Industrial gateways are the backbone of modern connected infrastructure, acting as critical bridges between operational technology (OT) and information technology (IT) networks. These devices enable seamless communication between various industrial systems, such as sensors, controllers, and centralized management platforms, across diverse environments like manufacturing plants, smart buildings, and healthcare facilities. Understanding the role of industrial gateways, their vulnerabilities, and how to secure them is essential for safeguarding critical infrastructures.
In this blog post we uncover three vulnerabilities discovered by Nozomi Networks Labs while analyzing the Zettler 130.8005 device. These vulnerabilities include an authentication bypass, which could allow an unauthenticated attacker to take control over the device, and other issues that expose it to denial-of-service attacks.
Despite multiple responsible disclosure attempts, the vendor has not responded to address these issues. This lack of engagement leaves affected devices exposed to potential exploitation, heightening the need for alternative mitigation measures to protect critical systems as underlined in the “Remediations” section. Since the 130.8005 device was also distributed under other brands, such as EZ Care (a division of Schrack Seconet), it is possible that different variants of the product are also affected by the same vulnerabilities.
This article highlights the discovered security vulnerabilities, examines their possible consequences, and offers suggested mitigation measures. For a detailed overview of impacted devices and versions, please see the section titled “Vulnerability List and Affected Versions” below.
Research Scope
Nozomi Networks Labs conducted an in-depth vulnerability research analysis on the Zettler 130.8005 TCP/IP industrial gateway (Figure 1). This device, designed for DIN rail installation, facilitates communication between LonWorks cable lines and Ethernet networks. Its versatility and robust functionality make it a key component in various sectors, ranging from medical applications, such as nursing call systems and mobile communication, up to building automation systems like fire alarm networks. Additionally, the gateway enables cross-station communication via TCP/IP and VoIP protocols, supports remote diagnostics and maintenance through an integrated web server, and integrates with legacy systems for seamless functionality. This widespread usage highlights its critical role in ensuring operational efficiency and safety across diverse environments.

LonWorks, short for Local Operating Network, is an open standard networking platform (ISO/IEC 14908) developed by Echelon Corporation to meet the specific requirements of control applications. It enables devices to communicate over various media, including twisted pair cables, power lines, fiber optics, and wireless connections. Widely adopted in building automation, LonWorks facilitates the integration and management of systems such as lighting and HVAC (heating, ventilation, and air conditioning), enhancing operational efficiency and control. Since this technology cannot automatically integrate with the standard LAN-based networks typical of IT environments, solutions like the 130.8005 industrial gateway were created to overcome this limitation and facilitate remote monitoring.
Figure 2 illustrates a sample network diagram, showcasing how the Zettler 130.8005 functions as a bridge between the LON network and the Ethernet network in a medical environment. In this scenario, different types of equipment, all part of a nurse call system used by patients to ask for support, are wired to the industrial gateway.

What Are the Impacts of These Vulnerabilities?
The two most impactful vulnerabilities are CVE-2024-12011 and CVE-2024-12013. CVE-2024-12011 allows an unauthenticated remote attacker to bypass the web interface's authentication, potentially enabling arbitrary modifications. However, this vulnerability is significantly mitigated by the prerequisite that the attacker must wait for a legitimate user to authenticate via the web application. Additionally, the attacker’s actions are confined to the permissions of the authenticated user and restricted to a brief window of time corresponding to the session duration.
CVE-2024-12013 highlights the use of default credentials, which provide access to certain filesystem resources. Default credentials, often pre-set by manufacturers for initial setup, are widely known or particularly easy to guess, making them a common target for attackers. If these credentials are not replaced by administrators, attackers can exploit them to bypass authentication and gain control over the device. The analysis of the web application revealed no immediate method to update the default credentials, therefore leaving the device vulnerable until a maintenance intervention is performed.
These vulnerabilities can be exploited to alter the device's configuration, potentially disrupting the proper communication of LON devices connected to the gateway. This disruption can have significant consequences for the operational integrity of industrial systems relying on these devices. For instance, improper configuration or interrupted communication may lead to system malfunctions, reduced efficiency, or even complete operational downtime. In environments like manufacturing plants, smart buildings, or healthcare facilities, such disruptions could result in production halts, compromised safety mechanisms, or delays in critical services, underscoring the severity of these vulnerabilities.
Vulnerability Spotlight
For this blog’s “Vulnerability Spotlight” we decided to focus on CVE-2024-12011, a Buffer Over-read (CWE-126) vulnerability that can be exploited to steal sensitive information. This issue is particularly significant for two key reasons. First, it can be exploited by unauthenticated users with the ability to interact with the device over the network; second, it once again highlights the enduring prevalence of memory corruption vulnerabilities inherent in memory-unsafe programming languages such as C and C++.
A buffer over-read vulnerability occurs when a program reads more data from a buffer than it is intended or allocated to access. Buffers are memory spaces used to temporarily store data like user input or file contents. If a program fails to validate data length, it can access memory beyond the buffer, exposing sensitive information such as passwords or encryption keys. Attackers exploit buffer over-reads to leak data or cause crashes, posing serious security risks. These vulnerabilities can also bypass protections like Address Space Layout Randomization (ASLR) and Position Independent Code (PIE), which obscure memory locations and make exploit writing harder for attackers. A notable example is the Heartbleed bug in OpenSSL, a library for secure internet communication. Heartbleed exploited a flaw in the TLS/DTLS heartbeat extension, enabling attackers to retrieve up to 64 kilobytes of memory beyond the buffer. This exposed private keys, session cookies, and passwords, undermining encrypted communication.
In a similar way, CVE-2024-12011 can be exploited by remote attackers while another user is logged into the system to leak the authentication token currently associated with that user's session. Figure 3 highlights the token returned as part of the response from the web server; notice that other memory-related information is returned as well, consisting of garbage data and addresses present in the process memory.
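The following C snippet is an added illustration of the buffer over-read class (CWE-126) described above, in the style of the heartbeat bug: it is constructed example code, not the gateway firmware or GoAhead source, and its wire format (one declared-length byte followed by the payload), the handler names and the adjacent "TOKEN123" memory image are all assumptions made for the demonstration. The vulnerable handler trusts the declared length, so its copy runs past the received message into whatever sits next to it in memory; the hardened handler bounds the declared length by the bytes actually received and rejects the mismatch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format: one declared-length byte, then the payload. */
typedef struct {
    const uint8_t *buf;   /* start of the received message */
    size_t         recvd; /* bytes actually received from the socket */
} request_t;

/* Vulnerable (CWE-126): trusts the declared length and never compares it
 * with 'recvd', so memcpy reads past the message into adjacent memory.
 * The outcap check protects only the destination buffer, not the source. */
size_t echo_vulnerable(const request_t *req, uint8_t *out, size_t outcap) {
    size_t declared = req->buf[0];
    if (declared > outcap) declared = outcap;
    memcpy(out, req->buf + 1, declared);
    return declared;
}

/* Hardened: the declared length must fit inside what was really received;
 * a mismatch is rejected rather than silently clamped. */
size_t echo_hardened(const request_t *req, uint8_t *out, size_t outcap) {
    if (req->recvd < 1) return 0;
    size_t declared = req->buf[0];
    if (declared > req->recvd - 1 || declared > outcap) return 0;
    memcpy(out, req->buf + 1, declared);
    return declared;
}

/* Constructed memory image: a 3-byte message claiming 8 payload bytes,
 * immediately followed by a session token as a process heap might hold it. */
static const uint8_t g_mem[] = { 8, 'h', 'i', 'T','O','K','E','N','1','2','3' };
/* Constructed well-formed message: declared length matches the payload. */
static const uint8_t g_ok[]  = { 2, 'h', 'i' };

/* Returns 1 if the vulnerable handler copied part of the adjacent token. */
int demo_leaks_token(void) {
    request_t req = { g_mem, 3 };
    uint8_t out[64];
    size_t n = echo_vulnerable(&req, out, sizeof out);
    return n == 8 && memcmp(out + 2, "TOKEN1", 6) == 0;
}

/* Bytes the hardened handler echoes: 0 for the lying message, 2 for g_ok. */
size_t demo_hardened_bytes(const uint8_t *mem, size_t recvd) {
    request_t req = { mem, recvd };
    uint8_t out[64];
    return echo_hardened(&req, out, sizeof out);
}
```

The same defect pattern is what allows a response to carry a neighbouring session token, which is why the length a peer declares must always be checked against the length the socket actually delivered.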

Once this value is obtained, attackers can attempt to invoke post-auth APIs on the device to perform arbitrary modifications, provided the compromised user has sufficient permissions. Given that the web server uses the GoAhead framework, additional analysis was performed to investigate whether other projects relying on it might be similarly affected. While no vulnerabilities related to this specific issue were identified in the GoAhead codebase, other findings were discovered and are detailed in our related blog on GoAhead vulnerabilities that may affect web servers.
Vulnerability List and Affected Versions
The table below lists the vulnerabilities confirmed to be present in firmware version 12h of the Zettler 130.8005 TCP/IP gateway. Results are sorted by CVSS 3.1 score from most to least severe. As mentioned in the introductory section of this blog post, it is possible that other versions of the 130.8005 device, sold under different brand names (e.g., EZ Care by Schrack Seconet), are also affected by the same issues.
Remediations
Nozomi Networks Labs made extensive efforts to contact the vendor regarding the reported issues, reaching out through multiple communication channels over an extended period. This process included involving the Cybersecurity and Infrastructure Security Agency (CISA) and leveraging relationships with the vendor's past partners to facilitate communication. Despite these efforts, the vendor did not provide any response or acknowledgment to address the identified vulnerabilities. As a result, no updated firmware or patches were known to have been released to resolve these issues at the time this blog post was published.
Given the absence of a vendor response or a firmware update, customers are strongly urged to take proactive steps to secure their systems. Implementing robust security practices such as network segmentation using VLANs can help isolate the vulnerable devices from critical parts of the network. Additionally, creating and enforcing strict, device-specific access control rules through firewalls can significantly reduce the risk of unauthorized access or malicious activity targeting these devices.