OTPulse

OPTO 22 SNAP PAC S1

CVSS 7.5 · ICS-CERT ICSA-23-236-02 · Aug 24, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OPTO 22 SNAP PAC S1 firmware version R10.3b contains multiple vulnerabilities:
  • Weak password brute-force protection allows attackers to guess credentials on the web server (port 443) and FTP service (port 21)
  • Improper access controls allow unauthenticated attackers to access certain device files after authentication
  • Resource exhaustion conditions can cause denial-of-service, making the controller unresponsive

These vulnerabilities affect the SNAP PAC S1, a widely deployed industrial automation controller used in critical infrastructure. Successful exploitation could allow unauthorized modification of control logic, process setpoints, or device configurations, or could disrupt operations by making the device unavailable.

What this means
What could happen
An attacker with network access to the SNAP PAC S1 could brute-force weak passwords to gain unauthorized access, potentially allowing them to modify control logic or setpoints, or they could cause the device to become unavailable by triggering a denial-of-service condition.
Who's at risk
Water authorities and municipal electric utilities operating OPTO 22 SNAP PAC S1 programmable automation controllers (PACs) for process control, pump stations, or SCADA systems should prioritize this immediately. The device typically controls critical process automation and is often in control networks that bridge operational and business systems.
How it could be exploited
An attacker on the network sends repeated login attempts to the web server (port 443) or FTP service (port 21) to guess weak credentials. Once authenticated, they can access device configuration files or execute commands. Alternatively, they can send crafted requests to cause the device to hang or stop responding, disrupting control operations.
Prerequisites
  • Network access to SNAP PAC S1 on TCP port 443 (HTTPS) or TCP port 21 (FTP)
  • Weak or default credentials on the device
  • Built-in web server enabled (default state)

  • Remotely exploitable
  • No authentication required for initial attack vector
  • Low complexity brute-force attack
  • No patch available (end-of-life product)
  • Default credentials likely present on legacy installations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product                       | Affected Versions | Fix Status
SNAP PAC S1 Firmware: R10.3b  | R10.3b            | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the built-in web server through Network Security settings in OPTO 22 PAC Manager software when not actively needed
HARDENING: Restrict network access to HTTPS port 443 (TCP) at the firewall to only authorized engineering workstations
HARDENING: Restrict network access to FTP port 21 (TCP) at the firewall to only authorized maintenance systems
HARDENING: Change all default and existing user credentials to long, complex, unique passwords resistant to brute-force attacks
Mitigations - no patch available
SNAP PAC S1 Firmware: R10.3b has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the SNAP PAC S1 and its network from the Internet and business network segments using firewalls and network segmentation
HARDENING: If remote access is required, implement a VPN connection and keep VPN software updated to the latest version
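As an added example (not part of the OTPulse advisory or of Opto 22's own tooling), the following Python checks firewall logs for the two conditions the controls above are meant to address: connections to the PAC's ports 443 and 21 from hosts outside the engineering allowlist, and bursts of connections that the device's weak brute-force protection would not throttle on its own. The PAC and workstation addresses, the log line format and the rate threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PAC_ADDR = "10.1.5.10"        # hypothetical address of the SNAP PAC S1
PAC_PORTS = {443, 21}         # HTTPS web server and FTP, the services named in the advisory
AUTHORIZED = {"10.1.5.20"}    # hypothetical engineering workstation the firewall rule should allow
THRESHOLD = 10                # connections from one source to one port within WINDOW
WINDOW = timedelta(seconds=60)

# Hypothetical syslog-style firewall record: "<iso-timestamp> src=.. dst=.. dport=.. action=.."
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$")

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def analyze(log_text):
    """Return (sources outside the allowlist, sources whose rate looks like brute-forcing)."""
    unauthorized, bruteforce = set(), set()
    recent = defaultdict(list)            # (src, dport) -> timestamps inside the sliding window
    for ts, src, dst, dport in parse(log_text):
        if dst != PAC_ADDR or dport not in PAC_PORTS:
            continue                      # traffic to other hosts or ports is out of scope
        if src not in AUTHORIZED:
            unauthorized.add(src)         # the port-443/21 restriction is not being enforced
        window = recent[(src, dport)]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.pop(0)                 # drop connections older than the window
        if len(window) >= THRESHOLD:
            bruteforce.add(src)           # repeated logins the device itself does not throttle
    return unauthorized, bruteforce

def constructed_log():
    """Constructed sample traffic, not real data: one authorized session, one FTP burst, one stray host."""
    lines = ["2023-08-24T10:00:00 src=10.1.5.20 dst=10.1.5.10 dport=443 action=allow"]
    lines += [f"2023-08-24T10:01:{2 * i:02d} src=10.1.7.99 dst=10.1.5.10 dport=21 action=allow"
              for i in range(15)]       # 15 FTP connections in 28 seconds
    lines.append("2023-08-24T10:02:00 src=10.1.7.50 dst=10.1.5.10 dport=443 action=allow")
    lines.append("2023-08-24T10:02:05 src=10.1.7.50 dst=10.1.5.11 dport=443 action=allow")  # other host
    return "\n".join(lines)

if __name__ == "__main__":
    unauth, brute = analyze(constructed_log())
    print("outside allowlist:", sorted(unauth))    # ['10.1.7.50', '10.1.7.99']
    print("brute-force suspects:", sorted(brute))  # ['10.1.7.99']
```

Any source that appears in the first set indicates the firewall rule restricting ports 443 and 21 is not in place or not working; a source in the second set warrants checking the device's user accounts and, if the web server is not needed, disabling it as the workaround above describes.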