10 Unpatched Vulnerabilities Disclosed in Loytec Building Automation Solutions

The vulnerabilities can potentially be exploited to to take control of the targeted system and disable building security systems and alarms.

On December 5, 2023, industrial and operational technology security vendor TXOne Networks disclosed details of 10 unpatched vulnerabilities in building automation products made by Austrian company Loytec.

Context

According to reports, TXOne researchers discovered the vulnerabilities over two years ago.

According to reports, “The vulnerabilities are related to usernames and passwords being transmitted or stored in clear text, the lack of authentication, the exposure of admin passwords in a registry key, and the exposure of other potentially sensitive information.”

Security Week also noted that thus far, Loytec has been unresponsive to inquiries about the vulnerabilities.

Technical Details

According to reports, “the security holes impact LINX-212, LINX-151 and LIOB-586 programmable automation stations designed for controlling various building applications, LVIS-3ME12-A1 touch panels, the LWEB‑802 visualization tool, and the L-INX Configurator configuration tool.

An attacker — in some cases without authentication — could exploit the vulnerabilities to take control of the targeted system and disable building security systems and alarms.

However, exploiting some of the vulnerabilities is more complicated as it requires a man-in-the-middle (MitM) attack on the network or local access to the targeted product.”

TXOne provided additional details on the vulnerabilities to Security Week:

  • “CVE-2023-46380, CVE-2023-46382, CVE-2023-46383, and CVE-2023-46385 require a MitM position on the network to read sensitive data (cleartext password). On the other hand, CVE-2023-46382 doesn’t require any technical skills. If the web user interface of the preinstalled version of LWEB-802 is exposed to the internet, anyone could easily access and control it. We found some of the projects are exposed on the internet and accessible.
  • For CVE-2023-46387, CVE-2023-46389, these files could be easily accessed once an attacker is able to login as administrator. These files contain SMTP client credentials used for alert and report functions.
  • Only CVE-2023-46384 requires local access to the machine on which LINX Configurator is installed. Anyone who can locally access the machine could steal the password.”

Community Impact

Loytec provides automated facilities management, and is especially popular among telecommunications, retail, and healthcare organizations in Europe. Use cases on the company’s site include numerous office facilities in multiple European countries, suggesting that Loytec’s solutions are prominent in the European market for building automation.

Organizations in the retail, hospitality, and travel community are encouraged to determine whether they operate Loytec product, especially those affected by the disclosed vulnerabilities, and if so, to contact Loytec for mitigations and next steps.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.