Marel Updates Food Processing Systems

Friday, August 18, 2017 @ 03:08 PM gHale

Marel updated a previous fix for vulnerabilities in its food processing systems, according to a report with ICS-CERT.

The remotely exploitable vulnerabilities, discovered by Daniel Lance, are hard-coded passwords, unrestricted file upload, and improper access control.


The following Marel food processing products suffer from the issues:
• All M3000 terminal-based products contain hard-coded password and unrestricted file upload vulnerabilities:
  - Graders using M3000 terminal
  - Portioning Machines using M3000 terminal
  - Flowline systems using M3000 terminal
  - Packing systems using M3000 terminal
  - SensorX machines using M3000 terminal
  - Target Batchers using M3000 terminal
  - SpeedBatchers using M3000 terminal

• All devices operating the Pluto platform contain an access control vulnerability:
  - Graders using Pluto platform
  - Portioning Machines using Pluto platform
  - Flowline systems using Pluto platform
  - Packing systems using Pluto platform
  - SensorX machines using Pluto platform
  - Target Batchers using Pluto platform
  - SpeedBatchers using Pluto platform

A remote attacker may be able to gain unauthorized administrative access to affected devices.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.

The end user does not have the ability to change system passwords on the M3000 terminal-based products.

CVE-2016-9358 is the case number assigned to this hard-coded password vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the unrestricted file upload vulnerability allows an attacker to modify the operation and upload firmware changes without detection.

CVE-2017-6041 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, the affected systems using the Pluto platform do not restrict remote access.

CVE-2017-9626 is the case number assigned to this improper access control vulnerability, which has a CVSS v3 base score of 9.8.

The products see use mainly in the food and agriculture sector. They are deployed in the United States, Europe, South America, and Asia.

Iceland-based Marel has created an update for Pluto-based applications, which it will release on October 1. This update will restrict remote access by implementing SSH authentication.

Marel said all M3000 terminal-based products reached end-of-life in July 2012, and thus it will not release product fixes to address the identified vulnerabilities. Marel recommends that users upgrade these end-of-life systems.
