OTPulse

Marel Food Processing Systems (Update B)

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-17-094-02B
Published: Apr 4, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Marel food processing systems (Graders, Portioning Machines, Flowline, Packing, SensorX, Target Batchers, SpeedBatchers) using M3000 terminal and Pluto platform contain multiple vulnerabilities including hardcoded credentials (CWE-259), unrestricted file upload (CWE-434), and improper access controls (CWE-284). All versions of affected equipment are vulnerable. No patch is available from the vendor.

What this means
What could happen
An attacker could remotely access food processing equipment using default or hardcoded credentials, upload malicious files, and execute arbitrary commands on the control systems. This could allow manipulation of ingredient portioning, grading parameters, batching formulas, or packing settings, disrupting production and potentially affecting product quality or safety.
Who's at risk
Any food processing facility running Marel equipment is in scope. This affects every operation using Marel Graders, Portioning Machines, Flowline systems, Packing systems, SensorX machines, Target Batchers, or SpeedBatchers with the M3000 terminal or Pluto control platform, which are common in meat, fish, poultry, and prepared food manufacturing.
How it could be exploited
An attacker on the network (or on the internet, if an M3000 or Pluto terminal is exposed) could log into the control interface with the hardcoded or default credentials, use the unrestricted file upload weakness to place attacker-controlled files (scripts or binaries) on the device, and execute them to change processing parameters or stop production lines.
Prerequisites
  • Network connectivity to the M3000 terminal or Pluto platform (may be reachable from company network or internet if not firewalled)
  • Knowledge of default/hardcoded credentials (low skill barrier)
  • No authentication bypass required if defaults are in use
  • Remotely exploitable
  • No authentication required (hardcoded/default credentials)
  • Low complexity attack
  • No patch available
  • Affects food processing operations
Exploitability
Low exploit probability (EPSS 0.6%). EPSS estimates the likelihood of in-the-wild exploitation over the next 30 days; it says nothing about impact, and a low score does not reduce the urgency for an end-of-life device with no fix and hardcoded credentials.
Affected products (14, all end-of-life)

Product | Affected Versions | Fix Status
Graders using M3000 terminal | All versions | No fix (EOL)
Portioning Machines using M3000 terminal | All versions | No fix (EOL)
Flowline systems using M3000 terminal | All versions | No fix (EOL)
Packing systems using M3000 terminal | All versions | No fix (EOL)
SensorX machines using M3000 terminal | All versions | No fix (EOL)
Target Batchers using M3000 terminal | All versions | No fix (EOL)
SpeedBatchers using M3000 terminal | All versions | No fix (EOL)
Graders using Pluto platform | All versions | No fix (EOL)
Portioning Machines using Pluto platform | All versions | No fix (EOL)
Flowline systems using Pluto platform | All versions | No fix (EOL)
Packing systems using Pluto platform | All versions | No fix (EOL)
SensorX machines using Pluto platform | All versions | No fix (EOL)
Target Batchers using Pluto platform | All versions | No fix (EOL)
SpeedBatchers using Pluto platform | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to M3000 and Pluto terminals using industrial firewalls or access control lists. Only permit authorized engineering workstations and HMI servers to communicate with these devices. Block direct internet access.
WORKAROUND: Change every default credential that the M3000 and Pluto platforms allow you to change, and store the new values in a secure vault. Credentials hardcoded in the firmware (CWE-259) cannot be rotated by the operator; treat them as public knowledge and rely on the network restrictions above to keep untrusted hosts away from the login interface.
WORKAROUND: Disable the file upload function on M3000 and Pluto terminals if it is not needed for normal operation. If uploads are required, limit them to approved engineering workstations, validate the file type, and scan uploads for malware.
Mitigations - no patch available
The following products have reached end of life with no planned fix: on the M3000 terminal, Graders, Portioning Machines, Flowline systems, Packing systems, SensorX machines, Target Batchers and SpeedBatchers; on the Pluto platform, Graders, Portioning Machines, Flowline systems, SensorX machines, Target Batchers, SpeedBatchers and Packing systems. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate food processing equipment on a dedicated VLAN or OT network with strict ingress/egress rules toward the business network and the internet.
HARDENING: Monitor and log all access to M3000 and Pluto platforms. Establish alerting for failed login attempts and for unusual file uploads or commands.
HARDENING: Contact Marel to request a security update or an end-of-life timeline. Evaluate replacement of the affected equipment if no patch is forthcoming.
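The access-restriction control (only approved engineering workstations and HMI servers may reach the terminals) and the monitoring control (alert on failed logins and unusual uploads) can be combined into one small detection pass over the logs a firewall or jump host in front of the terminals already produces. The script below is an added example written for this page; it is not Marel code, and the advisory documents no log format, so the key=value line shape, the 10.30.1.0/24 OT subnet, the approved-workstation addresses, the thresholds and the sample lines are all constructed assumptions to be replaced with your own.

```python
"""Added example for this advisory page, not Marel code: flag risky access to
isolated M3000/Pluto terminals using firewall or jump-host logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed layout (not from the advisory): terminals live in an OT VLAN and only
# two engineering workstations are allowed to reach them. Adjust to your site.
OT_SUBNET = ipaddress.ip_network("10.30.1.0/24")
APPROVED_SOURCES = {
    ipaddress.ip_address("10.20.5.10"),
    ipaddress.ip_address("10.20.5.11"),
}
FAILED_LOGIN_THRESHOLD = 3          # failed logins per (src, dst) pair ...
WINDOW = timedelta(minutes=5)       # ... inside this sliding window

# Constructed sample lines in a syslog-like key=value shape. This is not real
# Marel output; map your own collector's fields onto src/dst/event/result/file.
SAMPLE_LOG = """\
2017-04-05T08:12:01Z src=10.20.5.10 dst=10.30.1.10 event=login result=ok user=engineer
2017-04-05T08:12:30Z src=10.20.5.10 dst=10.30.1.10 event=upload file=recipe.cfg
2017-04-05T09:01:02Z src=10.20.7.99 dst=10.30.1.10 event=login result=fail user=admin
2017-04-05T09:01:05Z src=10.20.7.99 dst=10.30.1.10 event=login result=fail user=admin
2017-04-05T09:01:09Z src=10.20.7.99 dst=10.30.1.10 event=login result=fail user=admin
2017-04-05T09:01:12Z src=10.20.7.99 dst=10.30.1.10 event=login result=ok user=admin
2017-04-05T09:01:40Z src=10.20.7.99 dst=10.30.1.10 event=upload file=update.bin
2017-04-05T09:30:00Z src=10.20.5.11 dst=10.40.2.5 event=login result=fail user=svc
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict (ts, src, dst, plus any key=value fields).

    Returns None for malformed lines so a bad line never aborts the whole pass.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    try:
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return None
    return fields


def _alert(rule, rec, **detail):
    return {"rule": rule, "src": rec["src"], "dst": rec["dst"], "ts": rec["ts"], **detail}


def analyze(lines):
    """Run the detections over an iterable of log lines and return a list of alerts."""
    alerts = []
    failures = defaultdict(list)    # (src, dst) -> timestamps of recent failed logins
    reported_sources = set()        # (src, dst) pairs already reported as unapproved
    for rec in filter(None, map(parse_line, lines)):
        if rec["dst"] not in OT_SUBNET:
            continue                # only traffic toward the isolated terminals matters
        key = (rec["src"], rec["dst"])

        # 1. Any session from a host outside the allow-list, reported once per pair.
        if rec["src"] not in APPROVED_SOURCES and key not in reported_sources:
            reported_sources.add(key)
            alerts.append(_alert("unapproved_source", rec))

        # 2. A burst of failed logins, and a success that follows such a burst
        #    (the shape of default-credential guessing that eventually works).
        if rec.get("event") == "login":
            recent = [t for t in failures[key] if rec["ts"] - t <= WINDOW]
            if rec.get("result") == "fail":
                recent.append(rec["ts"])
                if len(recent) == FAILED_LOGIN_THRESHOLD:
                    alerts.append(_alert("failed_login_burst", rec, count=len(recent)))
            elif rec.get("result") == "ok" and len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(_alert("login_after_failed_burst", rec, count=len(recent)))
            failures[key] = recent

        # 3. Every upload to a terminal: unrestricted upload is the code-execution path.
        if rec.get("event") == "upload":
            alerts.append(_alert("file_upload", rec, file=rec.get("file")))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["rule"], a["src"], "->", a["dst"],
              {k: v for k, v in a.items() if k not in ("ts", "rule", "src", "dst")})
```

On the constructed sample the pass reports the engineering upload at 08:12, then the unapproved host 10.20.7.99, its three failed logins, the success that follows them, and its upload of update.bin; the line aimed at 10.40.2.5 is ignored because that host is not a terminal. With hardcoded credentials the "success after a burst" signal is a bonus rather than the main event: since the password cannot be changed, a single successful login from any address outside the allow-list is already the alert that matters, which is why rule 1 fires on the first packet from an unapproved host rather than waiting for a login outcome.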