OTPulse

Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE

Severity: CVSS 10 (Act Now)
Source: ICS-CERT ICSA-24-268-04
Published: Sep 24, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Dover Fueling Solutions ProGauge MAGLINK LX and LX4 consoles contain multiple critical vulnerabilities (CWE-77 command injection, CWE-269 improper access control, CWE-259 hardcoded credentials, CWE-288 weak authentication, CWE-79 cross-site scripting) that allow remote attackers to gain full control of the fuel dispensing system without authentication. Affected versions are ProGauge MAGLINK LX CONSOLE 3.4.2.2.6 and earlier, and ProGauge MAGLINK LX4 CONSOLE 4.17.9e and earlier. Dover Fueling Solutions has released firmware update version 4.19.10 for the MagLink LX console to address these issues. Alternatively, affected consoles may be isolated from the network until patching can be completed.

What this means
What could happen
An attacker with network access to a ProGauge MAGLINK console could gain full remote control of the fuel dispensing system, potentially allowing them to manipulate fuel transactions, disable pumps, or access sensitive customer and transaction data.
Who's at risk
Fuel service station operators and fuel retailer IT managers responsible for ProGauge MAGLINK fuel dispensing consoles (LX and LX4 models). This affects any site running these consoles for managing fuel pump operations, transaction processing, and customer data.
How it could be exploited
An attacker sends a specially crafted network request to the ProGauge console (running an affected firmware version). The request exploits one or more of the underlying flaws (improper input validation, weak authentication, hardcoded credentials, or command injection) to execute arbitrary code or bypass access controls, gaining administrative-level control over the fuel dispensing system.
Prerequisites
  • Network reachability to the ProGauge console on its management port
  • No authentication required (CVSS vector PR:N)
Tags
  • remotely exploitable
  • no authentication required
  • low complexity
  • affects operational systems (fuel dispensing)
  • no patch available for LX 3.4.2.2.6
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
ProGauge MAGLINK LX4 CONSOLE | ≤ 4.17.9e | 4.19.10
ProGauge MAGLINK LX CONSOLE | ≤ 3.4.2.2.6 | 4.19.10
Remediation & Mitigation
Do now
HOTFIX: Install the ProGauge MAGLINK LX console firmware update version 4.19.10 through Dover Fueling Solutions' authorized service organizations in North America, or contact DFS customer support at 877-679-8324
HARDENING: Place ProGauge MAGLINK consoles behind a firewall and restrict inbound network access to trusted management stations only
WORKAROUND: Disconnect ProGauge consoles from the network (operate offline) until the firmware update can be applied
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor and subscribe to Dover Fueling Solutions updates and technical bulletins via the DFS customer portal