CVE-2021-40661: Remote Unauthenticated Directory Traversal on IND780 OT System

By SidSecure | 24 October 2024

Summary: a remote unauthenticated directory traversal vulnerability was identified affecting the exposed web interfaces of IND780 Advanced Weighing Terminal Operation Technology (OT) Systems. This vulnerability could allow a remote unauthenticated adversary to access files on the affected system and perform further enumeration, which in turn could be abused to launch further attacks.

Affected OT system

Mettler Toledo is a multinational manufacturer of scales and analytical instruments. The affected system identified was the IND780 Advanced Weighing Terminal, a flexible terminal supporting weighing and control applications with serial, Ethernet, USB and fieldbus interfaces.

Vulnerability details

A remote, unauthenticated directory traversal was identified within the web interface used by IND780 terminals. It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter:

http://<hostname_or_ip>/IND780/excalweb.dll?webpage=../../AutoCE.ini

Search engine dorks ("excalweb.dll", inurl:excalweb.dll) revealed multiple OT instances accessible over the internet that appeared vulnerable. Confirmed affected builds included IND780 8.0.07 (March 2018) and 7.2.10 (June 2012); other versions may also be affected.
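To spot exploitation attempts of this flaw in web server logs, a defender can look for the 'webpage' parameter carrying `..` path segments, including percent-encoded and backslash variants. The following is an added example, not code from the advisory or the vendor; the log format (combined log format) and the sample lines are constructed, since the terminal's own log format is not described on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from a real device.
# Lines 2 and 3 carry the traversal payload from the advisory, plain and percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2024:10:00:01 +0000] "GET /IND780/excalweb.dll?webpage=home.htm HTTP/1.1" 200 512
203.0.113.9 - - [24/Oct/2024:10:00:02 +0000] "GET /IND780/excalweb.dll?webpage=../../AutoCE.ini HTTP/1.1" 200 2048
203.0.113.9 - - [24/Oct/2024:10:00:03 +0000] "GET /IND780/excalweb.dll?webpage=%2e%2e%2f%2e%2e%2fAutoCE.ini HTTP/1.1" 200 2048
10.0.0.7 - - [24/Oct/2024:10:00:04 +0000] "GET /IND780/excalweb.dll?webpage=status..htm HTTP/1.1" 200 300
"""

# Minimal combined-log-format parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True when the decoded value contains a '..' path segment (forward or back slashes)."""
    decoded = decode_fully(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def flag_traversal_requests(log_text):
    """Return (client, decoded webpage value, status) for requests that look like traversal
    attempts against the excalweb.dll 'webpage' parameter."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line; skip rather than guess
        target = match.group("target")
        if not target.lower().startswith("/ind780/excalweb.dll"):
            continue
        # parse_qs already applies one round of percent-decoding
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("webpage", []):
            if is_traversal(value):
                hits.append((match.group("client"), decode_fully(value), int(match.group("status"))))
    return hits


if __name__ == "__main__":
    for client, page, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: webpage={page} (HTTP {status})")
```

A status of 200 on a flagged request is the signal that matters: it indicates the file was actually served, not merely requested. The name `status..htm` in the sample is a legitimate-looking filename containing two dots and is deliberately not flagged, because only a whole `..` segment changes directory.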

[Figure: Proof of concept directory traversal on an affected IND780 OT system]

Impact and remediation

An adversary could read files on the affected system and enumerate the firmware and component versions in use to stage further attacks. Remediation: validate the 'webpage' parameter, reject any traversal attempt, and serve files only from a whitelisted folder. Other versions of the web interface should be checked for the same flaw.
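The remediation described above, as an added example that is not the vendor's code or part of the advisory: the 'webpage' value is rejected if it contains a `..` segment or is absolute, then resolved and checked for containment inside a single allowed folder before anything is read. The web root layout, file names and the `handle_request` wrapper are assumptions for illustration; a real server would have already percent-decoded the query string before this point.

```python
from pathlib import Path
import tempfile


class TraversalAttempt(ValueError):
    """Raised when the requested page would escape the allowed folder."""


def resolve_webpage(web_root, webpage):
    """Map the 'webpage' parameter onto a file strictly inside web_root, or raise."""
    root = Path(web_root).resolve()
    # Normalise Windows-style separators, then reject absolute paths and '..' segments
    # before touching the filesystem.
    normalized = webpage.replace("\\", "/")
    if normalized.startswith("/") or ".." in normalized.split("/"):
        raise TraversalAttempt(webpage)
    candidate = (root / normalized).resolve()
    # Containment check after resolve(): also catches symlinks and drive-letter tricks.
    if candidate != root and root not in candidate.parents:
        raise TraversalAttempt(webpage)
    if not candidate.is_file():
        raise FileNotFoundError(webpage)
    return candidate


def handle_request(web_root, webpage):
    """Hypothetical request handler: returns (status, body) for a 'webpage' value."""
    try:
        path = resolve_webpage(web_root, webpage)
    except TraversalAttempt:
        return 400, b"bad request"
    except FileNotFoundError:
        return 404, b"not found"
    return 200, path.read_bytes()


def demo():
    """Build a constructed web root in a temp dir and exercise the handler."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "IND780"              # the only folder files may be served from
        (root / "pages").mkdir(parents=True)
        (root / "pages" / "home.htm").write_text("<html>ok</html>")
        (base / "AutoCE.ini").write_text("[constructed]")  # sits outside the web root
        return {
            "legit": handle_request(root, "pages/home.htm")[0],
            "traversal": handle_request(root, "../../AutoCE.ini")[0],   # payload from the advisory
            "backslash": handle_request(root, "..\\AutoCE.ini")[0],
            "absolute": handle_request(root, str(base / "AutoCE.ini"))[0],
            "missing": handle_request(root, "pages/none.htm")[0],
        }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:10s} -> HTTP {status}")
```

The early string check gives a cheap, clear rejection for the common payloads; the containment check after `resolve()` is the one that actually guarantees nothing outside the web root is served, whatever the input looked like.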

CVE assignment

The issue was assigned CVE-2021-40661 and is listed by MITRE and NIST: nvd.nist.gov/vuln/detail/CVE-2021-40661.

This research was performed and responsibly disclosed by SidSecure. If you run internet-reachable OT or industrial systems and want them assessed, get in touch.
