Vulnerabilities in Martem TELEM-GW6/GWM data concentrators could enable remote attackers to gain control of the industrial process, cause denial of service and execute arbitrary code
# Vulnerability: Multiple Critical Flaws in Martem TELEM-GW6/GWM Data Concentrators
## CVE Details
- **CVE ID:** CVE-2018-10614, CVE-2018-10610, CVE-2018-10612, CVE-2018-10616, CVE-2018-10594, CVE-2018-10618, CVE-2018-10602, CVE-2018-10620
- **CVSS Score:** 9.8 (Critical) - *Composite score for the most severe flaws*
- **CWE:** CWE-22 (Path Traversal), CWE-287 (Improper Authentication), CWE-78 (OS Command Injection), CWE-79 (XSS), CWE-434 (Unrestricted Upload)
## Affected Systems
- **Products:** Martem TELEM-GW6 and TELEM-GWM Data Concentrators
- **Versions:** All firmware versions prior to v1.4.1
- **Configurations:** Devices exposed to the network with default settings or accessible web management interfaces.
## Vulnerability Description
The Martem TELEM series suffers from several critical security flaws that compromise the entire device lifecycle:
1. **Command Injection:** The web interface allows unauthenticated or low-privilege users to execute arbitrary OS commands via improperly sanitized input fields.
2. **Path Traversal:** Attackers can access sensitive system files (including credentials) outside the intended web root directory.
3. **Authentication Bypass:** Certain administrative functions do not properly validate session tokens or user identity.
4. **Unrestricted File Upload:** The firmware update and configuration mechanisms allow for the upload of malicious scripts that can be executed with root privileges.
## Exploitation
- **Status:** Proof-of-concept exploitation documented; no widespread "in the wild" exploitation reported at the time of publication, but the risk is high for targeted ICS environments.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Exposure of process data and system credentials)
- **Integrity:** Total (Unauthorized modification of industrial process logic and configurations)
- **Availability:** Total (Ability to brick the device or cause a permanent Denial of Service)
## Remediation
### Patches
- **Recommended Version:** Upgrade to **Firmware v1.4.1** or later.
- Martem has released updated firmware that addresses the input validation and authentication logic errors.
### Workarounds
- **Network Segmentation:** Place data concentrators behind a firewall and isolate them from the business network and the public internet.
- **Access Control:** Restrict access to the management web interface to specific, trusted IP addresses using ACLs.
- **VPN/Tunneling:** Use secure encrypted tunnels (e.g., OpenVPN or IPsec) for all remote maintenance and data collection.
## Detection
- **Indicators of Compromise:**
  - Unusual system reboots or service interruptions.
  - Presence of unknown files in `/tmp/` or web server directories.
  - Logic changes in the data concentration tables not authorized by engineering.
- **Detection methods:**
  - Monitor web server logs for strings containing directory traversal sequences (e.g., `../`, `..%2f`).
  - Audit specialized ICS network traffic for unexpected administrative commands originating from external IPs.
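A log scanner implementing the first detection method above, added here as an example (it is not part of the advisory or of any vendor tooling): it percent-decodes each requested path repeatedly, so that double-encoded variants such as `..%252f` are caught alongside `../` and `..%2f`, and reports the client, status code and raw path of every matching request. The access-log lines, the `/cgi-bin/view` endpoint name and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real device logs).
# The endpoint name and client addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2018:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [28/May/2018:10:12:09 +0000] "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1" 200 1043
10.0.0.7 - - [28/May/2018:10:12:15 +0000] "GET /cgi-bin/view?file=..%2f..%2fetc%2fshadow HTTP/1.1" 403 215
10.0.0.9 - - [28/May/2018:10:13:40 +0000] "GET /cgi-bin/view?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 987
10.0.0.5 - - [28/May/2018:10:14:02 +0000] "GET /static/css/main.css HTTP/1.1" 200 2210
"""

# client, timestamp, method, request path, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A ".." segment followed by a separator or the end of the string, after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def normalize(path, rounds=3):
    """Percent-decode until stable (bounded), then unify backslashes to slashes."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(path):
    """True if the decoded request path contains a directory traversal sequence."""
    return TRAVERSAL_RE.search(normalize(path)) is not None


def scan_log(text):
    """Return (client_ip, status, raw_path) for each request carrying a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        ip, _ts, _method, path, status = m.groups()
        if has_traversal(path):
            hits.append((ip, int(status), path))
    return hits


if __name__ == "__main__":
    for ip, status, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {path}")
```

Note that a 403 response still counts as an attempt worth alerting on; the scanner reports the status so the analyst can tell blocked probes from requests the device answered.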
## References
- **Vendor Advisory:** hxxp[://]martem[.]eu/
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/05/28/vulnerabilities-in-martem-telem-gw6-gwm-data-concentrators/
- **CISA Advisory (ICSA-18-144-01):** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-144-01