Weintek’s HMI Found with Vulnerabilities which can Allow Attackers to Exploit Devices

Weintek’s human-machine interface (HMI) products include three types of critical vulnerabilities, according to a cybersecurity researcher – who specializes in industrial control systems (ICS). 

Customers should download relevant patches and follow measures to mitigate risks, according to a technical advisory posted by the company. The risk of abuse is higher if the devices are linked to an open network, according to the study. Customers can disconnect the devices from the network and update the operating system if the device is accessible by an open network. While devices that are not attached to an open network cannot be compromised, consumers are still encouraged to update their operating systems. If a computer can be accessed via a public IP address, it is said to be exposed to an open network. 

Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska, identified the flaws; the security flaws have also been discovered in the Weintek cMT products’, EasyWeb, web-based configuration interface. HMIs (including screen-less HMIs), programmable logic controllers (PLCs), and gateways are all the affected products. 

A remote, unauthenticated attacker may use the flaws to conduct malicious JavaScript code with root privileges (CVE-2021-27446), remotely access critical information, and perform actions on behalf of an admin (CVE-2021-27444) and conduct malicious JavaScript code through a stored XSS vulnerability (CVE-2021-27442). 

There are even more than 170 cMT HMIs linked directly to the internet, according to Dudek, with networks located in Europe, Asia, and North America. According to the researcher, an attacker may exploit the first two flaws by sending a single query to the targeted computer. An attacker could take advantage of CVE-2021-27444 to extract the administrator password hash. 

In the worst-case scenario, an attacker might use the bugs to gain full control of the targeted system with root privileges, which could have significant implications in the actual world. 

“Having such high privileges, an attacker can have unlimited access to all functions of the HMI,” Dudek explained. “It could also be used as a proxy to get access to the internal network of an organization, or to have direct access to other industrial devices in the same network, such as PLCs.” 

Dudek also said that “he worked well with the vendor during the disclosure process. He said it took roughly two months to release all patches, but most of the fixes were ready one month after he reported his findings.” 

The impacted items are mainly used in the water and commercial facilities industries, according to the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory for the Weintek CMT vulnerabilities this week.