OTPulse

Ovarro TBox RTUs

Monitor | CVSS 7.2 | ICS-CERT ICSA-23-180-03 | Jun 29, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Ovarro TBox RTUs contain multiple vulnerabilities. Depending on the issue, the affected firmware is 1.50.598 and earlier, 1.46 through 1.50.598, or all versions. The vulnerabilities include: CVE-2023-36607 and CVE-2023-36610 (weak SSH access controls allowing credential exposure), CVE-2023-36608 and CVE-2023-36609 (unspecified privilege escalation or information disclosure), CVE-2023-36611 (additional SSH-related access issue), and CVE-2023-3395 (plaintext password handling in configuration files). These issues could allow an attacker with network access and valid credentials to obtain sensitive system information, escalate privileges, or gain unauthorized access to device operations. No patches are currently available from the vendor.

What this means
What could happen
An attacker with network access and valid engineering credentials could SSH into a TBox RTU, expose passwords or other sensitive information, and escalate privileges to alter control logic, process setpoints, or device configuration. This could disrupt water treatment, power distribution, or other critical operations managed by the RTU.
Who's at risk
Water authorities and municipal utilities using Ovarro TBox RTUs for remote terminal control should be concerned. This includes operators of water distribution systems, treatment plants, power distribution networks, and other critical infrastructure using TBox MS-CPU32, MS-CPU32-S2, LT2, TG2, or RM2 units. Any organization with these RTUs on a network accessible to engineering staff or connected to corporate networks is at risk.
How it could be exploited
An attacker on the network can connect via SSH to the TBox RTU if SSH access is enabled. With valid or default user credentials obtained from configuration files (which may be stored in plaintext), the attacker can log in and retrieve encrypted or plaintext passwords from memory or files. The attacker can then use escalated privileges to modify device settings or operational parameters.
Prerequisites
  • Network access to the TBox RTU on port 22 (SSH)
  • Valid user credentials (default or previously disclosed)
  • SSH access enabled on the device (not disabled via firewall or application settings)
  • For some vulnerabilities: ability to read configuration files or access application data
Risk factors
  • remotely exploitable
  • high CVSS score (7.2)
  • no patch available
  • weak authentication handling
  • default or weak credentials likely
  • affects remote terminal units controlling critical infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (15), 15 EOL

Product     Affected Versions        Fix Status
TBox LT2    ≤ 1.50.598               No fix (EOL)
TBox LT2    ≥ 1.46 | ≤ 1.50.598      No fix (EOL)
TBox LT2    All versions             No fix (EOL)
TBox TG2    ≤ 1.50.598               No fix (EOL)
TBox TG2    ≥ 1.46 | ≤ 1.50.598      No fix (EOL)
TBox TG2    All versions             No fix (EOL)
TBox RM2    ≤ 1.50.598               No fix (EOL)
TBox RM2    ≥ 1.46 | ≤ 1.50.598      No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Disable SSH access through the integrated firewall on all TBox devices
  • WORKAROUND: Disable user account SSH access by removing/emptying passwords in the TBox application for all user accounts
  • WORKAROUND: Set a password on the TBox application to enable encryption of stored credentials and configuration files
  • WORKAROUND: Use password-protected files within TBox software to prevent plaintext password exposure in memory
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Monitor for patches from Ovarro through the Customer Support section of the Ovarro website
Mitigations - no patch available
The following products have reached End of Life with no planned fix: TBox LT2: <= 1.50.598, TBox LT2: >= 1.46 | <= 1.50.598, TBox LT2: *, TBox TG2: <= 1.50.598, TBox TG2: >= 1.46 | <= 1.50.598, TBox TG2: *, TBox RM2: <= 1.50.598, TBox RM2: >= 1.46 | <= 1.50.598, TBox RM2: *, TBox MS-CPU32: <= 1.50.598, TBox MS-CPU32-S2: <= 1.50.598, TBox MS-CPU32: >= 1.46 | <= 1.50.598, TBox MS-CPU32-S2: >= 1.46 | <= 1.50.598, TBox MS-CPU32: *, TBox MS-CPU32-S2: *. Apply the following compensating controls:
  • HARDENING: Isolate TBox RTUs from the business network and position behind a firewall with no direct Internet access
  • HARDENING: Implement network segmentation to restrict access to TBox devices to authorized engineering workstations only
  • HARDENING: If remote access is required, deploy a secure VPN with current security patches
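
One way to confirm that the SSH workaround and the segmentation controls listed above have taken effect is to probe port 22 on each RTU in your own asset inventory from a segment that should be blocked. This is an added example, not OTPulse or Ovarro code; the inventory entries, addresses and function names are constructed for illustration.

```python
import socket

# Constructed inventory for illustration: documentation-range addresses,
# not real devices. "port" is optional and defaults to 22 (SSH).
INVENTORY = [
    {"name": "pump-station-1", "model": "TBox LT2", "host": "192.0.2.10"},
    {"name": "reservoir-3", "model": "TBox MS-CPU32", "host": "192.0.2.11"},
]


def probe_ssh(host, port=22, timeout=2.0):
    """Classify the SSH port as seen from the machine running this check.

    "ssh"      port open and an SSH identification banner was received
    "open"     port open but no SSH banner arrived within the timeout
    "closed"   connection actively refused
    "filtered" no answer before the timeout, or no route to the host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                banner = conn.recv(64)
            except OSError:  # read timeout or reset after connect
                banner = b""
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes connect timeouts and unreachable networks
        return "filtered"
    return "ssh" if banner.startswith(b"SSH-") else "open"


def audit(inventory, timeout=2.0):
    """Return the devices whose SSH port still accepts connections."""
    findings = []
    for device in inventory:
        state = probe_ssh(device["host"], device.get("port", 22), timeout)
        if state in ("ssh", "open"):
            findings.append({**device, "state": state})
    return findings


if __name__ == "__main__":
    exposed = audit(INVENTORY, timeout=1.0)
    for d in exposed:
        print(f"{d['name']} ({d['model']}) {d['host']}: port 22 is {d['state']}")
    print(f"{len(exposed)} of {len(INVENTORY)} devices still reachable on SSH")
```

Run from a host on the business network, every device should come back closed or filtered, so `audit` returns an empty list.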