Robotron Announces Data Exfiltration Vulnerability

Today, Robotron announced the presence of a bug in their RoboAlarm® product that has been exploited in the wild to exfiltrate control system configuration files from secure control systems. Robotron spokesperson Erich Mielke explained that this bug was actually an exploit of the JavaScript CVE-2021-23406 vulnerability. Robotron has an update available to fix the vulnerability. RoboAlarm is packaged as a component of many Robotron products, including all of their HMI stations. According to Robotron’s RoboAlarm advisory the vulnerability was reported by cYbrg0D. In a tweet published right after Robotron’s announcement, cYbrg0d explained that the current vulnerability could be expanded to include process information exfiltration by modifying a specific JavaScript module. General Turgidson, the Director for the National Critical Infrastructure Security Operations Center (CI-SOC), urged all companies that owned Robotron equipment to update their RoboAlarm systems immediately. “We have documented cases where this bug has been used to exfiltrate control system configuration data,” Turgidson explained at the CI-SOC morning press conference: “This information would provide an attacker with critical intelligence needed to execute an effective attack on an industrial control system.” Kate Libby, a spokesperson for Dragonfire Cyber, explained that RoboAlarm is a messaging application used by Robotron human-machine interfaces to send remote notifications about process upset conditions to managers and engineers in an organization. The messages typically include a screen shot of the HMI to provide more details for the recipient to make more informed judgements about an alarm condition. “The system uses a .PNG file for the screen shot,” Libby explained: “So this JavaScript within the RoboAlarm product converts configuration files into .PNG files for exfiltration.” In response to a question about the underlying vulnerablity Mielke reported that Robotron had not been aware of the JavaScript vulnerability until being informed about how it impacted their RoboAlarm product by cYbeg0D. “We are going back and reviewing all of the JavaScript code used in our products.” Mielke said. CAUTIONARY NOTE: This is a future news story –Future ICS Security NewsRead More