Tuesday, 03 October, 2023

Nozomi discovers flaws in Baker Hughes machinery protection systems

Nozomi Networks has identified three vulnerabilities on the Bently Nevada 3500 rack model manufactured by Baker Hughes, a company that develops and deploys technology solutions for energy and industrial companies. These protection systems are typically installed in environments such as refineries, petrochemical plants, hydroelectric facilities and wind farms to detect and prevent anomalies in rotating machinery like turbines, compressors, motors and generators.

Nozomi Networks stressed that one of these vulnerabilities may allow an attacker to bypass the authentication process and obtain complete access to the device simply by crafting and sending a malicious request. Because no patch is planned due to legacy limitations, technical details have deliberately been omitted from the alert. By raising awareness about these vulnerabilities, Nozomi Networks says it aims to empower industrial organisations to proactively take steps to fortify their critical infrastructure against potential threats.


The Bently Nevada 3500 system is composed of a chassis that supports the installation of several expansion modules. Ethernet-based communication is handled through the Transient Data Interface (TDI /22), which was the main focus of Nozomi Networks’ research. Information is exchanged between the device and the 3500 System Configuration utility using a clear-text proprietary protocol.

The rack was configured with password protection at both the access level (‘Connect Password’) and the configuration level (‘Configuration Password’) to simulate a realistic scenario where both protections are enabled. The proprietary protocol was then analysed and reverse-engineered to identify possible weaknesses at both the design level and the implementation level. This analysis led the Nozomi Networks Labs team to discover three additional vulnerabilities that were subsequently disclosed to the vendor.

Bently Nevada vulnerabilities

High risk
  • CVE-2023-34437: Exposure of Sensitive Information to an Unauthorised Actor

To exploit CVE-2023-34437 (Exposure of Sensitive Information to an Unauthorised Actor), an attacker needs only network access to a target device running a version in which the vulnerability is present; the attacker can then exfiltrate both the ‘Connect’ and the ‘Configuration’ passwords by sending a malicious request. If no additional hardening measure is in place for the device, this information can be accessed and abused to fully compromise the machinery. This could impact the confidentiality, integrity and availability of processes and operations, since the extracted information can be leveraged to craft authenticated requests towards the target.

Medium risk
  • CVE-2023-34441: Cleartext Transmission of Sensitive Information
  • CVE-2023-36857: Authentication Bypass by Capture-replay

CVE-2023-34441 (Cleartext Transmission of Sensitive Information) and CVE-2023-36857 (Authentication Bypass by Capture-replay) require that an attacker gains access to one or more requests captured from a data transmission. Such a scenario might occur either as a consequence of a man-in-the-middle attack, or by gaining access to verbose traces recorded by traffic inspection solutions. In terms of impact, CVE-2023-34441 was evaluated to have a higher severity than CVE-2023-36857 because all authenticated requests contain the same secret key to authenticate access, even if they belong to different sessions. This means that keys extracted from one packet can be used to craft additional arbitrary authenticated requests towards the target for an indefinite amount of time, since the key is not tied in time to a specific session.
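The design weakness described above, contrasted with a session-bound scheme, as an added example that is not from Nozomi Networks or Baker Hughes and does not model the undisclosed 3500 protocol. The class names, message fields and key are hypothetical; the hardened side uses a per-session nonce, a rising counter and an HMAC tag so that a recorded request cannot be reused.

```python
import hashlib
import hmac
import secrets

def sign(key: bytes, nonce: bytes, counter: int, command: bytes) -> bytes:
    return hmac.new(key, nonce + counter.to_bytes(8, "big") + command, hashlib.sha256).digest()

class StaticKeyDevice:  # weak pattern: the same secret travels in every request
    def __init__(self, key: bytes):
        self._key = key
    def handle(self, req: dict) -> bool:
        return hmac.compare_digest(req["key"], self._key)

class SessionBoundDevice:
    """Hardened pattern: the key never goes on the wire, only a tag bound to a session."""
    def __init__(self, key: bytes):
        self._key = key
        self._last = {}  # session nonce -> last accepted counter
    def open_session(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._last[nonce] = 0
        return nonce
    def close_session(self, nonce: bytes) -> None:
        self._last.pop(nonce, None)
    def handle(self, req: dict) -> bool:
        last = self._last.get(req["nonce"])
        if last is None or req["counter"] <= last:
            return False  # unknown or closed session, or counter already used
        expected = sign(self._key, req["nonce"], req["counter"], req["command"])
        if not hmac.compare_digest(req["tag"], expected):
            return False  # tag does not cover this nonce/counter/command
        self._last[req["nonce"]] = req["counter"]
        return True

def demo() -> dict:
    key, cmd = b"constructed-demo-key", b"read-status"  # constructed sample values
    weak = StaticKeyDevice(key)
    seen = {"key": key, "command": cmd}  # request as it would sit in a traffic capture
    out = {"weak_replay": weak.handle(seen) and weak.handle(dict(seen)),
           "weak_new_command": weak.handle({"key": seen["key"], "command": b"other"})}
    strong = SessionBoundDevice(key)
    nonce = strong.open_session()
    req = {"nonce": nonce, "counter": 1, "command": cmd, "tag": sign(key, nonce, 1, cmd)}
    out["strong_first"] = strong.handle(req)
    out["strong_replay"] = strong.handle(req)  # same counter presented again
    out["strong_retagged"] = strong.handle(dict(req, counter=2, command=b"other"))
    strong.close_session(nonce)
    out["strong_after_close"] = strong.handle(req)  # recorded request, session gone
    return out
```

With the static key, a recorded request authenticates again and also authenticates a different command; with the session-bound tag, the same recorded request is rejected on replay, on modification and after the session ends.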

All these vulnerabilities were confirmed to be affecting firmware versions up to 5.05 and later of the /22 TDI Module (both USB and Serial version).

Recommended mitigations

As part of the responsible disclosure process based on vulnerabilities reported by Nozomi Networks, Bently Nevada promptly provided customers with guidelines for hardening, suggesting possible ways to reduce impacts to 3500 systems in use. These principles include the following suggestions, which could also be applied to reduce the severity of impacts from similar vulnerabilities:

  • RUN Mode vs CONFIG Mode: PLCs and control systems often implement physical keys to either put the device in RUN Mode or in CONFIG Mode. The latter is typically used by technicians during maintenance activities to enable writing permission of new configurations on the device. One common misconfiguration that might occur is to either forget to put the device back into RUN Mode after a maintenance activity or opt for a default always-on CONFIG Mode to facilitate remote changes. A best practice is to make sure that devices are always kept in RUN Mode whenever possible.
  • Network segmentation: Design and implement proper network segmentation strategies to prevent unauthorised parties from interacting with critical assets. This is especially recommended for legacy solutions that are no longer actively supported by vendors.
  • Strong and unique passwords: Choose credentials that are both robust and unique. Uniqueness is often underestimated, but it provides a defence in scenarios where credentials extracted from a vulnerable machine or component could otherwise be easily reused against fully patched systems sharing the same credentials.
  • Non-default enhanced security features: Check the device manual for security features that are not enabled by default. Often, these additional features could strongly reduce the likelihood or the impact of a specific vulnerability and mitigate ‘hard-to-patch’ situations. With respect to Bently Nevada devices, Nozomi Networks recommends customers review the various security levels made available through the configuration utility and choose the one that matches specific needs and security policies.


The vulnerabilities affecting Bently Nevada 3500 System machinery remain unpatched by the vendor. In the most severe scenario, these flaws may allow an attacker to fully compromise the device and alter its internal configuration, potentially leading to either incorrect measurements from monitored machines or denial-of-service attacks.

Nozomi Networks also reviewed some effective ways to harden operational technology (OT) devices to significantly reduce the impact associated with these newly discovered and disclosed vulnerabilities. For further information, it recommends asset owners review the hardening guidelines provided by Baker Hughes to confirm or improve the security posture of their operations.

