Overview
With the advent of the Industry 4.0 era, automated production and manufacturing systems are introducing built-in web browsers in HMI (Human-Machine Interface) devices, granting users direct access to PLCs (Programmable Logic Controllers), controllers, and embedded devices. Users can modify system parameters through the web interface to achieve efficiency and cost-saving objectives. While these features offer convenience, reduce equipment setup costs, and even boost work efficiency, they also introduce cybersecurity risks. Without adequate protection, there’s potential for unauthorized changes to critical system parameters or even malicious control of the connected devices, resulting in system malfunctions or damage.
In this blog post, TXOne Networks PSIRT and its Threat Research team discloses 3 vulnerabilities which impact Weintek cMT3000 HMI Web CGI. Two of these vulnerabilities could allow an attacker to conduct “Stack-Based Buffer Overflow (CVE-121)”, and one of the vulnerabilities is related to “Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)” attack. Based on our research, in certain scenarios, these vulnerabilities allow hackers to develop exploit scripts. We found three distinct vulnerabilities, as listed below:
- CVE-2023-38584 (CVSS v3 base score: 9.8): Stack-Based Buffer Overflow CWE-121
- CVE-2023-40145 (CVSS v3 base score of 8.8): Improper Neutralization of Special Elements Used in An OS Command (‘OS Command Injection’) CWE-78
- CVE-2023-43492 (CVSS v3 base score of 9.8): Stack-Based Buffer Overflow CWE-121
Background Information
The cMT3000 series HMI devices, manufactured by Weintek, support the PLC web browser functionality. They allow direct access and configuration of PLCs, controllers, and embedded devices within the HMI, eliminating the need to purchase an additional device specifically for web browsing. This empowers the HMI with enhanced connectivity capabilities, but it also increases the network’s attack surface.
Weintek cMT3000 HMI Web CGI codesys.cgi Stack-based Buffer Overflow
Technical Details
CODESYS (short for Controller Development System) is a development environment designed for programming controller applications in accordance with the international industrial standard IEC 61131-3. CODESYS is employed across a broad spectrum of industrial automation and control systems. The codesys.cgi is a Common Gateway Interface (CGI) script linked with the CODESYS web server. Within the cMT3000 series, the cgi-bin directory, which is a standard location for storing CGI scripts on a web server, contains a script with a vulnerability. This script utilizes the strcpy() function, which is infamously known for leading to buffer overflow vulnerabilities when unwisely deployed. The central concern is that this function copies a source string into a buffer without verifying the source string’s length. This oversight is what may result in potential “stack-based buffer overflow” scenarios. By using this vulnerability, an anonymous user (an individual without authenticated access) can exploit this gap to circumvent the login authentication procedure. More alarmingly, they can then run arbitrary commands on the device.
Figure 1: By crafting a key with a size greater than 512, an attacker can cause “strcpy()” to result in a stack-based buffer overflow in “json_valuepath”
Weintek cMT3000 HMI Web CGI command_wb.cgi Post-Auth Command Injection
Technical Details
Within the cMT3000 series, command_wb.cgi has a command injection vulnerability located in function3. In this function, it parses the path parameter from the decrypted JSON string. If an attacker knows the command encryption key, they can control the path parameter. Consequently, after authentication, even an anonymous user can execute arbitrary commands on the system. This vulnerability could lead to scenarios described as “HMI Web CGI command_wb.cgi Post-Auth Command Injection”.
Figure 2: In function3, it parses the path parameter from the decrypted JSON string
Figure 3: The attacker can control the path parameter once they obtain the command encryption key
Weintek cMT3000 HMI Web CGI command_wb.cgi Stack-based Buffer Overflow
Technical Details
Within the cMT3000 series, the “command_wb.cgi” script in the “cgi-bin” directory contains multiple stack-based buffer overflow vulnerabilities due to the use of “strcpy()” without validating the length of the source string. Specifically, when len(v13) > 512 and len(v14) > 512, a buffer overflow occurs in the stack memory. Consequently, after initial authentication, even an anonymous user can bypass subsequent login authentication and control the code flow.
Figure 4: When len(v13) > 512 and len(v14) > 512, a buffer overflow occurs in the stack memory
Mitigations
Weintek recommends users update to the following versions of their product:
- cMT-FHD: OS version 20210211
- cMT-HDM: OS version 20210205
- cMT3071: OS version 20210219
- cMT3072: OS version 20210219
- cMT3103: OS version 20210219
- cMT3090: OS version 20210219
- cMT3151: OS version 20210219
Furthermore, all products from TXOne Networks incorporate the updated signature rules for these vulnerabilities to protect your devices from potential attacks. We have also listed the rules below:
- 1233332 ICS Weintek cMT3000 HMI Web CGI Stack-based Buffer Overflow -1
- 1233336 ICS Weintek cMT3000 HMI Web CGI Stack-based Buffer Overflow -2
