OTORIO discovers cyber vulnerabilities in industrial assembly tools

30 June 2023

The Power Focus 6000 is a controller that connects a wide range of Atlas Copco assembly tools by providing a common assembly platform. The device is widely used in manufacturing and industrial companies and can be controlled via the integrated HMI interface or remotely via a built-in WEB interface.

The vulnerabilities discovered by OTORIO, if successfully exploited, could lead to the disclosure of sensitive information as well as unauthorized takeover of active user sessions. This could potentially lead to operational delays and errors in production.

In the following article, OTORIO, an expert in OT security, goes into the details of these vulnerabilities and discusses possible countermeasures to protect against exploitation by unauthorized persons.

Details of the vulnerability

While working on the network of a manufacturing customer, OTORIO's security researchers came across the Power Focus 6000. During a general investigation of the network, they discovered several vulnerabilities related to its WEB interface.

1. Unsanitized credential storage (CVE-2023-1897 CVSS 9.4)

The Power Focus 6000 web server performs an automatic login for any user using hard-coded credentials. When a user hits the WEB server, the browser sends an automatic request to the controller with the hard-coded credentials and gets a session ID. This vulnerability could allow an attacker to gain unauthorized access to the controller and set a PIN code to gain persistent access.

2. Insecure session ID handling (CVE-2023-1898 CVSS 9.4)

The Power Focus 6000 web server uses a weak format for session IDs, namely simple integers, which makes it vulnerable to enumeration attacks: an attacker can send multiple HTTP requests with different session IDs until they find an active session. This represents a trivial type of brute force attack that can be performed even by an inexperienced attacker.
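Because the session IDs are small sequential integers, an enumeration attempt leaves a characteristic trace: one client cycling through a run of consecutive IDs, mostly rejected, until one is accepted. The following detection logic is an added example (not OTORIO's or Atlas Copco's code) that runs over constructed access-log lines; the `client_ip sid=N method path status` layout is an assumption, since the page does not show the controller's log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed layout, not the real Power Focus 6000 format).
# 10.0.9.77 walks consecutive session IDs, is rejected five times, then hits a live one.
SAMPLE_LOG = """\
10.0.5.20 sid=1043 GET /status 200
10.0.5.20 sid=1043 GET /tools 200
10.0.9.77 sid=100 GET /status 403
10.0.9.77 sid=101 GET /status 403
10.0.9.77 sid=102 GET /status 403
10.0.9.77 sid=103 GET /status 403
10.0.9.77 sid=104 GET /status 403
10.0.9.77 sid=105 GET /status 200
10.0.5.21 sid=2201 GET /status 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) sid=(?P<sid>\d+) \S+ \S+ (?P<status>\d{3})$")


def parse_log(text):
    """Parse lines into (client_ip, session_id, http_status); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], int(m["sid"]), int(m["status"])))
    return events


def find_session_enumeration(events, min_distinct=5):
    """Return {client_ip: (distinct_ids, rejected_requests, longest_consecutive_run)}
    for clients that present at least min_distinct different session IDs.
    A long consecutive run of IDs with many 401/403 replies is the enumeration signature;
    a 200 at the end of such a run is the takeover of someone else's active session."""
    by_ip = defaultdict(list)
    for ip, sid, status in events:
        by_ip[ip].append((sid, status))
    flagged = {}
    for ip, rows in by_ip.items():
        distinct = sorted({sid for sid, _ in rows})
        if len(distinct) < min_distinct:
            continue
        rejected = sum(1 for _, st in rows if st in (401, 403))
        run = best = 1
        for a, b in zip(distinct, distinct[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        flagged[ip] = (len(distinct), rejected, best)
    return flagged
```

A legitimate browser session reuses one ID for many requests, so the threshold on distinct IDs per client keeps normal operators from being flagged.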

3. Lack of secure connection (CVE-2023-1899 CVSS 9.4)

By default, the Power Focus 6000 web server does not establish a secure connection (TLS/SSL), which exposes sensitive information during network communication between the user and the controller. This vulnerability could allow an attacker to intercept and collect critical data by monitoring network traffic.

Proposals for remedial action and resilience

The above vulnerabilities can be eliminated by the following measures:

a. Reduce the attack surface

  • Disable the web interface: If it is not required for operation, you should consider disabling the web interface entirely and thus completely eliminating this attack surface. It should be noted that the device can then only be operated via the integrated HMI.
  • Install network segmentation: The device has firewall features that allow it to filter incoming connections based on service port, IP address, and MAC address.
  • Additional recommendation: Isolate the Power Focus device on a separate network to reduce the potential attack surface. If it is not possible to isolate the device, one should restrict the WEB-TCP port (the port on which the web server is running) to enable communication only with the necessary stations.

See the Power Focus 6000 User Manual for more details:

https://picontent.atlascopco.com/cont/external/short/html/Power_Focus_6000/en-US/18725177995.html

b. Set strong user and PIN codes

Set a strong and unique PIN code to access the device: The device allows you to set up a username of up to 32 characters and a four-digit PIN code. A strong username and PIN code provide an additional layer of authentication that prevents unauthorized attackers from gaining access to the device.

For more details, see the following guide:

https://picontent.atlascopco.com/cont/external/short/html/Power_Focus_6000/en-US/60269835.html

c. Observe the suggestions for security mechanisms in the manufacturer's manuals

User manuals usually contain detailed information about the configuration, settings and security features of industrial systems so that those responsible can understand and implement the necessary protective measures. By following the instructions in the user manual, they can ensure that Operational Technology (OT) systems are set up securely and have appropriate access controls, network segmentation and authentication mechanisms in place. All of this helps protect critical infrastructures from potential cyber threats, vulnerabilities and unauthorized access. Potential disruptions, data breaches and malicious activities can thus be prevented in advance.

Conclusion

The discovery of vulnerabilities in the Power Focus 6000 controllers should serve as a reminder of the importance of robust security measures for OT assets. The identified vulnerabilities, if exploited, could lead to financial risks due to delays in the manufacturing process. The fact that our team discovered these vulnerabilities unintentionally while conducting unrelated research underscores the importance and seriousness of these findings.

About OTORIO

OTORIO develops and markets the next generation of OT security and digital risk management solutions. The company combines the experience of leading government cybersecurity experts with cutting-edge digital risk management technologies to provide the highest level of protection for critical infrastructure and manufacturing industries. For more information, visit: http://www.otorio.com