OPW Fuel Management Systems SiteSentinel

Act Now9.8ICS-CERT ICSA-24-268-01Sep 24, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SiteSentinel contains an authentication bypass vulnerability (CWE-306) that allows an attacker with network access to obtain full administrator privileges without credentials. Successful exploitation gives an attacker complete control over the fuel management server, including the ability to modify fuel deliveries, transaction records, pricing, and system configurations. The vulnerability affects all versions prior to 17Q2.1. Dover Fueling Systems (parent company) has released a fix in version 17Q2.1, but users must contact authorized service providers to upgrade since the software is restricted to authorized distributors. No public exploitation has been reported, but the critical CVSS score (9.8) and ease of exploitation (no authentication required, network-based) present significant risk.

What this means

What could happen

An attacker with network access to SiteSentinel could bypass authentication and gain full administrator control of the fuel management server, allowing them to modify fuel delivery records, alter pricing, divert fuel shipments, or shut down operations.

Who's at risk

Fuel retailers, convenience store chains, and fleet operators using OPW SiteSentinel for automated fuel management and point-of-sale systems. This includes fuel card systems, pump controllers, and transaction servers at retail fueling stations and fuel distribution centers.

How it could be exploited

An attacker sends a crafted network request to the SiteSentinel server that exploits the authentication bypass weakness. No credentials are required. Once authenticated as an administrator, the attacker can execute any administrative function on the system, including configuration changes, fuel transaction manipulation, and user account modifications.

Prerequisites

Network access to the SiteSentinel server (typically port 80/443 or management interface)
No credentials required for exploitation
SiteSentinel version prior to 17Q2.1

remotely exploitableno authentication requiredlow complexityaffects transaction and financial systemsauthentication bypassfull administrative access

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

SiteSentinel: <17Q2.1<17Q2.117Q2.1

Remediation & Mitigation

0/4

Do now

0/4

HOTFIXUpgrade SiteSentinel to version 17Q2.1 or contact Dover Fueling Systems (DFS) to confirm your build includes required fixes

HARDENINGDeploy SiteSentinel behind a firewall with access control lists limiting connections to authorized endpoints only

HARDENINGIf remote access to SiteSentinel is required, implement a VPN and keep it updated to the latest version

HARDENINGRestrict network access to SiteSentinel management interfaces to trusted IP addresses and subnets

CVEs (1)

CVE-2024-8310

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/535b3786-6813-4ef4-b651-1cc61517e477