CVE-2017-14728

9.8 CRITICAL

📋 TL;DR

CVE-2017-14728 is an authentication bypass vulnerability in SiteOmat BOS software that allows attackers to bypass authentication mechanisms and gain unauthorized access. All SiteOmat BOS versions prior to the exploit submission are affected, and the system doesn't enforce password changes, leaving SSH and HTTP authentication vulnerable.

💻 Affected Systems

Products:
  • SiteOmat BOS (Station Controller Software)
Versions: All versions prior to exploit submission (specific version unknown)
Operating Systems: Unknown - Likely embedded/industrial OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all SiteOmat BOS installations with default configurations. The exact vulnerable component is unspecified in the source code.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to gain administrative access, manipulate station controller operations, and potentially disrupt critical infrastructure operations.

🟠 Likely Case

Unauthorized access to the SiteOmat system allowing configuration changes, data theft, and potential manipulation of station controller functions.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - The vulnerability affects both SSH and HTTP authentication, making internet-facing systems particularly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Even internally, the authentication bypass allows unauthorized access to critical station controller systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypass vulnerabilities typically have low exploitation complexity. The CWE-798 classification (Use of Hard-coded Credentials) suggests hard-coded credentials or predictable authentication mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - Contact Orpak for updated versions

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-19-122-01

Restart Required: Yes

Instructions:

1. Contact Orpak support for patched version
2. Backup current configuration
3. Apply vendor-provided patch
4. Restart system
5. Verify authentication mechanisms

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate SiteOmat systems from untrusted networks and implement strict firewall rules

Access Control Restrictions (platform: linux)

Implement IP whitelisting and restrict SSH/HTTP access to authorized IPs only

iptables -A INPUT -p tcp --dport 22 -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation and zero-trust architecture around SiteOmat systems
  • Enable comprehensive logging and monitoring for authentication attempts and system access

🔍 How to Verify

Check if Vulnerable:

Check SiteOmat version against vendor advisory. Test authentication mechanisms for bypass possibilities.

Check Version:

Contact Orpak support or check system documentation for version information

Verify Fix Applied:

Verify with vendor that patched version is installed. Test authentication mechanisms to ensure proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful access
  • Unusual SSH or HTTP access patterns
  • Authentication logs showing bypass patterns

Network Indicators:

  • Unusual SSH/HTTP traffic to SiteOmat systems
  • Authentication requests from unexpected sources

SIEM Query:

source="siteomat" AND (event_type="auth" OR event_type="access") AND result="success" AND (src_ip NOT IN [authorized_ips])
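
The same logic as the query and the first log indicator above, written as an offline triage script. This is an added example, not vendor or advisory code: the event layout, the allowlisted network, the failure threshold and the sample events are all constructed; only the field names (source, event_type, result, src_ip) come from the SIEM query.

```python
"""Added example: offline triage of SiteOmat auth/access events (constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: management stations live in this documentation range.
AUTHORIZED_NETS = [ip_network("192.0.2.0/28")]
# Assumption: this many failures before a success is worth an analyst's time.
FAIL_THRESHOLD = 3

# Constructed sample events: (ts, source, event_type, result, src_ip).
_RAW = [
    (100, "siteomat", "auth", "success", "192.0.2.5"),
    (110, "siteomat", "auth", "failure", "192.0.2.7"),
    (111, "siteomat", "auth", "failure", "192.0.2.7"),
    (112, "siteomat", "auth", "failure", "192.0.2.7"),
    (113, "siteomat", "auth", "success", "192.0.2.7"),
    (120, "siteomat", "access", "success", "203.0.113.9"),
    (130, "other", "auth", "success", "198.51.100.1"),
]
FIELDS = ("ts", "source", "event_type", "result", "src_ip")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in _RAW]


def is_authorized(ip):
    """True if ip falls inside one of the allowlisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in AUTHORIZED_NETS)


def triage(events):
    """Return (ts, src_ip, reason) alerts in time order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failures per source IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "siteomat" or ev["event_type"] not in ("auth", "access"):
            continue
        ip = ev["src_ip"]
        if ev["result"] != "success":
            failures[ip] += 1
            continue
        if not is_authorized(ip):  # mirrors: src_ip NOT IN [authorized_ips]
            alerts.append((ev["ts"], ip, "success_from_unauthorized_ip"))
        if failures[ip] >= FAIL_THRESHOLD:  # failures followed by success
            alerts.append((ev["ts"], ip, "success_after_failures"))
        failures[ip] = 0  # a success ends the failure streak
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

With hard-coded or unchanged default credentials a first login attempt can succeed, so the source allowlist check is the one that does not depend on preceding failures.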
