The Cybersecurity and Infrastructure Security Agency (CISA) gave the Orpak SiteOmat software a vulnerability severity rating of 9.8 out of 10, revealing that it has several security vulnerabilities that require “low skill” to exploit. Some of the flaws include "use of hard-coded credentials, cross-site scripting, SQL injection, missing encryption of sensitive data, code injection and stack-based buffer overflow."
The software tracks the amount of fuel stored in a gas station’s tanks, including temperature and pressure. It also sets the price of the gas, and processes card payments. However, while the user interface is password protected, CISA explained that the software also had a hard-coded password set by the manufacturer, which could easily give a hacker access to the system configuration. Once in the system, a cybercriminal could do anything from accessing payment information to shutting down the system entirely.
In addition, CISA stated that the Orpak SiteOmat software has several other flaws that can be remotely exploited, including code injection and buffer overflow vulnerabilities.
"Successful exploitation of these vulnerabilities could result in arbitrary remote code execution, resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration and payment information," the advisory explained.
The flaws were discovered by Ido Naor, a security researcher with Kaspersky Lab. This is the second time he has been credited with finding a security issue. Last year, he found (along with his colleague Amihai Neiderman) the same issues in the SiteOmat, including another hard-coded password.
CISA noted that the bugs had been fixed by the company in a new software version, but customers must request the update from Orpak directly. A spokesperson for its parent company Gilbarco Veeder-Root did not immediately return a request for comment, according to reports.