Researchers at BitSight TRACE found multiple 0-day vulnerabilities in ATG systems used to manage fuel storage tanks, posing risks to public safety and economic stability. These flaws could lead to physical damage, environmental hazards, and financial loss.
0-day flaws in Automated Tank Gauge systems
Automatic Tank Gauging (ATG) systems monitor and record fuel levels, volume, and temperature in storage tanks. These systems are essential for gas stations, military bases, airports, hospitals, and power plants, ensuring environmental compliance and efficient inventory management.
However, because many ATG systems are connected to the internet, they are exposed to cyberattacks from malicious actors who could disrupt critical infrastructure or cause environmental and economic damage. This exposure highlights the need for stronger security measures in these crucial systems.
All about the Vulnerability
BitSight TRACE discovered 11 critical vulnerabilities in ATG systems, including OS command injection, authentication bypasses, hardcoded credentials, and SQL injection. These flaws grant attackers full administrative control. Each vulnerability has a CVE identifier and a high CVSS score, underscoring its severity.
| Product | Vulnerability Type | CVE | CVSS 3.1 Score |
|---|---|---|---|
| Maglink LX | OS Command Injection | CVE-2024-45066 | 10.0 |
| Maglink LX | OS Command Injection | CVE-2024-43693 | 10.0 |
| Maglink LX4 | Hardcoded Credentials | CVE-2024-43423 | 9.8 |
| OPW SiteSentinel | Authentication Bypass | CVE-2024-8310 | 9.8 |
| Proteus® OEL8000 | Authentication Bypass | CVE-2024-6981 | 9.8 |
| Maglink LX | Authentication Bypass | CVE-2024-43692 | 9.8 |
| Alisonic Sibylla | SQL Injection | CVE-2024-8630 | 9.4 |
| Maglink LX | XSS | CVE-2024-41725 | 8.8 |
| Maglink LX4 | Privilege Escalation | CVE-2024-45373 | 8.8 |
| Franklin TS-550 | Arbitrary File Read | CVE-2024-8497 | 7.5 |
Exploiting these vulnerabilities can lead to severe outcomes:
- Denial of Service (DoS): Attackers can disable ATG systems by altering settings or firmware.
- Physical Damage: Manipulating tank parameters could cause fuel leaks or disable alarms.
- Data Theft: Sensitive data may be stolen and sold.
- Network Intrusion: ATG systems could become gateways for further attacks.
These risks highlight the need for stronger security to protect these systems.
Mitigation
BitSight worked with CISA and vendors to address ATG vulnerabilities over six months. CISA has issued advisories to help secure systems. Organizations should disconnect ATGs from the internet and prioritize cybersecurity to prevent potential attacks.