Baker Hughes Bently Nevada 3500
Monitor | 7.5 | ICS-CERT ICSA-23-269-05 | Sep 26, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Baker Hughes Bently Nevada 3500 Rack with TDI Firmware version 5.05 contains vulnerabilities (CWE-732: Incorrect Permission Assignment, CWE-319: Cleartext Transmission, CWE-294: Authentication Bypass) that allow unauthorized information disclosure and device access. No firmware update is available from the vendor.
What this means
What could happen
An attacker with network access to the device could steal sensitive configuration or operational data and potentially gain unauthorized access to the monitoring system, affecting your ability to safely monitor machinery vibration and health.
Who's at risk
Water and electric utilities with Bently Nevada 3500 machinery condition monitoring systems, particularly those used for critical equipment like rotating machinery (motors, pumps, compressors, turbines). The device provides vibration analysis and health diagnostics for equipment protection.
How it could be exploited
An attacker on the network could connect to the Bently Nevada 3500 device (no credentials or authentication required) and exploit cleartext transmission or permission weaknesses to extract sensitive information or bypass authentication controls. The device would need to be reachable from the attacker's network position.
Prerequisites
- Network access to the Bently Nevada 3500 device
- No authentication or credentials required
Remotely exploitable | No authentication required | Low complexity | No patch available | Cleartext transmission of sensitive data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Bently Nevada 3500 Rack (TDI Firmware): 5.05 | 5.05 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Request hardening guideline document 106M9733 from bentlysupport@bakerhughes.com and implement vendor-recommended hardening measures to reduce exploitation risk
- HARDENING: Isolate the Bently Nevada 3500 from the business network and internet; ensure the device is not directly accessible from external networks
- HARDENING: Place the device behind a firewall with restrictive inbound rules allowing only trusted engineering and monitoring workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: If remote access to the device is required, implement a VPN connection from authorized locations only and keep VPN software updated