Full Report
Researcher Jose Bertin described the exploitation of several vulnerabilities in a Tekon-Automatics automation solution. We analyze the real scope of what has happened and offer our take on whether this can be considered ethical vulnerability disclosure.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Tekon-Automatics Industrial Solutions
## CVE Details
- **CVE ID:** CVE-2022-26210, CVE-2022-26211, CVE-2022-26212, CVE-2022-26213, CVE-2022-26214
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-22 (Path Traversal), CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** PK-70 programmable controllers; Tekon OPC Server; Tekon-Contract software (used for managing heat and power engineering systems).
- **Versions:** All versions released prior to March 2022.
- **Configurations:** Systems exposed directly to the internet via port 80 (Web interface) or specific industrial protocol ports (e.g., 2011/TCP).
## Vulnerability Description
The flaws stem from a lack of proper authentication and input validation in the web management interfaces and communication modules.
- **Path Traversal:** Allows unauthenticated attackers to read sensitive configuration files or system logs.
- **Broken Authentication:** The administrative interface can be accessed or bypassed, allowing unauthorized configuration changes.
- **Protocol Vulnerabilities:** Weaknesses in the proprietary communication protocols allow for remote command execution or manipulation of industrial process data directly on the PK-70 controllers.
## Exploitation
- **Status:** PoC available (Published by researcher Jose Bertin).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to configuration and process data)
- **Integrity:** High (Ability to modify controller logic and setpoints)
- **Availability:** High (Ability to crash the controller or disrupt industrial processes)
## Remediation
### Patches
- The vendor, Tekon-Automatics, has worked to release updated firmware and software versions. Users should contact the vendor directly for the most recent secure builds (the fixed builds are those released after March 2022).
### Workarounds
- **Network Isolation:** Ensure industrial controllers (PK-70) are not accessible via the public internet.
- **VPN/Firewalling:** Use secure VPN tunnels for remote access and implement strict firewall rules (ACLs) to limit access to ports 80, 2011, and 443.
- **Port Disabling:** Disable the web server on the PK-70 if it is not required for daily operations.
## Detection
- **Indicators of Compromise:** Unusual traffic on TCP ports 80 or 2011; unauthorized administrative logins in system logs; unexpected changes to PLC (Programmable Logic Controller) logic.
- **Detection Methods:** Monitor for HTTP requests containing directory traversal sequences (e.g., `../`). Use ICS-aware intrusion detection systems (IDS) to monitor for abnormal protocol commands sent to Tekon devices.
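The two detection methods above can be turned into a small log-review script. The following is an added example written for this summary; it is not code from the original page, from Kaspersky ICS-CERT, or from Tekon-Automatics. It assumes Apache/nginx-style combined access log lines from the controller's web interface and simple `(src, dst, dport)` flow records; the sample log lines, flow records and the engineering-host allowlist are all constructed for the example. It goes slightly beyond the `../` indicator in the text by decoding URL-encoded and double-encoded traversal sequences (`%2e%2e%2f`, `%252e%252e%252f`, `..%5c`) before matching, since a plain string match on `../` misses those.

```python
"""Detection helpers for the indicators listed above (added example, not from the
original page). Assumes combined-format access log lines and (src, dst, dport)
flow tuples; all sample data below is constructed."""
import re
from urllib.parse import unquote

# Constructed sample web-server log lines; 10.0.0.x is the plant network,
# 198.51.100.7 is an arbitrary external address (RFC 5737 documentation range).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Apr/2022:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1024
198.51.100.7 - - [01/Apr/2022:10:00:03 +0000] "GET /cgi/%2e%2e%2f%2e%2e%2fconfig.ini HTTP/1.1" 200 2048
198.51.100.7 - - [01/Apr/2022:10:00:04 +0000] "GET /%252e%252e%252fsystem.log HTTP/1.1" 404 0
10.0.0.6 - - [01/Apr/2022:10:00:05 +0000] "GET /status?page=..%5c..%5cboot.ini HTTP/1.1" 200 300
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Forward-slash and backslash traversal sequences after decoding.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')


def normalize_path(raw):
    """Percent-decode repeatedly (up to three rounds) so that double- and
    triple-encoded traversal sequences are reduced to literal '../' or '..\\'."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def find_traversal(log_text):
    """Return one record per access-log line whose decoded request path
    contains a directory traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = normalize_path(m.group("path"))
        if TRAVERSAL.search(decoded):
            hits.append({
                "src": m.group("src"),
                "timestamp": m.group("ts"),
                "path": m.group("path"),
                "decoded": decoded,
                "status": int(m.group("status")),
            })
    return hits


# Constructed flow records (src_ip, dst_ip, dst_port) toward a PK-70 at 10.0.1.20.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 2011),
    ("198.51.100.7", "10.0.1.20", 2011),
    ("198.51.100.7", "10.0.1.20", 80),
    ("10.0.0.5", "10.0.1.20", 443),
]
# Assumption: only the engineering workstation may talk to the controllers.
ENGINEERING_HOSTS = {"10.0.0.5"}
# Ports named in the workaround and detection sections above.
MONITORED_PORTS = {80, 2011, 443}


def unexpected_controller_traffic(flows, allowed_sources=ENGINEERING_HOSTS,
                                  ports=MONITORED_PORTS):
    """Flag flows to the monitored ports whose source is not on the allowlist;
    any hit is 'unusual traffic on TCP ports 80 or 2011' in the sense above."""
    return [f for f in flows if f[2] in ports and f[0] not in allowed_sources]


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_ACCESS_LOG):
        print(f"traversal from {h['src']}: {h['path']} -> {h['decoded']} (HTTP {h['status']})")
    for f in unexpected_controller_traffic(SAMPLE_FLOWS):
        print(f"unexpected flow {f[0]} -> {f[1]}:{f[2]}")
```

A `200` status on a traversal hit is the case worth escalating first, since it suggests the file was actually served; a `404` still records the attempt. The repeated decoding loop is capped so that a pathological request cannot keep the parser busy.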
## References
- **Vendor Advisory:** hxxps[://]tekon[.]ru/
- **Kaspersky Analysis:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/blog/2022/03/31/vulnerabilities-in-tekon-automatics-solution-irresponsible-disclosure-and-scope-of-the-problem/
- **Researcher Original Report:** hxxps[://]github[.]com/j0be/ (Search for Tekon-Automatics)