Auto-Maskin RP210E, DCU210E, and Marine Observer Pro (Android App)
Act Now | 9.8 | ICS-CERT ICSA-20-051-04 | Feb 20, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Auto-Maskin RP210E and DCU210E allow remote attackers to gain root access to the underlying operating system and perform read/write operations. Affected versions are 3.7 and earlier. The vulnerabilities include unencrypted transport (CWE-319), missing authorization validation (CWE-346), and hardcoded and plaintext-stored credentials (CWE-798, CWE-640, CWE-521). Auto-Maskin reports that new firmware is available on their website to mitigate these issues.
What this means
What could happen
An attacker with network access to these devices could gain administrative (root) access to the operating system and read/write data stored on the device, potentially allowing them to modify setpoints, disable alarms, or corrupt configurations critical to water or marine operations.
Who's at risk
Water authorities, marine operators, and industrial facilities using Auto-Maskin RP210E (remote monitoring/control units) and DCU210E (data collection units) for process monitoring or automation should prioritize this. Any critical device used for alarm annunciation, setpoint control, or data logging is at risk.
How it could be exploited
An attacker on the network sends a specially crafted request to the device (port unspecified in advisory, likely management/web interface). The device fails to properly validate or encrypt the request due to missing input validation and unencrypted transport (CWE-319, CWE-346), and returns or accepts credentials/session tokens stored in plaintext (CWE-798, CWE-521), allowing the attacker to authenticate as root or bypass authentication entirely.
Prerequisites
- Network access to the RP210E or DCU210E device (no indication of non-standard port; likely HTTP/HTTPS management interface)
- No valid credentials required; vulnerabilities allow authentication bypass or credential recovery from plaintext storage
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available (as of advisory date)
- Root/administrative access achievable
- Plaintext credential storage
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
RP210E | ≤ 3.7 | No fix (EOL)
DCU210E | ≤ 3.7 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate RP210E and DCU210E devices from the business network and restrict management access to a dedicated, air-gapped administrative subnet
- HARDENING: Ensure devices are not directly accessible from the Internet; block inbound connections on management ports from external networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Download and apply the new firmware version available from Auto-Maskin's website to RP210E and DCU210E devices
- HARDENING: If remote access to these devices is required, route all traffic through a VPN with current security patches and monitor for unauthorized access attempts