CVE-2023-28398

9.8 CRITICAL

📋 TL;DR

CVE-2023-28398 allows unauthenticated attackers to create accounts and bypass authentication on Osprey Pump Controller version 1.01, gaining unauthorized access to industrial control systems. This affects organizations using this specific pump controller version in water/wastewater, industrial, or critical infrastructure environments.

💻 Affected Systems

Products:
  • Osprey Pump Controller
Versions: Version 1.01
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: This is an industrial control system (ICS) device used in critical infrastructure. Default configuration appears vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover allowing threat actors to disrupt pump operations, modify critical parameters, cause physical damage to equipment, or shut down essential water/wastewater services.

🟠 Likely Case

Unauthorized access leading to operational disruption, data manipulation, or temporary service interruption in affected pump control systems.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to the vulnerable interface.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated exploitation, making internet-exposed systems immediately vulnerable to attack.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the controller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability description suggests that exploitation is trivial: accounts can be created without any authentication. No specific exploit code is publicly documented in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with vendor for updated version

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06

Restart Required: Yes

Instructions:

1. Contact the Osprey vendor for patched firmware.
2. Back up the current configuration.
3. Apply the firmware update following the vendor's instructions.
4. Restart the controller.
5. Verify that authentication controls are functioning.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate the pump controller on a separate VLAN with strict firewall rules that prevent external access.

Access Control Lists (all)

Implement IP-based restrictions so that only authorized management stations can reach the controller interface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate controller from untrusted networks
  • Deploy network monitoring and intrusion detection for authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check the device version via the web interface or serial console. If the version is 1.01 and the device allows account creation without authentication, it is vulnerable.

Check Version:

Check via the device web interface or vendor-specific CLI commands.

Verify Fix Applied:

Attempt to create an account without valid credentials. After a successful fix, account creation should require proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Unusual account creation events
  • Authentication bypass attempts
  • Access from unauthorized IP addresses

Network Indicators:

  • HTTP POST requests to account creation endpoints without authentication
  • Unusual traffic patterns to pump controller

SIEM Query:

source="pump-controller" AND (event_type="account_creation" OR auth_result="bypass")
