Tag Archive for: Controller

Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking


A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched. 

Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).

The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software. 

Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials. 

“A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.

The second issue, tracked as CVE-2023-0452 and rated ‘high severity’, is an improper access control issue. An attacker can view log, database and configuration files that can contain username and password hashes for users, including administrators and technicians. 

These vulnerabilities can allow a remote, unauthenticated attacker to gain full control of traffic control functions. 

Amin has conducted an internet search to see how many EOS systems are exposed to attacks from the web. He told SecurityWeek that he identified roughly 50 exposed controllers that are running older firmware. These systems are not affected by the flaws he discovered, but they are still not secure. 

In addition, he discovered approximately 30 controllers running 2018-2020 versions of the EOS software and these systems are vulnerable to remote attacks.

He also found roughly 500 instances of associated devices that can be found in the affected controllers’ proximity, including routers and cameras, which…


Hacker turns little Lego man Mario into Super Mario Bros. controller

There are lots of ways to play Super Mario games if you’re feeling creative. You could use a regular controller, sure, but why not a Guitar Hero guitar, Donkey Kong’s famous bongo peripherals, or even …

Mobile-security chip combines NFC controller, secure element and eSIM

  1. Mobile-security chip combines NFC controller, secure element and eSIM  eeNews Europe
  2. STMicroelectronics Unveils Highly Integrated Mobile-Security Chip Combining NFC Controller, Secure Element, and …  Nasdaq


Control Center for Mac Brings an iOS Style Controller to OS X

Mac: The Control Center introduced with iOS 7 is a great way to quickly toggle all kinds of different settings on your phone. If you’d like a similar experience on your Mac, Control Center for Mac does the job. With Control Center for Mac, you can bring up …