08/08/17 Updated 02/04/19

Security notification

Remote access vulnerabilities in Pluto-platform

Overview

The Pluto software team, within Marel's Innovation department, has created a security update that addresses the remote access vulnerabilities in Marel applications running on the Pluto platform. The update makes it possible to restrict remote access to each target through network port configuration.

Recommendations

Marel recommends setting up a software firewall on each target that blocks all network ports except the ones needed in your system environment.

Background

The Pluto platform is a Linux-based application framework on which standard Marel applications are built. It provides common services and configures the behaviour of the system.

One way to service Marel applications remotely is to use tools such as VNC. Until now, remote access via VNC has been unrestricted.

Vulnerability details

Pluto-based applications have been running with unrestricted network access for tools such as VNC, so a user could obtain remote access to a Marel application without entering a user name or password. A remote attacker can use this to gain unauthorized administrative access to affected devices.

The recommended update restricts remote access to SSH (Secure Shell), which requires a user name and password. SSH is a cryptographic network protocol for operating network services securely over an unsecured network.

Security update

The following procedure is needed to configure a firewall on Marel applications:

  • Software update: install the newest iptables package and a Linux kernel that supports iptables.
  • Configure the firewall: the firewall is configured by blocking all network ports on the target except the ones used in the application environment. An appropriate iptables configuration has to be set up for each application environment.
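The script below is an added example of the default-deny configuration described in the procedure above; it is not part of the Marel update and not Marel's own code. It generates an iptables-restore ruleset in which every inbound port is blocked except an explicit allowlist, SSH can optionally be limited to a maintenance subnet, and VNC (tcp/5900) is simply absent from the list. The port numbers, the 10.0.0.0/24 maintenance subnet and the script name are assumptions chosen for illustration; the real allowlist depends on each application environment.

```shell
#!/bin/sh
# Added example (not Marel's code): build a default-deny iptables ruleset for
# a Pluto target. Inbound traffic is dropped unless it matches an allowlist
# entry of the form proto:port or proto:port@source-cidr.
# All ports, subnets and names below are assumptions for illustration.

# gen_ruleset tcp:22@10.0.0.0/24 tcp:8080 udp:161
#   -> iptables-restore text on stdout, exit 1 on a malformed entry
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default policy: drop inbound
    printf '%s\n' ':FORWARD DROP [0:0]'      # the target is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the target opened itself
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Rate-limited ping so the device can still be reached for diagnostics
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for entry in "$@"; do
        src=""
        case "$entry" in
            *@*) src=${entry#*@}; entry=${entry%@*} ;;
        esac
        proto=${entry%%:*}
        port=${entry#*:}
        case "$proto" in
            tcp|udp) ;;
            *) printf 'gen_ruleset: bad protocol in "%s"\n' "$entry" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) printf 'gen_ruleset: bad port in "%s"\n' "$entry" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            printf 'gen_ruleset: port out of range in "%s"\n' "$entry" >&2; return 1
        fi
        if [ -n "$src" ]; then
            # Only the named subnet may open this port (e.g. SSH from the service LAN)
            printf '%s\n' "-A INPUT -s $src -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    # Log what gets dropped (rate-limited) so a forgotten application port
    # shows up in syslog instead of failing silently
    printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "PLUTO-FW-DROP: " --log-level 4'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# ruleset_allows RULESET PROTO PORT -> exit 0 if the ruleset opens PROTO/PORT
# Used to verify before applying that SSH is open and VNC is not.
ruleset_allows() {
    printf '%s\n' "$1" | grep -qF -- "-p $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# Usage (as root, from a console session, not over the SSH you are about to filter):
#   sh pluto-fw.sh --apply tcp:22@10.0.0.0/24 tcp:8080
if [ "${1:-}" = "--apply" ]; then
    shift
    rules=$(gen_ruleset "$@") || exit 1
    ruleset_allows "$rules" tcp 22 || { echo "refusing: SSH would be blocked" >&2; exit 1; }
    printf '%s\n' "$rules" | iptables-restore
fi
```

The script refuses to apply a ruleset that would lock SSH out, and the generated text can be reviewed with a plain `gen_ruleset ... | less` before anything touches the kernel. Two caveats: the conntrack match (`-m conntrack --ctstate`) needs the conntrack modules; on older kernels the equivalent is `-m state --state`. And the rules are not persistent by themselves; they have to be saved (for example with `iptables-save`) and reloaded at boot by whatever init mechanism the target uses.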

The configuration of the firewall is only intended for service specialists trained in Marel solutions.

Support

For questions or concerns regarding the vulnerabilities or mitigations please send email to pluto-support@marel.com

Security notification

Hardcoded passwords, unrestricted upload vulnerabilities in M3000

Overview

The M3000 terminals ship with services such as FTP and Telnet and can be connected to a remote viewer called M3000 Desktop. These services allow unauthorized access to the M3000 device for command and control, which could let a remote attacker gain unauthorized access to affected devices.

Recommendations

Marel reports that all M3000 terminal-based products reached end-of-life in July 2012 and will therefore not release product fixes for the identified vulnerabilities.

Marel recommends that users protect network access to these devices with appropriate mechanisms (e.g., firewalls, VPN):

  • Minimize network exposure for all control system devices. Critical devices should never directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as VPN.

Background

The M3000 terminal is a hardware controller released in 1997 that has been used to run application solutions since then. Its end-of-life was announced in July 2012.

Vulnerability details

A remote attacker does not have to enter a valid user name or password to gain access to the M3000 terminal through FTP, Telnet, or a remote viewer such as M3000 Desktop.

Support

For questions or concerns regarding the vulnerabilities or mitigations please send email to pluto-support@marel.com
