Applicable Model(s): cMT Series
Title: cMT EasyWeb V1 Security Fixes
Date: 06/03/2021
Rev: 00
P/N: 0907-5139

Summary

According to ICSA-21-082-01, security issues were found in EasyWeb V1.1 on cMT devices. EasyWeb provides the configuration web interface for cMT devices.

If these devices are exposed to an open network, as in the example below, we strongly suggest that customers disconnect the device from the network and upgrade the operating system (OS).

If these devices are not connected to an open network, they may not be affected, but we still suggest that customers upgrade the OS.

A device is said to be exposed to an open network if it can be accessed by a public IP (meaning an IP address NOT like 192.168.x.y, 172.16.x.y through 172.31.x.y, or 10.x.y.z). For example, you can directly access the device from your home using the firewall's IP address.

In the example below, it can be accessed by typing http://1.2.3.4:80 in the web browser. Note that the firewall must have been configured to allow this operation.

Figure: A device accessible from the Internet (the firewall is configured to forward the packet).


Description

A remote attacker may gain access to the system or remotely execute commands without authentication via the web server whose version is below v1.2.

If the device is connected to an open network, we strongly suggest that customers:

  • Disconnect the device from the open network.
  • Upgrade the OS of the device.
  • (Optional) Use EasyAccess 2.0 (our secured VPN service) to access the device so there is no need to expose the device directly to the Internet. EasyAccess 2.0 is a VPN-based remote access solution providing secure connections between PC/Android/iOS and the devices.

Figure: EasyAccess 2.0 Network Overview

Some examples of an open network:

  • Device is connected to a router which is configured to forward TCP port 80 to the device. In this case, you can access the device via a public IP not in the same network.
  • The device is connected to a network that guests or anyone else can access, such as an open Wi-Fi network.

Affected Range

The security issues are found in the unpatched web service, EasyWeb V1.1, which is already running on the cMT products listed below. 

A device is affected only if the following two conditions are met:

  • It is connected to an open network to which a remote attacker may have access.
  • It is using the following OS version:

| # | Model | Affected OS Version | Any Unit Shipped Before |
|---|-------|---------------------|-------------------------|
| 1 | cMT-SVR-100 / cMT-SVR-102 / cMT-SVR-200 / cMT-SVR-202 / cMT-SVR-OPCUA | Any OS older than 20210305 | June 14th, 2021 |
| 2 | cMT-G01/G02 | Any OS older than 20210209 | June 14th, 2021 |
| 3 | cMT-G03/G04 | Any OS older than 20210222 | June 14th, 2021 |
| 4 | cMT3071 / cMT3072 / cMT3090 / cMT3103 / cMT3151 | Any OS older than 20210218 | June 14th, 2021 |
| 5 | cMT-HDM | Any OS older than 20210204 | June 14th, 2021 |
| 6 | cMT-FHD | Any OS older than 20210208 | June 14th, 2021 |
| 7 | cMT-CTRL01 | Any OS older than 20210302 | June 14th, 2021 |
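
The two conditions above can be applied to an asset inventory. The Python below is an added example, not vendor code: the inventory records, field names and function names are constructed, and "open network" is tested only by the public-IP definition from the Summary, so guest-accessible networks such as open Wi-Fi still need manual review.

```python
import ipaddress

# First fixed OS date per model (Affected Range table); older is affected.
FIXED_OS = {
    **dict.fromkeys(["cMT-SVR-100", "cMT-SVR-102", "cMT-SVR-200",
                     "cMT-SVR-202", "cMT-SVR-OPCUA"], "20210305"),
    **dict.fromkeys(["cMT-G01", "cMT-G02"], "20210209"),
    **dict.fromkeys(["cMT-G03", "cMT-G04"], "20210222"),
    **dict.fromkeys(["cMT3071", "cMT3072", "cMT3090", "cMT3103",
                     "cMT3151"], "20210218"),
    "cMT-HDM": "20210204", "cMT-FHD": "20210208", "cMT-CTRL01": "20210302",
}
# Private ranges as the advisory lists them; anything else counts as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(addr):
    """True if addr is outside the advisory's three private ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)

def os_is_affected(model, os_version):
    """True/False for listed models, None if the model is not in the table."""
    fixed = FIXED_OS.get(model)
    if fixed is None:
        return None
    if len(os_version) != 8 or not os_version.isdigit():
        raise ValueError(f"expected YYYYMMDD OS version, got {os_version!r}")
    return os_version < fixed  # YYYYMMDD strings sort chronologically

def triage(device):
    """Apply the advisory's two conditions to one inventory record."""
    affected = os_is_affected(device["model"], device["os"])
    if affected is None:
        return "model not listed"
    if not affected:
        return "OS already fixed"
    if is_public(device["reachable_at"]):
        return "AFFECTED: disconnect and upgrade OS"
    return "upgrade OS (no public address)"

# Constructed sample inventory; "reachable_at" is the address clients use.
INVENTORY = [
    {"name": "hmi-1", "model": "cMT3090", "os": "20200915", "reachable_at": "1.2.3.4"},
    {"name": "gw-1", "model": "cMT-G01", "os": "20210518", "reachable_at": "192.168.1.20"},
    {"name": "svr-1", "model": "cMT-SVR-100", "os": "20201101", "reachable_at": "172.20.5.9"},
]

print({d["name"]: triage(d) for d in INVENTORY})
```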

Solution

Upgraded OS images have been prepared for the affected products and are available upon request from Maple Systems.

After downloading the corresponding OS images, please follow the OS upgrade guide carefully.

Do not power cycle the device during the update as the update will be interrupted and the device may be damaged. 

| # | Model | OS Image | OS Upgrade Guide |
|---|-------|----------|------------------|
| 1 | cMT-SVR-1xx/2xx* | cMT_SVR_OS_20210518.zip | See OS Upgrade Tech Note TN5141 (link URL) |
| 2 | cMT-G01/G02* | cMT_G01_G02_OS_20210518.zip | |
| 3 | cMT-G03/G04 | cMT_G03_G04_OS_20210222.zip | |
| 4 | cMT3071 / cMT3072 / cMT3090 / cMT3103 / cMT3151 | cMT3071_3072_3090_3151_OS_20210218.zip | |
| 5 | cMT-HDM | cMT_HDM_OS_20210204.zip | |
| 6 | cMT-FHD | cMT_FHD_OS_20210208.zip | |
| 7 | cMT-CTRL01 | cMT_CTRL_OS_20210302.zip | |