
Resiliency in an Evolving Threat Landscape: How MetaDefender Industrial Firewall Protects Against the Latest CVEs

by OPSWAT

With the increasing concern of vulnerabilities impacting production systems, there is a need to layer defensive technologies to support critical infrastructure and maximize uptime. CISA publishes hundreds of ICS Common Vulnerabilities and Exposures (CVEs) annually, and it can be a challenge for operators to stay ahead of them.

As recently reported by the Cybersecurity & Infrastructure Security Agency (CISA), flaws have been identified in the Bently Nevada 3500 (BN3500) system that can allow threat actors to circumvent authentication. The flaws have officially been designated as CVEs and pose risks to organizations unless they’re mitigated, and Baker Hughes – Bently Nevada has already recommended that users follow its hardening guidelines to reduce the risk of exploitation.

In this post we'll look at the three specific vulnerabilities and explore how OPSWAT can help address and mitigate the risk, not only from these CVEs but from the vulnerabilities that other OT vendors' products are constantly found to have.

Vulnerability Overview

CVE-2023-34437

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 has a vulnerability in its password retrieval functionality which could be used by an attacker to access passwords stored on the device.

CVE-2023-34441

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 authentication secrets, used with the Connect Password, are passed in cleartext with every request to the device. An attacker could steal the authentication secret from communication traffic to the device and reuse it for arbitrary requests.

CVE-2023-36857

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 accepts out-of-sequence messages from older communications. This could allow an attacker to replay older captured packets of traffic to the device to gain access.

Securing BN3500 with MetaDefender Industrial Firewall

MetaDefender Industrial Firewall is a cybersecurity solution designed specifically for industrial networks and the industrial control systems (ICS) that run in critical infrastructure environments. It works by monitoring network traffic and applying deep packet inspection (DPI) to identify and protect against cyberthreats, using a learning mode to understand normal network behavior before switching to a monitoring mode to detect anomalies. When threats are identified, MetaDefender Industrial Firewall can take action, such as blocking or alerting, to safeguard critical systems. Now let's dive deeper into how MetaDefender Industrial Firewall enhances the security of the BN3500 system.

MetaDefender Industrial Firewall categorizes the BN3500 protocol into four distinct policies:

  • Serial Read Only
  • Serial Read/Write
  • TDI Read Only
  • TDI Read/Write

In the below use case, MetaDefender Industrial Firewall permits only one device to access and read activity from the BN3500 system. All other connections are automatically blocked. Here's the policy breakdown:

[Screenshot: MetaDefender Industrial Firewall dashboard showing the network traffic table with IP addresses, port numbers, and status indicators]

Mitigating Risk

Because these vulnerabilities involve unauthorized access to the Bently Nevada 3500 System, MetaDefender Industrial Firewall's policy-based approach can play a crucial role in mitigating this risk. MetaDefender Industrial Firewall allows administrators to define strict policies that specify the allowed source and destination IP addresses and the permitted activities (such as Read, Read/Write, or Full Access).

With these policies in place, if an attacker attempts to access the Bently Nevada 3500 System TDI with different source IP addresses or activities that don't match the defined policies, MetaDefender Industrial Firewall will effectively block these unauthorized access attempts. This ensures that only legitimate connections from trusted sources with approved activities can interact with the system, significantly reducing the risk of unauthorized password retrieval.

In the specific case of CVE-2023-36857, which involves the acceptance of out-of-sequence messages, MetaDefender Industrial Firewall ensures that only properly sequenced messages are allowed. Any attempt to replay older captured packets or send out-of-sequence messages will be detected by MetaDefender Industrial Firewall and blocked, preventing attackers from gaining unauthorized access to the system.
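As an added illustration (not OPSWAT's code, and not the product's actual rule engine), the following Python sketches the two controls described above: an allowlist keyed on the source/destination pair and one of the four BN3500 policy categories, plus per-flow sequence tracking that rejects replayed or out-of-order messages. The IP addresses, the operation names and the sequence field are assumptions; the real TDI protocol framing is not modelled.

```python
from dataclasses import dataclass, field

# Constructed allowlist mirroring the use case above: one workstation (10.0.1.20, assumed)
# may only read from the BN3500 TDI interface (10.0.1.100, assumed); any other
# source/destination pair has no policy entry and is therefore blocked.
POLICIES = {("10.0.1.20", "10.0.1.100"): "TDI Read Only"}
READ_OPS, WRITE_OPS = {"read"}, {"write"}

@dataclass
class Verdict:
    allowed: bool
    reason: str

@dataclass
class Enforcer:
    policies: dict[tuple[str, str], str]
    # highest sequence number accepted so far, tracked per (src, dst) flow
    last_seq: dict[tuple[str, str], int] = field(default_factory=dict)

    def check(self, src: str, dst: str, op: str, seq: int) -> Verdict:
        policy = self.policies.get((src, dst))
        if policy is None:
            return Verdict(False, "no policy for this source/destination pair")
        if op not in READ_OPS | WRITE_OPS:
            return Verdict(False, f"unknown operation {op!r}")
        if op in WRITE_OPS and not policy.endswith("Read/Write"):
            return Verdict(False, f"{op} not permitted by policy '{policy}'")
        # Out-of-sequence check: a flow must present strictly increasing sequence
        # numbers; a repeated or older number is treated as a replayed packet.
        prev = self.last_seq.get((src, dst))
        if prev is not None and seq <= prev:
            return Verdict(False, f"out-of-sequence (seq {seq} <= last {prev}), possible replay")
        self.last_seq[(src, dst)] = seq
        return Verdict(True, f"allowed by policy '{policy}'")

def evaluate(enforcer: Enforcer, records: list[tuple[str, str, str, int]]) -> list[Verdict]:
    """Run each (src, dst, op, seq) record through the enforcer in arrival order."""
    return [enforcer.check(*rec) for rec in records]

# Constructed traffic: (src, dst, operation, sequence number)
SAMPLE = [
    ("10.0.1.20", "10.0.1.100", "read", 1),
    ("10.0.1.20", "10.0.1.100", "read", 2),
    ("10.0.1.20", "10.0.1.100", "write", 3),  # allowed host, but a write under Read Only
    ("10.0.1.55", "10.0.1.100", "read", 1),   # host with no policy entry
    ("10.0.1.20", "10.0.1.100", "read", 2),   # sequence number already seen: replay
]

for rec, v in zip(SAMPLE, evaluate(Enforcer(dict(POLICIES)), SAMPLE)):
    print("ALLOW" if v.allowed else "BLOCK", rec, "-", v.reason)
```

Note that the blocked write does not advance the flow's sequence counter, so a later packet reusing an already accepted number is still caught as a replay.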

Trusted globally to defend what’s critical, discover how MetaDefender Industrial Firewall can help secure your most essential assets.
