Background
A building automation system (BAS) is a system that allows the centralized control and monitoring of various building systems, such as heating, ventilation, air conditioning, lighting, security, and fire alarms. A BAS can improve the performance, efficiency, comfort, and security of a building by collecting and analyzing data from sensors, devices, and services, and using artificial intelligence and machine learning to make the building programmable and responsive to the needs of the users and the building manager. A BAS can also use Power over Ethernet (PoE) to power and connect different devices through a single network infrastructure. A BAS can offer many benefits, such as lower operational and energy costs, greater flexibility, higher resale value, and automated maintenance. However, a BAS also faces some challenges, such as privacy and data issues, capital investment, and persistent internet connections.
LOYTEC is a company that specializes in innovative building automation products and solutions. LOYTEC offers a range of products, such as building management systems, room automation systems, automation servers, I/O controllers, gateways, touch panels, lighting control systems, routers, interfaces, and software tools.
Emerging Threat Research team in TXOne Networks found 10 vulnerabilities on Loytec products in 2021 and contacted the vendor through Trend Micro ZDI (Zero Day Initiative) and ICS-CERT; However, there was no response from the vendor, so we decided to disclose these findings after two years. We really hope that the vendor will soon provide fixes or alternative solutions.
Affected Products
The TXOne Threat Research team has discovered several security vulnerabilities that affect a range of devices used in building automation. These vulnerabilities are present in devices like the LINX-212, LINX-151, and LIOB-586. These are programmable automation workstations specifically designed to manage various building applications. Additionally, the vulnerabilities also impact the LVIS-3ME12-A1 touch panel, the LWEB-802 visualization tool, and the L-INX Configurator configuration tool. It’s important for users of these devices to be aware of these security issues, as they could lead to the deactivation of the building’s safety systems and alarms, potentially compromising the security and safety of the premises:
- L-INX Automation Servers: These are programmable automation stations that offer various functions, such as alarming, scheduling, trending, e-mail notification, IEC 61131-3 programmable logic, and OPC server. They can also integrate various building systems and protocols, such as CEA-709 (LonMark), BACnet, KNX, Modbus, M-Bus, and DALI.
- L-IOB I/O Controllers and Modules: These are programmable automation stations and modules that extend LOYTEC devices with physical inputs and outputs. They can be used for various applications, such as HVAC, lighting, shading, security, and fire alarms. They also support various open protocols and standards, such as CEA-709 (LonMark), BACnet, KNX, Modbus, and DALI.
- L-WEB Building Management: This is a powerful software for running distributed building automation systems. It allows the user to visualize, operate, monitor, and optimize the building performance and energy consumption. It also supports various web services and interfaces, such as OPC UA, BACnet/WS, RESTful API, and MQTT.
- L-INX Configurator: This is a software tool that allows the user to configure and program various LOYTEC devices, such as L-INX Automation Servers, L-IOB I/O Controllers and Modules, L-DALI Controllers, L-GATE Universal Gateways, LIOB-AIR Controllers, and L-ROC Room Controllers. The user can use the L-INX Configurator to create and edit network variables, data points, schedules, alarms, trends, logic programs, and web pages for the LOYTEC devices.
Table 1: Vulnerability List and Affected Products
| CVE ID | Base Score | CVSS v3.1 Vector | Affected Products |
|---|---|---|---|
| CVE-2023-46380 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | · LINX-212 firmware 6.2.4 · LVIS-3ME12-A1 firmware 6.2.2 · LIOB-586 firmware 6.2.3 |
| CVE-2023-46381 | 8.2 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L | |
| CVE-2023-46382 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| CVE-2023-46383 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | · L-INX Configurator 7.4.10 |
| CVE-2023-46384 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| CVE-2023-46385 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| CVE-2023-46386 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | · LINX-151, Firmware 7.2.4 · LINX-212, firmware 6.2.4 |
| CVE-2023-46387 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| CVE-2023-46388 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| CVE-2023-46389 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Vulnerability Descriptions
Our research indicates that vulnerabilities like CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 allow for the reading of sensitive data, such as cleartext password. However, exploiting these vulnerabilities requires conducting a Man-in-the-Middle (MitM) attack on the network. CVE-2023-46382 is particularly noteworthy because it can be exploited without any technical skills. If the web user interface of the pre-installed LWEB-802 is exposed online, it can be easily accessed and controlled by anyone. We have found that some of these interfaces are publicly accessible online.
For CVE-2023-46387 and CVE-2023-46389, once attackers gain administrator-level access, they can easily retrieve files containing SMTP client credentials, which are used for alarm and reporting functions.
CVE-2023-46384 presents a different scenario, as it requires local access to a computer with the LINX Configurator installed. Anyone with local access to such a computer could potentially steal passwords.
The detailed descriptions of the vulnerabilities are as follows:
CVE-2023-46380: Insecure Permissions
Password change request on the web interface on LOYTEC devices is sent in clear text over HTTP, and this allows information theft and account takeover via network sniffing.
CVE-2023-46381: Improper Access Control
Authentication is missing on the web user interface for the preinstalled version of LWEB-802. If there is a project on a device, an unauthenticated user could create a new project on a web and access/control a graphical interface. An unauthenticated user also could edit or delete a current web project, change settings and delete system logs etc…
http://{IP}:{port}/lweb802_pre/
CVE-2023-46382 : Insecure Permissions
The web user interface on Loytec devices requires login credentials for critical information (Data, Commission, Config, etc…); however, username and password information is sent in clear text over HTTP. If anyone sniff network traffic, they could easily steal credentials.
CVE-2023-46383 : Insecure Permissions
Loytec LINX Configurator could be connected to Loytec devices with an administrator credential, and it could configure device settings. Since it uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext, so anyone could easily steal credentials if they sniff network traffics. Once obtaining the admin password, attackers could connect and control Loytec devices via LINX configurator.
CVE-2023-46384 : Insecure Permissions
Following registry key contains hard-coded clear text admin password for recently connected Loytec device. (password cache) If an attacker succeeds in getting this registry key value, attackers could connect and control Loytec devices via LINX configurator.
Key: Computer\HKEY_CURRENT_USER\SOFTWARE\LOYTEC\LOYTEC LINX Configurator\OhioIni
Value name: ftp_pass
Value dada: <admin password>
CVE-2023-46385 : Insecure Permissions
When Loytec LINX Configurator connects to a device, it sends HTTP GET request to login. Since cleartext password is passed as an URL parameter, “password” without sufficient protection, anyone could easily steal credentials if they sniff network traffics. Once obtaining the admin password, attackers could connect and control Loytec devices via LINX configurator. http://{IP}:{port}/webui/config/system?username=admin&password=<admin password>&login=Login
CVE-2023-46386 : Insecure Permissions
‘registry.xml’ file contains hard-coded clear text credentials for SMTP client account. If an attacker succeeds in getting registry.xml file, the email account could be compromised. Password should be encrypted.
CVE-2023-46387 : Improper Access Control
‘/var/lib/lgtw/dpal_config.zml’ file is accessible via file download API. ‘dpal_config.wbx’ which is extracted from ‘dpal_config.zml’ includes sensitive configuration information such as SMTP client information. Authentication is required to exploit this vulnerability.
http://{IP}:{port}/DT?filename=/var/lib/lgtw/dpal_config.zml
CVE-2023-46388 : Insecure Permissions
‘dpal_config.wbx’ file contains hard-coded clear text credentials for SMTP client account. If an attacker succeeds in getting dpal_config.zml file, the email account could be compromised. Password should be encrypted.
CVE-2023-46389 : Improper Access Control
‘/tmp/registry.xml’ file is accessible via file download API. ‘registry.xml’ includes device configuration information which includes sensitive information such as SMTP client information. Authentication isrequired to exploit this vulnerability.
http://{IP}:{port}/DT?filename=/tmp/registry.xml
Mitigations
All products from TXOne Networks incorporate the updated signature rules for these vulnerabilities to protect your devices from potential attacks. We have also listed the rules below:
- 1234018 ICS LOYTEC LINX-212/LVIS-3ME12-A1/LIOB-586 Web User Interface Improper Authentication (CVE-2023-46381) state 1-F/Flow
- 1234114 ICS Loytec L-INX Automation Servers Information Disclosure (CVE-2023-46387)
- 1234114 ICS Loytec L-INX Automation Servers Information Disclosure (CVE-2023-46389)
References
[1] https://en.wikipedia.org/wiki/Building_automation
[2] https://www.cisco.com/c/en/us/solutions/enterprise-networks/what-is-building-automation.html
