OleumTech Fixes WIO Family Holes

Friday, May 22, 2015 @ 02:05 PM gHale


OleumTech created updates that mitigate multiple holes in its WIO family including the sensors and the DH2 data collector, according to a report on ICS-CERT.

Security researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive discovered the remotely exploitable vulnerabilities.

RELATED STORIES
More Holes Filled in Healthcare System
OSIsoft Fixes Permissions Hole
Rockwell Patches RSLinx Classic Bug
Healthcare Control System Holes Filled

The following OleumTech Products suffer from the issue:
• OleumTech WIO DH2 Wireless Gateway
• All OleumTech Sensor Wireless I/O Modules versions

Two identified vulnerabilities may potentially allow a Man-in-the-Middle (MitM) attack to either monitor for reconnaissance or insert specially crafted data packets into the data stream. The third vulnerability can lead to a denial-of-service (DoS) condition under the correct circumstances.

Foothill Ranch, CA-based OleumTech’s products are part of the WIO System, developed to provide end-to-end wireless remote monitoring infrastructure. According to OleumTech WIO products see action across several sectors including, energy, water and wastewater systems and others. OleumTech estimates these products see use primarily in the United States and Canada.

If a specially crafted packet ends up received by the DH2 Gateway with a high value on the battery voltage field, the DH2 Gateway radio receiver crashes. If this scenario repeats multiple times, a DoS condition could occur. This could allow the attacker to execute arbitrary code.

CVE-2014-2360 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

When connecting any of the devices to BreeZ, it is possible to read the site security key of the device without authentication. This could allow someone, who has stolen a node or has physical access to the device to obtain the site security key to communicate freely with other network devices. However, this key cannot end up read remotely when the data system is up and running, only in the manual setup mode. The data flow one way from sensor to gateway collector, and there is no control channel back to the sensor. To reset the key, the device must go offline and then updated manually.

CVE-2014-2361 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.2.

The Site Security Key ends up generated using the function time64() from the standard C library. This is a 4-byte number that corresponds to the project creation calendar time. Using this value as a site security key could allow an unauthenticated device to guess the site key by trying a considerably low number of possible combinations.

CVE-2014-2362 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.

OleumTech has created updates for BreeZ and the gateway to mitigate all these vulnerabilities. These updates allow users to encrypt their wireless traffic with AES256. To obtain these updates, log in to the OleumTech download center or contact OleumTech tech support at 866-508-8586 or via email.



Leave a Reply

You must be logged in to post a comment.