CVE-2021-40661: Remote Unauthenticated Directory Traversal on IND780 Operational Technology (OT) System

Summary:

A remote unauthenticated directory traversal vulnerability was identified in the exposed web interface of the Mettler Toledo IND780 Advanced Weighing Terminal, an Operational Technology (OT) system.

This vulnerability could allow a remote unauthenticated adversary to read files on the affected system and to enumerate the host further, for example to identify the software versions in use, which in turn could be used to stage further attacks.

Affected Operational Technology (OT) System:

Mettler Toledo is a multinational manufacturer of scales and analytical instruments. According to its Wikipedia description:

“It is the largest provider of weighing instruments for use in laboratory, industrial, and food retailing applications.”

https://en.wikipedia.org/wiki/Mettler_Toledo

The affected Operational Technology (OT) system is Mettler Toledo’s IND780 Advanced Weighing Terminal. According to Mettler Toledo’s product description:

“The IND780 is a highly flexible terminal capable of supporting simple to complex, stand-alone to integrated weighing and control applications. A wide range of communications interfaces are available, including serial, Ethernet, USB and a variety of fieldbuses.”

https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html

Figure 1: IND780 Advanced Weighing Terminal OT System

Vulnerability Details:

A remote, unauthenticated directory traversal vulnerability was identified in the web interface used by IND780 Advanced Weighing Terminals. It was possible to traverse the folders of the affected host by supplying a traversal path in the ‘webpage’ parameter of excalweb.dll, as shown in the example below:

http://<hostname_or_ip>/IND780/excalweb.dll?webpage=../../AutoCE.ini
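As an added example that is not part of the original advisory, the following Python scans web-server request logs for attempts to abuse the ‘webpage’ parameter of excalweb.dll. The log lines are constructed for this example (common log format), and the log format, the IP addresses, and the extra checks beyond the plain `../` case (double percent-encoding, backslashes and drive letters, which matter because the PoC reads AutoCE.ini, a Windows CE file) are assumptions about what an attacker might send rather than documented device behaviour.

```python
"""Flag IND780 'webpage' directory-traversal attempts in web-server request logs.

Added example, not part of the original advisory or of any Mettler Toledo code.
Assumes the request target is logged as it arrived (path plus query string);
the log lines below are constructed for this example.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (common log format); not real device logs.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2022:10:00:01 +0000] "GET /IND780/excalweb.dll?webpage=home.htm HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2022:10:00:02 +0000] "GET /IND780/excalweb.dll?webpage=../../AutoCE.ini HTTP/1.1" 200 340
198.51.100.7 - - [01/Jan/2022:10:00:03 +0000] "GET /IND780/excalweb.dll?webpage=%2e%2e%2f%2e%2e%2fAutoCE.ini HTTP/1.1" 200 340
198.51.100.7 - - [01/Jan/2022:10:00:04 +0000] "GET /IND780/excalweb.dll?webpage=..%255c..%255cAutoCE.ini HTTP/1.1" 404 0
192.0.2.9 - - [01/Jan/2022:10:00:05 +0000] "GET /IND780/excalweb.dll?webpage=setup/scale.htm HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded '..' (%252e%252e) is caught as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reason(webpage: str):
    """Return why a 'webpage' value looks like traversal, or None if it looks benign."""
    # Assumption: the target is a Windows CE host, so '\' is a path separator too.
    decoded = decode_fully(webpage).replace("\\", "/")
    if "\x00" in decoded:
        return "embedded NUL"
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        return "absolute path"
    if ".." in decoded.split("/"):
        return "dot-dot segment"
    return None


def scan_log(text: str):
    """Return (src, timestamp, webpage, reason, status) for each excalweb.dll request
    whose webpage parameter looks like a traversal attempt.  A 200 status on a
    flagged request suggests the traversal succeeded; a 404 is still an attempt."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/excalweb.dll"):
            continue
        # parse_qs percent-decodes once, as the web server would; decode_fully handles the rest.
        for webpage in parse_qs(url.query, keep_blank_values=True).get("webpage", []):
            reason = traversal_reason(webpage)
            if reason:
                hits.append((m["src"], m["ts"], webpage, reason, int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, ts, webpage, reason, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} webpage={webpage!r} -> {reason} (HTTP {status})")
```

The same `traversal_reason` check can be dropped into a WAF or IDS rule in front of the terminal; matching on the literal string `../` alone would miss the encoded and backslash variants in the sample.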

The following Google search dorks reveal multiple IND780 instances that are reachable over the internet and appear vulnerable to this issue:

  • “excalweb.dll”
  • inurl:excalweb.dll

The following screenshot displays a proof-of-concept example of this vulnerability on one of the affected OT hosts:

Figure 2: Proof-of-Concept Directory Traversal on an Affected IND780 OT System

Affected OT Systems:

This vulnerability was originally identified in the web interfaces of the following versions of the IND780 Advanced Weighing Terminal:

  • IND780 Advanced Weighing Terminal (Build 8.0.07, March 19, 2018) (SS Label “IND780_8.0.07”)
  • IND780 Advanced Weighing Terminal (Version 7.2.10, June 18, 2012) (SS Label “IND780_7.2.10”)

Figure 3: IND780 (Build 8.0.07, March 19, 2018)
Figure 4: IND780 (Version 7.2.10, June 18, 2012)

Given that both a 2012 and a 2018 build are affected, it is quite possible that other versions of the IND780 Advanced Weighing Terminal web interface are also affected, although this was not verified.

Possible Impact:

This vulnerability could allow a remote unauthenticated adversary to read files outside the intended web folder on the affected system. Beyond direct disclosure of configuration files, this lets the adversary fingerprint the host, for example identifying the firmware and software versions in use, in order to select and launch further attacks.

Remediation Suggestions:

  • Validate the ‘webpage’ parameter of the vulnerable URL shown above: decode it, reject any value that contains traversal sequences (including percent-encoded and backslash variants) or that is an absolute path, and serve files only from a single allow-listed folder, such as the folder in which the web interface’s accessible files are stored. Checking that the canonicalised path still lies inside that folder is more robust than pattern-matching the input alone.
  • Check whether other versions (including earlier ones) of the web interfaces used by the Advanced Weighing Terminal OT devices are affected by the same vulnerability, and apply the same remediation to any similar web interfaces found to be affected.
  • Until a fix is applied, do not expose the terminal’s web interface to the internet; restrict access to it at the network boundary, since the search dorks above show that such devices are routinely reachable.
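As an added example, not the vendor’s code (the logic of excalweb.dll is not public), the following Python shows the allow-listed-root check the first remediation point describes. The web root layout, the file names and the tempfile-based demo are assumptions made for the example; the backslash handling assumes a Windows CE target, which the PoC’s AutoCE.ini suggests.

```python
"""Hardened handling of a 'webpage'-style file parameter.

Added example, not Mettler Toledo's code.  Demonstrates the remediation in the
advisory: decode, reject traversal and absolute paths, then canonicalise and
require the result to stay inside one allow-listed web root.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalRejected(ValueError):
    """Raised when the requested page would resolve outside the web root."""


def resolve_webpage(web_root: str, webpage: str) -> str:
    """Return the absolute on-disk path for 'webpage', or raise TraversalRejected.

    1. Decode once more (the web server already decoded once), reject NULs.
    2. Treat backslashes as separators (assumed Windows CE target) and reject
       absolute paths and drive letters.
    3. Join onto the web root, canonicalise with realpath (follows symlinks),
       and require the result to stay inside the canonical root.
    """
    decoded = unquote(webpage)
    if not decoded or "\x00" in decoded:
        raise TraversalRejected("empty value or NUL byte in webpage")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise TraversalRejected("absolute path or drive letter not allowed")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath avoids the prefix bug where '/srv/www-secret' passes startswith('/srv/www').
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"{webpage!r} escapes the web root")
    return candidate


def is_allowed(web_root: str, webpage: str) -> bool:
    """Boolean wrapper around resolve_webpage, used by the demo and tests."""
    try:
        resolve_webpage(web_root, webpage)
        return True
    except TraversalRejected:
        return False


def demo():
    """Build a throwaway layout mirroring the PoC (two levels above the web root)
    and probe it with benign and hostile 'webpage' values.  Returns {probe: allowed}."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "IND780", "www")          # assumed layout
    os.makedirs(web_root)
    Path(web_root, "home.htm").touch()
    Path(base, "AutoCE.ini").touch()                         # outside the root, like the PoC target
    probes = [
        "home.htm",                    # benign
        "sub/../home.htm",             # dot-dot that stays inside the root: allowed
        "../../AutoCE.ini",            # the advisory's PoC
        "..\\..\\AutoCE.ini",          # backslash variant
        "%2e%2e/%2e%2e/AutoCE.ini",    # percent-encoded variant
        "/AutoCE.ini",                 # absolute path
        "C:\\AutoCE.ini",              # drive letter
    ]
    return {p: is_allowed(web_root, p) for p in probes}


if __name__ == "__main__":
    for probe, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} webpage={probe!r}")
```

Note that `sub/../home.htm` is allowed: the check is on where the canonical path ends up, not on the presence of `..`, which is what makes it robust against encoding tricks that a string filter would miss.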

CVE Assignment:

This vulnerability has been assigned the CVE ID CVE-2021-40661.

Update 31/10/2022: CVE-2021-40661 has now been officially accepted and published by MITRE and NIST:

  • https://nvd.nist.gov/vuln/detail/CVE-2021-40661
  • https://www.cve.org/CVERecord?id=CVE-2021-40661