ProPump and Controls Osprey Pump Controller (Update A)
Priority: Act Now · CVSS: 9.8 · Source: ICS-CERT ICSA-23-082-06 · Published: Mar 23, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The ProPump and Controls Osprey Pump Controller contains multiple vulnerabilities (CWE-331 insufficient entropy, CWE-598 sensitive data in GET query strings, CWE-259 hardcoded credentials, CWE-78 OS command injection, CWE-79 cross-site scripting, CWE-288 authentication bypass via alternate path, CWE-352 cross-site request forgery, CWE-77 improper command neutralization) that allow unauthorized access, credential theft, command execution, and administrative control without authentication. Affected versions: all firmware earlier than 20230518.
What this means
What could happen
An attacker with network access to the Osprey Pump Controller could gain administrative control, retrieve sensitive data, modify pump operating parameters, or shut down the system entirely, disrupting water or wastewater treatment operations.
Who's at risk
Water and wastewater utilities operating ProPump and Controls Osprey Pump Controllers in treatment plants, distribution systems, or lift stations. Any facility that relies on automated pump control should verify its controller firmware version and apply the update immediately.
How it could be exploited
An attacker on the network (or from the internet if the controller is exposed) sends specially crafted requests to the pump controller. The controller lacks proper authentication and input validation, allowing the attacker to execute commands, access configuration data, or modify operational settings without credentials.
Prerequisites
- Network access to the Osprey Pump Controller (port and protocol unspecified in advisory)
- No authentication required
- Controller running firmware version earlier than 20230518
Tags: remotely exploitable, no authentication required, low complexity, high EPSS score (12.1%), affects critical infrastructure, critical CVSS (9.8)
Exploitability
High exploit probability (EPSS 12.1%)
Affected products (1)
Product: Osprey Pump Controller
Affected Versions: <20230518
Fix Status: fixed in 20230518
Remediation & Mitigation
Do now
HOTFIX: Update Osprey Pump Controller firmware to version 20230518 or later. Contact ProPump and Controls for assistance, as no self-service update mechanism is available.
HARDENING: Isolate the pump controller network from the business network and the internet using firewalls and network segmentation.
HARDENING: Restrict network access to the pump controller to only authorized engineering workstations and control systems. Block all inbound access from untrusted networks.
WORKAROUND: If remote access is required, implement a VPN solution and maintain it with the latest security patches.
CVEs (9)