CVE-2023-39463
📋 TL;DR
This vulnerability in Triangle MicroWorks SCADA Data Gateway allows authenticated remote attackers to bypass authentication and upload arbitrary files, leading to remote code execution with SYSTEM privileges. It affects installations using the trusted certification feature. Industrial control systems using this SCADA gateway are at risk.
💻 Affected Systems
- Triangle MicroWorks SCADA Data Gateway
📦 What is this software?
SCADA Data Gateway by Triangle MicroWorks
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling an attacker to disrupt industrial operations, steal sensitive data, or pivot to other critical systems.
Likely Case
Unauthorized file upload leading to remote code execution, potentially disrupting SCADA operations and compromising industrial control systems.
If Mitigated
Limited impact with proper network segmentation, authentication controls, and monitoring in place to detect exploitation attempts.
🎯 Exploit Status
Exploitation requires bypassing authentication, but the technique is documented: the ZDI advisory provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.0.34 and later
Vendor Advisory: https://www.trianglemicroworks.com/products/scada-data-gateway/what's-new
Restart Required: Yes
Instructions:
1. Download the latest version from the Triangle MicroWorks website.
2. Back up the current configuration.
3. Install the update following the vendor instructions.
4. Restart the service/system.
5. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Disable Trusted Certification Feature
Platform: Windows. Temporarily disable the vulnerable trusted certification functionality if it is not required for operations.
Consult the vendor documentation for the specific configuration steps to disable the OpcUaSecurityCertificateAuthorityTrustDir functionality.
Network Segmentation
Platform: all. Isolate the SCADA Data Gateway from untrusted networks and implement strict firewall rules.
Configure the firewall to restrict access to SCADA Data Gateway ports to authorized IPs only.
🧯 If You Can't Patch
- Implement strict network segmentation and access controls to limit exposure
- Enable detailed logging and monitoring for file upload attempts and authentication bypass patterns
🔍 How to Verify
Check if Vulnerable:
Check the installed version of SCADA Data Gateway. If the version is below 5.1.0.34 and the trusted certification feature is enabled, the system is vulnerable.
Check Version:
Check the application version in the About dialog or in the installation directory's file properties.
Verify Fix Applied:
Verify that the version is 5.1.0.34 or higher, and test the trusted certification functionality to confirm that uploaded files are properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to trusted certification directory
- Authentication bypass attempts
- Unexpected process execution with SYSTEM privileges
Network Indicators:
- Unusual traffic to SCADA Data Gateway authentication endpoints
- File upload requests to certification endpoints
SIEM Query:
source="scada_gateway" AND (event="file_upload" OR event="auth_bypass" OR process="unexpected_executable")