PEPPERL+FUCHS CT50-Ex
Monitor | 7.6 | ICS-CERT ICSA-18-303-01 | Oct 30, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A vulnerability affects the Pepperl+Fuchs CT50-Ex mobile data terminal running Android OS 4.4 and 6.0. A malicious third-party application can exploit improper privilege management (CWE-269) to gain elevated privileges and access sensitive information on the device. Exploitation requires user interaction (application installation). The affected devices were originally manufactured by Honeywell.
What this means
What could happen
An attacker could trick a site worker into installing a malicious app on their CT50-Ex device, allowing the attacker to gain administrative access and steal sensitive data from the mobile terminal such as credentials, process data, or engineering information.
Who's at risk
Water and electric utility field technicians and engineers who use Pepperl+Fuchs CT50-Ex mobile data terminals (Honeywell-manufactured versions running Android 4.4 or 6.0) for field work, system configuration, or data collection are at risk. Any organization using these devices for SCADA system access, meter reading, or remote troubleshooting should apply this update to prevent credential theft or system data exfiltration.
How it could be exploited
An attacker distributes a malicious application (e.g., via email or a compromised app source) to a site worker. When the worker installs and uses the app on their CT50-Ex mobile device, the malicious app exploits improper privilege controls to elevate to administrator-level permissions. The attacker then reads sensitive files or credentials stored in the device's memory.
Prerequisites
- User must install a malicious third-party application on the CT50-Ex device
- The device must be running Android 4.4 or 6.0 (unpatched versions)
- Access to an app distribution channel trusted by the user (email, app store alternative, USB installation)
- Low attack complexity
- User interaction required
- No patch available for Android 4.4 devices (end-of-life)
- Mobile device used in field operations
- Device may store sensitive credentials or process data
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| CT50-Ex: running Android OS v4.4 and v6.0 (the original manufacturer was Honeywell) | 4.4, 6.0 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Only obtain and install applications from trusted sources; audit currently installed applications on all CT50-Ex devices and remove any non-essential or unknown third-party apps
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: For Android 6.0 devices: update CT50-Ex firmware to CommonES 4.01.00.4134 or later
- HOTFIX: For Android 6.0 devices: update ECP (Engineering Control Panel) to Version 2.30.00.0167 or later if applicable
- HOTFIX: For Android 4.4 devices: update to CommonES 3.17.3445 or later
- HARDENING: Disable Wi-Fi and Bluetooth on CT50-Ex devices when not in active use to reduce attack surface for malicious app distribution
Long-term hardening
- HARDENING: Educate field staff on risks of installing applications from untrusted sources and establish a policy requiring approval before installing any new apps on mobile devices
CVEs (1)