Multiple Critical Vulnerabilities in Weintek HMI Products: CVE-2024-55019 to CVE-2024-55027
1. EXECUTIVE SUMMARY
- Vendor: Weintek
- Equipment / Component: cMT-3072XH2; easyweb web interface and various CGI endpoints
- Web Version: V2.1.53
- OS Version: 20231011
- Vulnerabilities (summary):
  - Default HMI service account credentials (developer, weintekOS)
  - Persistent command injection via HMI name configuration
  - Real-time command injection in DHCP configuration
  - Unauthorized VNC access using built-in service accounts
  - Unauthorized HMI control via reset_pj.cgi
  - Unauthenticated file download / improper validation
  - Hardcoded encryption keys in JSON communication
  - Plaintext storage of user credentials
  - Static default FTP account credentials
2. RISK EVALUATION
The identified vulnerabilities present critical security risks due to multiple, potentially chained attack paths:
- Authentication and Access Control Risks
  - Built-in/default accounts and VNC authorization issues enable unauthorized HMI access.
  - An attacker on the same network may be able to interact with or control industrial HMI interfaces without proper administrative credentials.
  - Certain system control functions are exposed via web endpoints without sufficient authorization checks.
- System Integrity and Privilege Escalation
  - Command injection vulnerabilities enable execution of system-level commands, potentially leading to privilege escalation.
  - Insecure file upload/download mechanisms and insufficient input validation increase the risk of arbitrary code execution and system integrity compromise.
- Credential and Cryptography Risks
  - Plaintext storage of credentials and hardcoded cryptographic keys allow attackers to discover credentials and decrypt sensitive communications.
  - Static, unchangeable default service credentials create persistent access vectors.
- Unmodifiable Account Risks
  - Built-in service accounts that cannot be disabled or modified by administrators create long-lived security weaknesses that end users cannot address through configuration.
Overall Impact: Combined, these issues allow an attacker with network access to fully compromise the HMI environment, potentially gaining persistent administrative control of the device and affecting connected industrial processes.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS