OTPulse

Orpak SiteOmat

Act Now | CVSS 9.8 | ICS-CERT ICSA-19-122-01 | May 2, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Orpak SiteOmat versions prior to 6.4.414.139 contain multiple vulnerabilities including hardcoded credentials (CWE-798), cross-site scripting (CWE-79), SQL injection (CWE-89), cleartext transmission (CWE-311), code injection (CWE-94), and buffer overflow (CWE-121). Successful exploitation could result in arbitrary remote code execution, denial-of-service conditions, and unauthorized access to monitoring, configuration, and payment information.

What this means
What could happen
An attacker with network access to SiteOmat could execute arbitrary code on the system, altering process monitoring data, operational setpoints, or payment records, and potentially disrupting service delivery or causing denial-of-service outages.
Who's at risk
SiteOmat is a monitoring and management system used by water utilities, wastewater treatment plants, and other process industries for SCADA data collection and supervisory control. Organizations operating SiteOmat installations should prioritize this due to the critical remote code execution risk and potential to manipulate operational setpoints or payment systems.
How it could be exploited
An attacker on a network that can reach SiteOmat (or on the Internet, if the system is exposed) can exploit the hardcoded credentials and code injection vulnerabilities to gain unauthorized access and execute arbitrary commands on the SiteOmat server. This could be chained with SQL injection to manipulate the underlying database, or with cross-site scripting to compromise operator workstations that access the web interface.
Prerequisites
  • Network access to SiteOmat web interface (HTTP/HTTPS)
  • No authentication required for initial exploitation due to hardcoded credentials or publicly documented default accounts
  • SiteOmat version prior to 6.4.414.139
Remotely exploitable · No authentication required · Low complexity attack · High EPSS score (14.3%) · Affects supervisory monitoring and control systems · Default/hardcoded credentials present · Multiple vulnerability types (injection, XSS, buffer overflow)
Exploitability
High exploit probability (EPSS 14.3%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SiteOmat | < 6.4.414.122 | 6.4.414.139
SiteOmat | < 6.4.414.084 | 6.4.414.139
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to SiteOmat to authorized workstations only; do not expose the web interface to the Internet or untrusted networks
  • HARDENING: Place SiteOmat behind a firewall and isolate it from the business network using network segmentation or a DMZ
  • HARDENING: If remote access is required, require VPN with multi-factor authentication rather than direct Internet exposure
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update SiteOmat to version 6.4.414.139 or later by contacting Orpak customer care (support@orpak.com, +972 3 577 6864, or online ticket system)
  • HARDENING: Disable any unnecessary accounts and services on the SiteOmat server; apply the principle of least privilege to all operator and administrative accounts
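
To plan the update, installed builds can be compared against the fixed version 6.4.414.139 numerically rather than as strings. The following is an added example, not part of the advisory or any Orpak tooling; the host names and inventory format are constructed assumptions.

```python
# Added example: triage an asset inventory against the fixed SiteOmat build.
# Host names and the (host, version) inventory format are assumptions.
import re

FIXED = (6, 4, 414, 139)  # first fixed version named in the advisory

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted 4-part version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """'vulnerable' if below the fixed build, 'fixed' otherwise, 'unknown' if unparsable."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # treat as needing manual verification, not as safe
    return "vulnerable" if v < FIXED else "fixed"

def triage(inventory):
    """inventory: iterable of (host, version_string). Returns status -> sorted hosts."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version_text in inventory:
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}

# Constructed sample inventory (not real sites).
SAMPLE = [
    ("site-a", "6.4.414.084"),    # leading zero in the build field
    ("site-b", "6.4.414.122"),
    ("site-c", "6.4.414.139"),    # exactly the fixed build
    ("site-d", "6.4.414.9"),      # sorts after .139 as a string, but is older
    ("site-e", "6.5.0.1"),
    ("site-f", "unknown build"),  # no usable version recorded
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand before they are counted as patched.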
Orpak SiteOmat | CVSS 9.8 - OTPulse