Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE

Status: Plan Patch
CVSS: 10
Source: ICS-CERT ICSA-24-268-04
Published: Sep 24, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The ProGauge MAGLINK LX4 and LX consoles contain multiple critical vulnerabilities in their network service that allow an unauthenticated remote attacker to gain complete control of the system. The vulnerabilities include command injection, insufficient access controls, hardcoded credentials, missing authentication for critical functions, and cross-site scripting flaws. An attacker with network access can execute arbitrary code and fully compromise the console's operation, including control of fuel pump functions and transaction data.

What this means
What could happen
An attacker with network access to a ProGauge MAGLINK LX console could execute arbitrary commands on the device, potentially altering fuel pump settings, disabling dispensers, manipulating transaction records, or stopping fueling operations entirely.
Who's at risk
Fuel station operators and fleet fuel management organizations using Dover ProGauge MAGLINK LX fuel dispensing control consoles are affected. This includes convenience stores, truck stops, fleet fueling facilities, and other sites with automated fuel dispensing systems that rely on these consoles for pump operation and transaction management.
How it could be exploited
An attacker sends a specially crafted network request to the console's network interface (default or configured port). The vulnerability allows the attacker to bypass authentication and authorization controls, gain remote code execution, and take full control of the console without needing valid credentials.
Prerequisites
  • Network connectivity to the ProGauge MAGLINK LX console on its reachable port
  • Console must be connected to a network (vulnerability does not apply if device is offline)
Tags: remotely exploitable, no authentication required, low complexity, critical CVSS score (10.0), affects fuel dispensing operations
Exploitability
Some exploitation risk — EPSS score 1.4%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
ProGauge MAGLINK LX4 CONSOLE | ≤ 4.17.9e | fixed in 4.19.10
ProGauge MAGLINK LX CONSOLE | ≤ 3.4.2.2.6 | fixed in 4.19.10
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the ProGauge MAGLINK LX console to authorized management and monitoring systems only, using firewall rules
WORKAROUND: Operate the console offline or disconnected from the network until the firmware update can be applied
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ProGauge MAGLINK LX4 CONSOLE to firmware version 4.19.10 or later
HOTFIX: Update ProGauge MAGLINK LX CONSOLE to firmware version 4.19.10 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the fuel management console from general corporate IT networks and the internet
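As an added example (not part of the advisory or of any vendor tooling), a small Python triage script that applies the affected-version table above to a console inventory. It parses the vendor's version strings, including the letter suffix in 4.17.9e, and reports builds that fall between the advisory ceiling and the fixed release as "unknown" rather than silently treating them as safe. Product names and version thresholds are taken from the table; the hostnames and firmware values in the sample inventory are constructed.

```python
import re

# Affected-version ceilings and the fixed build, taken from the advisory's affected-products table.
AFFECTED_MAX = {
    "ProGauge MAGLINK LX4 CONSOLE": "4.17.9e",
    "ProGauge MAGLINK LX CONSOLE": "3.4.2.2.6",
}
FIXED_VERSION = "4.19.10"

_PART = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(v: str) -> list[tuple[int, str]]:
    """'4.17.9e' -> [(4, ''), (17, ''), (9, 'e')]; a letter suffix sorts after the bare number."""
    parts = []
    for piece in v.strip().split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {v!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return parts


def assess(product: str, firmware: str) -> str:
    """Classify one console as 'affected', 'fixed', 'unknown' or 'not-listed'."""
    ceiling = AFFECTED_MAX.get(product)
    if ceiling is None:
        return "not-listed"
    fw = parse_version(firmware)
    if fw <= parse_version(ceiling):
        return "affected"
    if fw >= parse_version(FIXED_VERSION):
        return "fixed"
    # Above the advisory ceiling but below the fixed build: the table does not cover it, confirm with the vendor.
    return "unknown"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Group hostnames by assessment; the 'affected' bucket is the patch/isolation list."""
    buckets: dict[str, list[str]] = {}
    for host, product, fw in inventory:
        buckets.setdefault(assess(product, fw), []).append(host)
    return buckets


# Constructed sample inventory: hostnames and firmware strings are made up for illustration.
SAMPLE_INVENTORY = [
    ("site01-lx4", "ProGauge MAGLINK LX4 CONSOLE", "4.17.9"),
    ("site02-lx4", "ProGauge MAGLINK LX4 CONSOLE", "4.19.10"),
    ("site03-lx", "ProGauge MAGLINK LX CONSOLE", "3.4.2.2.6"),
    ("site04-lx", "ProGauge MAGLINK LX CONSOLE", "3.4.2.3"),
]
```

Feed `triage()` your real asset list and treat the "affected" and "unknown" buckets as the hosts to isolate (per the workarounds above) until they are confirmed on 4.19.10 or later.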