undocumented BusyBox Linux shell over the Telnet service without any authentication.

CVE-2017-5791 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
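With no vendor fix coming for the JTC-200, monitoring for the two conditions above is the practical compensating control. The following is an added example, not code from the article, JanTek or ICS-CERT: a small Python check over constructed flow/proxy log lines that flags any Telnet session to an inventoried JTC-200 and any state-changing web request to one whose Origin/Referer is not the device itself. The log format, the host inventory and the addresses are assumptions.

```python
"""Compensating detection for an unpatched JTC-200 (constructed example, not vendor code).
Check 1: any Telnet (23/tcp) session to an inventoried JTC-200 is a finding, since the
BusyBox shell needs no credentials. Check 2: a state-changing HTTP request to the device
web UI whose Origin/Referer is not the device itself, the trace a CSRF attack leaves."""
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Constructed inventory of affected converters (TEST-NET-1 addresses); an assumption.
JTC200_HOSTS = {"192.0.2.50"}

def parse_kv(line: str) -> dict:
    """Parse the assumed 'key=value key=value' flow/proxy log format."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def check_telnet(rec: dict) -> bool:
    return rec.get("proto") == "tcp" and rec.get("dport") == "23" and rec.get("dst") in JTC200_HOSTS

def check_csrf(rec: dict) -> bool:
    if rec.get("dst") not in JTC200_HOSTS or rec.get("method") not in {"POST", "PUT"}:
        return False
    source = rec.get("origin") or rec.get("referer")
    if not source:
        return True  # state-changing request with no provenance header: treat as suspicious
    return urlparse(source).hostname != rec["dst"]

def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule, log line) pairs for every line that trips a check."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if check_telnet(rec):
            findings.append(("telnet-to-jtc200", line))
        if check_csrf(rec):
            findings.append(("cross-origin-post-to-jtc200", line))
    return findings

SAMPLE_LOG = [  # constructed log lines
    "ts=1 proto=tcp src=10.0.0.7 dst=192.0.2.50 dport=23",
    "ts=2 proto=tcp src=10.0.0.7 dst=192.0.2.51 dport=23",
    "ts=3 proto=tcp src=10.0.0.9 dst=192.0.2.50 dport=80 method=POST uri=/config origin=http://192.0.2.50",
    "ts=4 proto=tcp src=10.0.0.9 dst=192.0.2.50 dport=80 method=POST uri=/config referer=http://intranet.example/news",
    "ts=5 proto=tcp src=10.0.0.9 dst=192.0.2.50 dport=80 method=GET uri=/status",
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOG):
        print(rule, "|", line)
```

The same-origin POST (ts=3) and the non-inventoried Telnet host (ts=2) are deliberately left out of the findings, so the rules only fire on the unpatched devices.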

The product is used mainly in the critical manufacturing sector, and it is deployed in Europe and Asia.

Taiwan-based JanTek said it will not be developing mitigations for the vulnerabilities affecting JTC-200 as it will release a JTC-300 model scheduled to come out near the end of 2017.



3 Responses to “JanTek JTC-200 Holes Remain Until New Model”

  1. jericho says:

    Can you confirm those CVE assignments? Those appear to be for HP products and do not involve a CSRF.

    2017-5791 – HP Intelligent Management Center (iMC) PLAT UrlAccessController doFilter() Method Remote Authentication Bypass

    2017-5789 – HPE Loadrunner / HPE Performance Center libxdrutil.dll mxdr_string() Function Remote Heap Buffer Overflow

  2. gHale says:

    Yes, those are the CVEs obtained from ICS-CERT ….

  3. jericho says:

    ICS-CERT used the wrong CVE IDs (mixed up year) based on these newly opened up CVE IDs:

    Date: Thu, 12 Oct 2017 22:05:37 -0400
    Subject: [CVENEW] New CVE CANs: 2017/10/12 22:00 ; count=4

    ======================================================
    Name: CVE-2016-5789
    Status: Candidate
    URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5789
    Final-Decision:
    Interim-Decision:
    Modified:
    Proposed:
    Assigned: 20160623
    Category:
    Reference: MISC:https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

    A Cross-site Request Forgery issue was discovered in JanTek JTC-200,
    all versions. An attacker could perform actions with the same
    permissions as a victim user, provided the victim has an active session
    and is induced to trigger the malicious request.

    ======================================================
    Name: CVE-2016-5791
    Status: Candidate
    URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5791
    Final-Decision:
    Interim-Decision:
    Modified:
    Proposed:
    Assigned: 20160623
    Category:
    Reference: MISC:https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

    An Improper Authentication issue was discovered in JanTek JTC-200, all
    versions. The improper authentication could provide an undocumented
    BusyBox Linux shell accessible over the TELNET service without any
    authentication.

