CVE-2017-14728
Description
Use of hard-coded credentials in Orpak SiteOmat BOS allows remote attackers to authenticate without authorization, leading to full system compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Use of hard-coded credentials (CWE-798) in Orpak SiteOmat BOS allows remote attackers to authenticate without authorization. The application utilizes hard-coded username and password credentials for application login, affecting all SiteOmat BOS versions prior to a patched release [1]. The advisory notes that the software does not force administrators to switch passwords, leaving SSH and HTTP remote authentication open to public exploitation.
Exploitation
An attacker can exploit this vulnerability remotely without any prior authentication or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N). By simply using the hard-coded credentials, the attacker gains access to the web and SSH interfaces. No special privileges or network position is required beyond network access to the affected system.
Impact
Successful exploitation results in unauthorized access to view and edit monitoring, configuration, and payment information. The advisory warns that this could lead to arbitrary remote code execution and denial-of-service conditions, potentially compromising the entire fuel station management system [1].
Mitigation
Orpak has released software updates to address the vulnerability; consult the vendor for the specific patched version. As a workaround, administrators should change all default passwords immediately. The advisory recommends updating to the latest version of SiteOmat BOS [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Orpak/SiteOmat
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.orpak.com/allproducts/siteomat-station-controller-sw/ (nvd: Product, Vendor Advisory)
- www.securityfocus.com/bid/108167 (nvd: Third Party Advisory, VDB Entry)
- ics-cert.us-cert.gov/advisories/ICSA-19-122-01 (nvd: Third Party Advisory, US Government Resource)
News mentions
No linked articles in our index yet.