Nozomi Networks Labs Discovers Flaws in Energy and Industrial Machinery Protection Systems

Nozomi Networks has identified three vulnerabilities on the Bently Nevada 3500 rack model manufactured by Baker Hughes, a company that develops and deploys technology solutions for energy and industrial companies. These protection systems are typically installed in environments such as refineries, petrochemical plants, hydroelectric facilities, and wind farms to detect and prevent anomalies in rotating machinery like turbines, compressors, motors, and generators.

It is crucial to highlight that one of these vulnerabilities may allow an attacker to bypass the authentication process and obtain complete access to the device by simply crafting and sending a malicious request. As the development of a patch is not planned due to legacy limitations, technical details have voluntarily been omitted from this article. By raising awareness about these vulnerabilities, Nozomi Networks aims to empower industrial organisations to proactively take steps to fortify their critical infrastructure against potential threats.

Background

Nozomi Networks Labs decided to investigate the security posture of Bently Nevada 3500 systems. Such devices are used to continuously monitor critical parameters such as vibration, temperature, and speed indicators for anticipating and preventing mechanical failures in industrial machinery.

The system is composed of a chassis that supports the installation of several expansion modules and ethernet-based communication is handled through the Transient Data Interface (TDI /22), which was the main focus of Nozomi Networks’ research. Information is exchanged using a clear-text proprietary protocol spoken by the device and the 3500 System Configuration utility.

The rack was configured to enable password protection both at access-level (‘Connect Password’) as well as at configuration level (‘Configuration Password’) to simulate a realistic scenario where both protections are enabled. The proprietary protocol was then analysed, and reverse engineered to identify possible weaknesses both at the design level as well as at the implementation level. The results of this analysis led the Nozomi Networks Labs team to discover three additional vulnerabilities that were subsequently disclosed to the vendor.

Bently Nevada Vulnerabilities

High risk

1. CVE-2023-34437: Exposure of Sensitive Information to an Unauthorised Actor (CWE-200), CVSS v3.1 Base Score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

To successfully exploit CVE-2023-34437 (Exposure of Sensitive Information to an Unauthorised Actor), an attacker only requires network access to reach the target device version with this vulnerability present to be able to exfiltrate both the ‘Connect’ and the ‘Configuration’ password by sending a malicious request. If no additional hardening measure is in place for the device, this information can be accessed and abused to fully compromise the machinery. This could impact the confidentiality, integrity and availability of processes and operations since extracted information can be leveraged to craft authenticated requests toward the target.

Medium risk

1. CVE-2023-34441: Cleartext Transmission of Sensitive Information (CWE-319), CVSS v3.1 Base Score 6.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
2. CVE-2023-36857: Authentication Bypass by Capture-replay (CWE-294), CVSS v3.1 Base Score 5.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVE-2023-34441 (Cleartext Transmission of Sensitive Information) and CVE-2023-36857 (Authentication Bypass by Capture-replay) require that an attacker gains access to one or more requests captured from a data transmission. Such a scenario might occur either as a consequence of a Man-in-the-Middle (MITM) attack, or by gaining access to verbose traces recorded by traffic inspection solutions. In terms of impact, CVE-2023-34441 was evaluated to have a higher severity than CVE-2023-36857 because all authenticated requests contain the same secret key to authenticate access, even if they belong to different sessions. This means that keys extracted from one packet can then be used to craft additional arbitrary authenticated requests toward the target for an indefinite amount of time since it is not temporarily associated to a specific session.

All these vulnerabilities were confirmed affecting firmware versions up to 5.05 and later of the /22 TDI Module (both USB and Serial version).

Recommended Mitigations

As part of the responsible disclosure process based on vulnerabilities reported by Nozomi Networks, Bently Nevada promptly provided customers with guidelines for hardening, suggesting possible ways to reduce impacts to 3500 systems in use. These principles include the following suggestions which could also be applied to reduce the severity of impacts from similar vulnerabilities:

1. RUN Mode vs CONFIG Mode: PLCs and control systems often implement physical keys to either put the device in RUN Mode or in CONFIG Mode. The latter is typically used by technicians during maintenance activities to enable writing permission of new configurations on the device. One common misconfiguration that might occur is to either forget to put back the device into RUN Mode after a maintenance activity or opt for a default always-on CONFIG Mode to facilitate remote changes. A best practice is to make sure that devices are always kept in RUN Mode whenever possible.
2. Network Segmentation: Design and implement proper network segmentation strategies to prevent unauthorised parties from interacting with critical assets. This is especially recommended for legacy solutions that are no longer actively supported by vendors.
3. Strong and Unique Passwords: Make sure to guarantee uniqueness in conjunction with robustness when choosing credentials. The former property is often underestimated but could provide defence in those scenarios where credentials extracted from a vulnerable machine or component could be easily reused over fully patched systems sharing the same credentials.
4. Non-default Enhanced Security Features: Check your device manual for security features that are not enabled by default. Often, these additional features could strongly reduce the likelihood or the impact of a specific vulnerability and mitigate ‘hard-to-patch’ situations. With respect to Bently Nevada devices, Nozomi Networks recommends customers review the various security levels made available through the configuration utility and choose the one that matches specific needs and security policy.

Summary

The vulnerabilities affecting Bently Nevada 3500 System machinery remain unpatched by the vendor. In the most severe scenario, these flaws may allow an attacker to fully compromise the device and alter its internal configuration, potentially leading to either incorrect measurements from monitored machines or in denial-of-service (DoS) attacks.

Nozomi Networks also reviewed some effective ways to harden operational technology (OT) devices to significantly reduce the impact associated with these newly discovered and disclosed vulnerabilities. For further information, it recommends asset owners review the hardening guidelines provided by Baker Hughes to confirm or improve the security posture of their operations. Nozomi Networks’ Threat Intelligence service has also been updated to detect and warn about possible vulnerable Bently Nevada installations.