CVE-2023-36609
📋 TL;DR
This vulnerability affects TBox RTUs running OpenVPN with root privileges. An attacker can set up a local OpenVPN server and push malicious scripts to gain root access on the TBox host. This impacts industrial control systems using vulnerable TBox RTUs.
💻 Affected Systems
- TBox RTUs
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the TBox RTU with root access, allowing attackers to disrupt industrial operations, manipulate control systems, or pivot to other network segments.
Likely Case
Local attackers gaining root privileges on the TBox RTU to execute arbitrary commands, potentially disrupting industrial processes or stealing sensitive data.
If Mitigated
Limited impact if network segmentation prevents local access to OpenVPN ports and script execution is restricted.
🎯 Exploit Status
Exploitation requires setting up a malicious OpenVPN server and convincing the TBox RTU to connect to it, which typically requires some level of network access or social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in advisory; contact vendor for patched versions
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03
Restart Required: Yes
Instructions:
1. Contact the TBox vendor for security updates.
2. Apply vendor-provided patches.
3. Restart affected TBox RTUs.
4. Verify OpenVPN no longer runs with root privileges.
🔧 Temporary Workarounds
Restrict OpenVPN Script Execution
Linux: Configure OpenVPN not to execute user-defined scripts, or run it with reduced privileges
Modify OpenVPN configuration to remove 'script-security' or set to lower level
Run OpenVPN as non-root user if possible
Network Segmentation
All platforms: Isolate TBox RTUs from untrusted networks and restrict OpenVPN connections
Configure firewall rules to limit OpenVPN connections to trusted servers only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate TBox RTUs from potential attackers
- Monitor OpenVPN connections and script execution for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check whether OpenVPN runs as root and accepts configuration scripts: run 'ps aux | grep openvpn' and review the OpenVPN config for its script-security setting
Check Version:
Contact vendor for specific version information; general system info: 'uname -a' and check device firmware version
Verify Fix Applied:
Verify that OpenVPN no longer runs as root and that script execution is disabled: 'ps aux | grep openvpn' should show a non-root user, and the config should set script-security to a restricted level
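A small POSIX shell check for the two conditions the verification steps above name (OpenVPN running as root, and a script-security level that allows script execution). It is an added example, not from the advisory or the vendor, and assumes the standard OpenVPN config syntax (script-security and user directives) and the 'ps aux' column layout.

```shell
#!/bin/sh
# Added example: assess an OpenVPN config and a ps listing for the conditions
# behind CVE-2023-36609 (root execution plus permitted script execution).

# Effective script-security level. OpenVPN defaults to 1 when the directive is
# absent; level 2 and above allow user-defined scripts to run.
script_security_level() {
    lvl=$(grep -E '^[[:space:]]*script-security[[:space:]]+[0-9]' "$1" \
          | tail -n 1 | awk '{print $2}')
    [ -n "$lvl" ] && echo "$lvl" || echo 1
}

# User the daemon drops to after startup ("user" directive); root if none.
config_runas_user() {
    u=$(grep -E '^[[:space:]]*user[[:space:]]+[^[:space:]]' "$1" \
        | tail -n 1 | awk '{print $2}')
    [ -n "$u" ] && echo "$u" || echo root
}

# VULNERABLE: scripts allowed and still root; REDUCED: one of the two; OK: neither.
assess_config() {
    lvl=$(script_security_level "$1")
    u=$(config_runas_user "$1")
    if [ "$lvl" -ge 2 ] && [ "$u" = root ]; then echo VULNERABLE
    elif [ "$lvl" -ge 2 ] || [ "$u" = root ]; then echo REDUCED
    else echo OK; fi
}

# Count openvpn processes owned by root in saved 'ps aux' output
# (field 1 = USER, field 11 = COMMAND).
root_openvpn_count() {
    awk '$1 == "root" && $11 ~ /(^|\/)openvpn$/ { n++ } END { print n+0 }' "$1"
}

# Usage: sh check.sh /etc/openvpn/client.conf [ps-aux-output.txt]
if [ $# -ge 1 ]; then
    echo "config verdict: $(assess_config "$1")"
    [ $# -ge 2 ] && echo "root openvpn processes: $(root_openvpn_count "$2")"
fi
```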
📡 Detection & Monitoring
Log Indicators:
- OpenVPN connections from unexpected sources
- Script execution via OpenVPN push commands
- Root privilege escalation attempts
Network Indicators:
- Unexpected OpenVPN server connections from TBox RTUs
- Suspicious network traffic to/from TBox RTU OpenVPN ports
SIEM Query:
(source="TBox" AND process="openvpn" AND user="root") OR (event="script_execution" AND source="openvpn")