OTPulse

PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch

Priority: Act Now
Score: 9.4
Source: ICS-CERT ICSA-17-208-03
Published: Jul 27, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PDQ Manufacturing LaserWash, Laser Jet, and ProTouch series car wash systems contain authentication bypass and unencrypted communications vulnerabilities (CWE-287, CWE-311). The devices are remotely exploitable with no user interaction required and low attack complexity. Public exploits are available. No vendor patches are available for any affected product version.

What this means
What could happen
An attacker could remotely access the car wash control system without credentials, allowing them to read sensitive operational data and potentially command the equipment to cycle, stop, or alter its behavior, disrupting service and damaging customer vehicles.
Who's at risk
Car wash facility operators and manufacturers who deploy PDQ LaserWash M5, 360/360 Plus, AutoXpress/AutoExpress Plus, LaserWash G5/G5 S Series, ProTouch AutoGloss, ProTouch ICON, ProTouch Tandem, and LaserJet systems. Any facility with internet-facing or insufficiently protected control systems is at heightened risk.
How it could be exploited
An attacker on the local network (or on the internet, if the device is exposed) can connect directly to the car wash control system's network port without providing valid credentials. The attacker can then issue commands to query or manipulate the equipment's operational parameters and behavior.
Prerequisites
  • Network or internet-accessible connection to the car wash control system
  • No valid credentials required
  • Standard TCP/IP network access
Tags: remotely exploitable · no authentication required · low complexity · public exploits available · no patch available · affects operational equipment
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (8)
8 EOL
Product                                      Affected Versions   Fix Status
LaserWash AutoXpress and AutoExpress Plus    All versions        No fix (EOL)
ProTouch AutoGloss                           All versions        No fix (EOL)
ProTouch ICON                                All versions        No fix (EOL)
LaserJet                                     All versions        No fix (EOL)
LaserWash G5 and G5 S Series                 All versions        No fix (EOL)
ProTouch Tandem                              All versions        No fix (EOL)
LaserWash M5                                 All versions        No fix (EOL)
LaserWash 360 and 360 Plus                   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to car wash control systems using firewall rules: allow only connections from authorized management workstations on specific ports
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LaserWash AutoXpress and AutoExpress Plus: all versions, ProTouch AutoGloss: all versions, ProTouch ICON: all versions, LaserJet: all versions, LaserWash G5 and G5 S Series: all versions, ProTouch Tandem: all versions, LaserWash M5: all versions, LaserWash 360 and 360 Plus: all versions. Apply the following compensating controls:
HARDENING: Segment car wash control systems onto a dedicated industrial network isolated from general corporate and guest networks
HARDENING: Monitor and log all network connections to car wash control systems for unauthorized access attempts
HARDENING: Contact PDQ Manufacturing for security guidance and monitor for future vendor patches or end-of-life notifications
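The "monitor and log all network connections" control above can be turned into a simple allowlist check over firewall logs. This added example (not from the advisory or from PDQ) scans constructed netfilter-style log lines and flags any connection into the car wash segment that does not come from an authorized management workstation on the expected port, or that comes from a non-RFC1918 address (a sign the control system is internet-exposed). The segment, workstation addresses and port 5000 are placeholders, since the advisory names no port.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed policy for this example: the advisory names no port, so the
# control-protocol port and every address below are placeholders.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")      # dedicated car-wash segment
AUTHORIZED_MGMT = {ipaddress.ip_address("10.10.5.20"),  # management workstations
                   ipaddress.ip_address("10.10.5.21")}
ALLOWED_PORTS = {5000}                                  # placeholder control port
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pulls the SRC, DST and DPT fields out of a netfilter-style LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

Alert = NamedTuple("Alert", [("src", str), ("dst", str), ("dpt", int), ("reason", str)])

def check_line(line: str):
    """Return an Alert if the line records an unauthorized connection to the
    control segment; None for unrelated or unparsable lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dpt = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dpt"])
    if dst not in CONTROL_NET:
        return None  # not aimed at the car-wash segment
    if not any(src in net for net in RFC1918):
        return Alert(str(src), str(dst), dpt, "internet source: control system is exposed")
    if src not in AUTHORIZED_MGMT:
        return Alert(str(src), str(dst), dpt, "source is not an authorized management workstation")
    if dpt not in ALLOWED_PORTS:
        return Alert(str(src), str(dst), dpt, "unexpected destination port")
    return None

def scan(lines):
    """Run check_line over log lines and collect the alerts, in log order."""
    return [a for a in map(check_line, lines) if a is not None]

# Constructed sample log lines in netfilter LOG style (not real traffic).
SAMPLE_LOG = [
    "Jul 27 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=10.10.5.20 DST=10.20.0.15 PROTO=TCP SPT=49152 DPT=5000",
    "Jul 27 10:01:09 fw kernel: IN=eth0 OUT=eth1 SRC=10.30.7.4 DST=10.20.0.15 PROTO=TCP SPT=51000 DPT=5000",
    "Jul 27 10:02:14 fw kernel: IN=wan0 OUT=eth1 SRC=203.0.113.9 DST=10.20.0.15 PROTO=TCP SPT=40022 DPT=5000",
    "Jul 27 10:02:30 fw kernel: IN=eth0 OUT=eth1 SRC=10.10.5.21 DST=10.20.0.15 PROTO=TCP SPT=49200 DPT=22",
    "Jul 27 10:03:00 fw kernel: IN=eth0 OUT=eth2 SRC=10.10.5.20 DST=10.40.1.2 PROTO=TCP SPT=49300 DPT=443",
]

for alert in scan(SAMPLE_LOG):
    print(f"ALERT {alert.src} -> {alert.dst}:{alert.dpt}: {alert.reason}")
```

Only the first sample line (an authorized workstation on the allowed port) and the last (traffic that never touches the car wash segment) pass silently; the other three produce alerts.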