Vulnerabilities Identified in Sensor Net Connect and Thermoscan IP Temperature Control Devices and Software
Multiple vulnerabilities have been identified in Proges Plus temperature monitoring devices and their associated software. The vulnerabilities affect the Sensor Net Connect temperature sensor device from the Pregres Plus-owned Plug&Track and the associated Thermoscan IP desktop application. The devices are used by pharmaceutical companies and hospitals for drug storage, where temperature needs to be carefully controlled.
The vulnerabilities were identified by researchers at Nozomi Network Labs, who tried to report the flaws to Proges Plus but never received a response. No patches have been released to fix the flaws at present and it is unclear when the vulnerabilities will be fixed. Nozomi Network Labs has disclosed limited details about the flaws to advise users of the devices and software about the risks, along with recommended mitigations to prevent exploitation of the flaws.
In total, 7 vulnerabilities were identified, four of which are in Sensor Net Connect and three are in Thermoscan IP, some of which can be chained to maximize the impact. The Sensor Net Connect vulnerabilities are a cross-site scripting flaw – CVE-2024-31199 which has a CVSS v3.1 score of 7.7; CVE-2024-3083, a cross-site request forgery flaw with a CVSS score of 6.6; CVE-2024-3082 – the plaintext storage of a password with a CVSS score of 4.2; and CVE-2024-31200 – an insertion of sensitive information into sent data issue with a CVSS score of 4.2.
The Thermoscan IP flaws are CVE-2024-31202 – an incorrect permission assignment for a critical resource with a CVSS score of 8.4; CVE-2024-31201 – an unquoted search path or element issue with a CVSS score of 6.2; and CVE-2024-31203 – a stack-based buffer overflow flaw with a CVSS score of 4.0.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The researchers provide examples of the types of attacks that could be conducted by exploiting the vulnerabilities. The most serious of the vulnerabilities is CVE-2024-31202 which could be exploited to perform Local Privilege Escalation (LPE) attacks. A user with basic access to the application, which could be an employee, a maintenance contractor, or a third-party application, could create new accounts and assign them administrative privileges. With administrative access, sensitive data could be exfiltrated or the integrity of the temperature monitoring system could be compromised. Log files could also be altered to hide any malicious activities.
The vulnerabilities could be exploited in a denial-of-service attack, resulting in changes to temperatures that could result in the spoilage of medicines and vaccines. Such an attack could result in the unavailability of critical medications and vaccines and substantial financial losses.
Until patches are released, the researchers recommend implementing strict access controls, including preventing regular clients from accessing the web configuration interface. Logs and accounts should also be monitored and reviewed to identify suspicious activities early, thus preventing or limiting the harm that can be caused.
