Software powering Orpak fuel stations used insecure hard-coded credentials

• The software also had multiple security vulnerabilities that could be exploited remotely or someone with low skill.
• The hard-coded credential flaw was rated 9.8 out of 10 on the CVSS v3 scale.

Orpak Systems, known as Orpak, contained a string of security vulnerabilities in its fuel station management software, Siteomat. One of the serious flaws among them was the use of hard-coded usernames and passwords for application login. This flaw could have allowed attackers to conveniently access customer details, and then steal sensitive information.

Other flaws included those that led to remote code execution and denial of service(DoS) conditions. All these vulnerabilities were described in an advisory released by the Cybersecurity and Infrastructure Security Agency (CISA).

What are the vulnerabilities?

• The advisory detailed six vulnerabilities present in Orpak Siteomat. While four of them affected versions prior to 6.4.414.084, two flaws - stack-based buffer overflow and Code Injection flaw affected versions prior to 6.4.414.122.
• It also suggests that anyone with low skill could exploit these flaws. Furthermore, these flaws are remotely exploitable.
• The most critical among them was the hard-coded credential flaws (CVE-2017-14728), which had a CVSS v3 score of 9.8 out of 10.
• Other flaws are cross-site scripting (CVE-2017-14850, CVSS v3 6.1), SQL injection flaw (CVE-2017-14851, CVSS v3 9.4), authentication bypass (CVE-2017-14852, CVSS v3 8.6), code injection (CVE-2017-14853, CVSS v3 8.6) and stack-based buffer overflow (CVE-2017-14854, CVSS v3 9.1).
• Ido Naor of Kaspersky Labs discovered these vulnerabilities in the software.

Thousands of stations affected

TechCrunch indicated that the vulnerable Siteomat software impacted thousands of service stations across the US.

“A cursory search of Shodan, a search engine for publicly available devices and databases, revealed more than 570 Orpak systems are connected to the internet out of more than 35,000 service stations across 60 countries. Most of the exposed systems are located in the U.S,” TechCrunch reported.

What action was taken?

Upon learning the vulnerabilities, Orpak has released the latest software version 6.4.414.139 which remediates all these flaws. Owners are advised to update to this latest version.