Critical vulnerabilities in a Delta Electronics operational technology (OT) monitoring product can allow hackers to hide destructive activities from the targeted organization’s employees.
The affected product is Delta’s InfraSuite Device Master and the existence of the vulnerabilities came to light in late November, when advisories were published by the US cybersecurity agency CISA and Trend Micro’s Zero Day Initiative (ZDI), which coordinated the disclosure on behalf of researchers Piotr Bazydlo and Nguyen Dinh Hoang.
InfraSuite Device Master is described by the vendor as a data center facility monitoring software that enables real-time monitoring of critical devices, including power and cooling systems, building sensors, and industrial control systems (ICS) such as programmable logic controllers (PLCs) and power meters.
Four types of vulnerabilities have been identified, including two that have been assigned a ‘critical severity’ rating. The critical flaws can be exploited by a remote, unauthenticated attacker to execute arbitrary code on the targeted system.
The other two security holes, rated ‘high severity’, can be exploited for remote code execution and to obtain sensitive information, such as plaintext credentials.
ZDI’s Dustin Childs told SecurityWeek that one of the critical vulnerabilities, tracked as CVE-2023-47207, can be exploited from the internet if the system is accessible from the web.
“A successful exploit would allow the attacker to gain administrative privileges,” Childs explained. “They would be able to take any actions an administrator would normally be able to perform.”
In a real world environment, Childs said, an attacker could exploit the vulnerabilities to compromise InfraSuite Device Master and hide potentially important alerts from the operator.
If the attacker uses other exploits to target an OT system within the victim’s environment in an attempt to cause disruption or damage, they could also hack the Delta monitoring product to hide messages indicating a problem with the OT system.
Childs said a perfect example of such an attack in the real world is Stuxnet, in which malware was designed to cause damage to ICS associated with centrifuges at the Natanz nuclear facility in Iran, while also attempting to hide the manipulation of centrifuge behavior.