Osprey Pump Controller 1.0.1 Authentication Bypass Credentials Modification

Title: Osprey Pump Controller 1.0.1 Authentication Bypass Credentials Modification
Advisory ID: ZSL-2023-5752
Type: Local/Remote
Impact: Privilege Escalation, Security Bypass, Manipulation of Data, System Access, DoS
Risk: (5/5)
Release Date: 27.02.2023

Summary

Providing pumping systems and automated controls forgolf courses and turf irrigation, municipal water and sewer,biogas, agricultural, and industrial markets. Osprey: door-mounted,irrigation and landscape pump controller.

Technology hasn\’t changed dramatically on pump and electric motorsin the last 30 years. Pump station controls are a different story.More than ever before, customers expect the smooth and efficientoperation of VFD control. Communications—monitoring, remote control,and interfacing with irrigation computer programs—have become commonrequirements. Fast and reliable accessibility through cell phoneshas been a game changer.

ProPump & Controls can handle any of your retrofit needs, from upgradingan older relay logic system to a powerful modern PLC controller, toconverting your fixed speed or first generation VFD control system tothe latest control platform with communications capabilities.

We use a variety of solutions, from MCI-Flowtronex and Watertronicspackage panels to sophisticated SCADA systems capable of controllingand monitoring networks of hundreds of pump stations, valves, tanks,deep wells, or remote flow meters.

User friendly system navigation allows quick and easy access to allcritical pump station information with no password protection unlessrequested by the customer. Easy to understand control terminology allowsany qualified pump technician the ability to make basic changes withoutsupport. Similar control and navigation platform compared to one of themost recognized golf pump station control systems for the last twentyyears make it familiar to established golf service groups nationwide.Reliable push button navigation and LCD information screen allows theuse of all existing control panel door switches to eliminate the commonproblems associated with touchscreens.

Global system configuration possibilities allow it to be adapted tovirtually any PLC or relay logic controlled pump stations being used inthe industrial, municipal, agricultural and golf markets that operatevariable or fixed speed. On board Wi-Fi and available cellular modemoption allows complete remote access.

Description

A vulnerability has been discovered in the web panel of Osprey pumpcontroller that allows an unauthenticated attacker to create an accountand bypass authentication, thereby gaining unauthorized access to thesystem. The vulnerability stems from a lack of proper authenticationchecks during the account creation process, which allows an attackerto create a user account without providing valid credentials. An attackerwho successfully exploits this vulnerability can gain access to the pumpcontroller\’s web panel, and cause disruption in operation, modify data,change other usernames and passwords, or even shut down the controllerentirely.

The attacker can leverage their unauthorized access to thesystem to carry out a variety of malicious activities, including:Modifying pump settings, such as flow rates or pressure levels, causingdamage or loss of control, stealing sensitive data, such as system logsor customer information, changing passwords and other user credentials,potentially locking out legitimate users or allowing the attacker tomaintain persistent access to the system, disabling or shutting downthe controller entirely, potentially causing significant disruption tooperations and service delivery.

Vendor

ProPump and Controls, Inc. – https://www.propumpservice.com | https://www.pumpstationparts.com

Affected Version

Software Build ID 20211018, Production 10/18/2021
Mirage App: MirageAppManager, Release [1.0.1]
Mirage Model 1, RetroBoard II

Tested On

Apache/2.4.25 (Raspbian)
Raspbian GNU/Linux 9 (stretch)
GNU/Linux 4.14.79-v7+ (armv7l)
Python 2.7.13 [GCC 6.3.0 20170516]
GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git
PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)

Vendor Status

[05.01.2023] Vulnerabilities discovered.
[07.01.2023] Vendor contacted.
[09.01.2023] No response from the vendor.
[10.01.2023] Vendor contacted.
[10.01.2023] CISA contacted through CVD.
[10.01.2023] Submitted to VINCE.
[12.01.2023] CISA/VINCE asked for more details.
[13.01.2023] Provided PoCs to CISA.
[13.01.2023] Provided PoCs to VINCE and discovered XSS in VINCE.
[26.01.2023] No response from VINCE.
[26.01.2023] CISA closes incident: INC000010422052. NCISS Score: Baseline – Negligible (White). A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. No further actions required by CISA.
[26.02.2023] No response from the vendor.
[27.02.2023] Public security advisory released.

PoC

osprey_auth.py

Credits

Vulnerability discovered by Gjoko Krstic – <gjoko@zeroscience.mk>

References

[1] https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss

Changelog

[27.02.2023] – Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk

Source: php.2575-3202-LSZ/seitilibarenluv/ne/km.ecneicsorez.www