Flaws in Bently Nevada 3500 Allow Attackers to Bypass Authentication

At the end of 2022, Nozomi Networks Labs began a research project on Bently Nevada Machinery Protection Systems manufactured by Baker Hughes, a company that develops and deploys technology solutions for energy and industrial companies. These protection systems are typically installed in environments such as refineries, petrochemical plants, hydroelectric facilities and wind farms to detect and prevent anomalies in rotating machinery such as turbines, compressors, motors and generators.

In this blog post, we present three vulnerabilities that we discovered on the Bently Nevada 3500 rack model, publicly disclosed in CVE-2023-34437, CVE-2023-34441 and CVE-2023-36857.

It is crucial to highlight that one of these vulnerabilities may allow an attacker to bypass the authentication process and obtain complete access to the device by simply crafting and sending a malicious request. As the development of a patch is not planned due to legacy limitations, technical details have voluntarily been omitted from this article. By raising awareness about these vulnerabilities, we aim to empower industrial organizations to proactively take steps to fortify their critical infrastructure against potential threats.

Background

Nozomi Networks Labs decided to investigate the security posture of Bently Nevada 3500 systems. Such devices are used to continuously monitor critical parameters such as vibration, temperature and speed indicators for anticipating and preventing mechanical failures in industrial machinery.

The system is composed of a chassis that supports the installation of several expansion modules. Ethernet-based communication is handled through the Transient Data Interface (TDI /22), which was also the main focus of our research. Information is exchanged using a clear-text proprietary protocol spoken by the device and the 3500 System Configuration utility (Figure 1).

Figure 1. Bently Nevada 3500 System Configuration utility.

The rack was configured to enable password protection both at the access level (“Connect Password”) and at the configuration level (“Configuration Password”), to simulate a realistic scenario where both protections are enabled. The proprietary protocol was then analyzed and reverse engineered to identify possible weaknesses at both the design level and the implementation level. The results of this analysis led the Nozomi Networks Labs team to discover three additional vulnerabilities that were subsequently disclosed to the vendor.

Bently Nevada Vulnerabilities:

High Risk

  1. CVE-2023-34437: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), CVSS v3.1 Base Score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

To successfully exploit CVE-2023-34437 (Exposure of Sensitive Information to an Unauthorized Actor), an attacker only requires network access to a device running an affected version: a single malicious request is enough to exfiltrate both the “Connect” and the “Configuration” password. If no additional hardening measure is in place for the device, this information can be accessed and abused to fully compromise the machinery. This could impact the confidentiality, integrity and availability of processes and operations, since the extracted information can be leveraged to craft authenticated requests toward the target.

Medium Risk

  1. CVE-2023-34441: Cleartext Transmission of Sensitive Information (CWE-319), CVSS v3.1 Base Score 6.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L)
  2. CVE-2023-36857: Authentication Bypass by Capture-replay (CWE-294), CVSS v3.1 Base Score 5.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVE-2023-34441 (Cleartext Transmission of Sensitive Information) and CVE-2023-36857 (Authentication Bypass by Capture-replay) require that an attacker gains access to one or more requests captured from a data transmission. Such a scenario might occur either as a consequence of a Man-in-the-Middle (MitM) attack, or by gaining access to verbose traces recorded by traffic inspection solutions. In terms of impact, CVE-2023-34441 was evaluated to have a higher severity than CVE-2023-36857 because all authenticated requests contain the same secret key to authenticate access, even if they belong to different sessions. This means that a key extracted from one packet can be used to craft additional arbitrary authenticated requests toward the target for an indefinite amount of time, since the key is not bound to a specific session.
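The weakness described above is a design-level one: when every authenticated request carries the same static secret, any captured request remains valid forever. The following Python model, added here as an illustration and not code from Nozomi Networks or Baker Hughes, contrasts such a static-key scheme with one where the device issues a single-use nonce and the client proves knowledge of the secret with an HMAC over that nonce and the command. The wire format (`key`, `nonce`, `command`, `tag` fields) is constructed for this example and is not the 3500 rack protocol.

```python
"""Added illustration, not the Bently Nevada 3500 protocol: why a static secret
sent in every request is replayable (CWE-294, and in cleartext also CWE-319),
and how a server-issued, single-use nonce stops the replay."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class StaticKeyDevice:
    """Model of the weak design: every request carries the same secret, so the
    device cannot distinguish a fresh request from a resent capture."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def handle(self, request: Dict) -> bool:
        # The only check is whether the request carries the static secret.
        return hmac.compare_digest(request["key"], self.secret)


def static_client_request(secret: bytes, command: str) -> Dict:
    # The secret itself travels on the wire (constructed format).
    return {"key": secret, "command": command}


class NonceDevice:
    """Hardened design: the device hands out a random nonce per request and
    accepts it only once; the secret never leaves either endpoint."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, request: Dict) -> bool:
        nonce = request["nonce"]
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: reject
        self.outstanding.discard(nonce)  # single use
        msg = nonce + request["command"].encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # Tag binds the command too, so a captured tag cannot be moved to another command.
        return hmac.compare_digest(expected, request["tag"])


def nonce_client_request(secret: bytes, nonce: bytes, command: str) -> Dict:
    tag = hmac.new(secret, nonce + command.encode(), hashlib.sha256).digest()
    return {"nonce": nonce, "command": command, "tag": tag}


def replay_static(secret: bytes) -> Tuple[bool, bool]:
    """Returns (original request accepted, identical replay accepted)."""
    dev = StaticKeyDevice(secret)
    captured = static_client_request(secret, "READ_CONFIG")
    first = dev.handle(captured)
    replayed = dev.handle(dict(captured))  # same bytes resent later
    return first, replayed


def replay_nonce(secret: bytes) -> Tuple[bool, bool]:
    """Same experiment against the nonce-bound design."""
    dev = NonceDevice(secret)
    captured = nonce_client_request(secret, dev.challenge(), "READ_CONFIG")
    first = dev.handle(captured)
    replayed = dev.handle(dict(captured))
    return first, replayed


if __name__ == "__main__":
    print("static key : original/replay accepted =", replay_static(b"rack-secret"))
    print("nonce bound: original/replay accepted =", replay_nonce(b"rack-secret"))
```

The nonce design is what the CVSS vector for CVE-2023-36857 implicitly asks for: a captured request is worthless once its nonce has been consumed, and because the secret is only ever used as an HMAC key, capturing traffic (the precondition for CVE-2023-34441) no longer yields the credential. For a legacy device that cannot be changed, the same property has to come from outside, which is why the mitigations below lean on segmentation and session hygiene.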

All of these vulnerabilities were confirmed to affect firmware versions up to 5.05 and later of the /22 TDI Module (both the USB and the Serial version).

Recommended Mitigations

As part of the responsible disclosure process based on vulnerabilities reported by Nozomi Networks, Bently Nevada promptly provided customers with some guidelines for hardening, suggesting possible ways to reduce impacts to 3500 systems in use. These principles include the following suggestions which could also be applied to reduce the severity of impacts from similar vulnerabilities:

  1. RUN Mode vs CONFIG Mode: PLCs and control systems often implement physical keys to put the device either in RUN Mode or in CONFIG Mode. The latter is typically used by technicians during maintenance activities to allow new configurations to be written to the device. One common misconfiguration is either forgetting to put the device back into RUN Mode after a maintenance activity, or opting for an always-on CONFIG Mode to facilitate remote changes. A best practice is to make sure that devices are always kept in RUN Mode whenever possible.
  2. Network Segmentation: Design and implement proper network segmentation strategies to prevent unauthorized parties from interacting with critical assets. This is especially recommended for legacy solutions that are no longer actively supported by vendors.
  3. Strong and Unique Passwords: Choose credentials that are both robust and unique. The latter property is often underestimated, but it provides a defense in those scenarios where credentials extracted from a vulnerable machine or component could otherwise be reused against fully patched systems sharing the same credentials.
  4. Non-default Enhanced Security Features: Check your device manual for security features that are not enabled by default. Often, these additional features could strongly reduce the likelihood or the impact of a specific vulnerability and mitigate “hard-to-patch” situations. With respect to Bently Nevada devices, we invite customers to review the various security levels made available through the configuration utility and choose the one that matches specific needs and security policy.
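The third recommendation is the one an asset owner can verify without touching the devices. The script below, added here as an example and not code from Nozomi Networks or Baker Hughes, audits a constructed inventory of per-device “Connect” and “Configuration” passwords for exactly the two properties the guidance names: uniqueness across devices (so a password exfiltrated via CVE-2023-34437 from one rack does not open another) and basic robustness. Asset names, passwords and the strength thresholds are assumptions made for the illustration.

```python
"""Added example (not vendor code): audit an OT credential inventory for reuse
across devices and for weak passwords. The inventory below is constructed."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: (asset, credential role, password). In practice this
# would be read from a password manager export, never kept in a plain file.
INVENTORY: List[Tuple[str, str, str]] = [
    ("rack-01", "connect", "Bn3500!turbine-A7x"),
    ("rack-01", "config", "Bn3500!turbine-A7x"),   # reused within the device
    ("rack-02", "connect", "Bn3500!turbine-A7x"),  # reused across devices
    ("rack-02", "config", "admin1234"),            # weak and common
    ("rack-03", "connect", "Rv9#kLp2$wQz8mT4"),
    ("rack-03", "config", "H7!xPq3&zLm9@Vn2"),
]

# Assumed deny-list of common/default strings; a real audit would use a larger one.
COMMON_PASSWORDS = {"admin", "admin1234", "password", "123456", "bently"}
MIN_LENGTH = 12          # assumed policy threshold
MIN_CLASSES = 3          # lower, upper, digit, symbol


def strength_issues(pw: str) -> List[str]:
    """Return the robustness problems of a single password (empty list = ok)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        issues.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common/default password")
    return issues


def fingerprint(pw: str) -> str:
    # Truncated digest used only to group equal passwords in the report,
    # so the report itself never contains a secret.
    return hashlib.sha256(pw.encode()).hexdigest()[:12]


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map 'asset/role' -> list of findings; entries with no findings are omitted."""
    findings: Dict[str, List[str]] = defaultdict(list)
    holders: Dict[str, List[str]] = defaultdict(list)
    for asset, role, pw in inventory:
        ident = f"{asset}/{role}"
        holders[fingerprint(pw)].append(ident)
        findings[ident].extend(strength_issues(pw))
    # Uniqueness: any fingerprint held by more than one credential is a reuse finding.
    for users in holders.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append(f"password shared with {others}")
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for ident, issues in sorted(audit(INVENTORY).items()):
        print(ident)
        for issue in issues:
            print("   -", issue)
```

Reuse is reported on every holder of the shared password rather than once, so each device owner sees the finding against their own asset; with the constructed inventory, rack-03 produces no findings while rack-01 and rack-02 are flagged for sharing and rack-02's configuration password is additionally flagged as weak.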

Summary

In this blog, we have revealed three vulnerabilities affecting Bently Nevada 3500 system machinery, which remain unpatched by the vendor. In the most severe scenario, these flaws could allow an attacker to fully compromise the device and alter its internal configuration, potentially leading to either incorrect measurements from monitored machines, or denial-of-service attacks.

We also reviewed some effective ways to harden OT devices to significantly reduce the impact associated with these newly discovered and disclosed vulnerabilities. For further information we invite asset owners to review the hardening guidelines provided by Baker Hughes to confirm or improve the security posture of their operations. For Nozomi Networks customers, our Threat Intelligence service has also been updated to detect and warn about possible vulnerable Bently Nevada installations.