OMNTEC Proteus Tank Monitoring (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-24-268-06Sep 24, 2024

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The OEL8000III K/X ATG Generation 3.0 tank monitoring device contains an authentication bypass vulnerability (CWE-306) that allows an attacker to perform administrative actions without providing valid credentials. The vulnerability affects only Generation 3.0; Generation 3.5 and later are not affected. OMNTEC recommends upgrading to Generation 3.5 or higher.

What this means

What could happen

An attacker who reaches your tank monitoring system over the network could perform administrative actions like changing configuration, stopping alarms, or altering tank level readings without needing to log in, potentially causing inaccurate inventory data or missed overflows.

Who's at risk

Water utilities and fuel/chemical storage facilities using OMNTEC Proteus tank monitoring systems, specifically those running the older Generation 3.0 firmware on OEL8000III K/X Automated Tank Gauges (ATGs). Any site with Generation 3.5 or 4.0 is not affected.

How it could be exploited

An attacker on your network or the internet sends crafted requests directly to the OEL8000III tank gauge without supplying valid credentials. The device accepts the requests and allows administrative functions like changing settings or disabling safety features.

Prerequisites

Network access to the OEL8000III device (TCP/IP connection from untrusted network)
Device running Generation 3.0 firmware
Administrative function requests must reach the device (no firewall blocking)

remotely exploitableno authentication requiredlow complexityaffects tank level monitoring and inventory controllegacy product without vendor fix option

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

OMNTEC Proteus Tank Monitoring: OEL8000III_K/X_ATG_Generation_3.0OEL8000III K/X ATG Generation 3.0No fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to the tank monitoring device by placing it behind a firewall and blocking inbound connections from untrusted networks (business network and internet)

HARDENINGIf remote access to the tank gauge is required, use a VPN to isolate access and keep the VPN software updated

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade OEL8000III K/X ATG Generation 3.0 systems to Generation 3.5 or higher

Long-term hardening

0/1

HARDENINGIsolate the tank monitoring system network from the business IT network using network segmentation or an air gap

CVEs (1)

CVE-2024-6981

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d2a5e7c4-0585-44e5-9f58-664323dba897

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.