CISA Warns of Critical Flaws in TEM Opera Plus FM Transmitter Products Used in Critical Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding two critical vulnerabilities in the TEM Opera Plus FM Family Transmitter products, widely used in critical infrastructure sectors. These vulnerabilities, tracked as CVE-2024-41988 and CVE-2024-41987, pose significant risks, allowing potential attackers to gain unauthorized access and control over affected systems.
The first vulnerability, CVE-2024-41988, has received a CVSS score of 9.8, marking it as highly critical. This flaw allows access to an unprotected endpoint within the TEM Opera Plus FM system. By exploiting this vulnerability, attackers can upload a binary image to the MPFS File System—without any authentication. The MPFS serves as the backbone for the HTTP2 web server module but is also used by the SNMP module and other applications requiring basic storage capabilities.
The most concerning aspect is that exploiting this vulnerability enables attackers to overwrite the flash program memory that holds the web server’s core interfaces. By doing so, they can execute arbitrary code, compromising the system and potentially gaining full control over the transmitter’s operations.
Given the widespread use of TEM Opera Plus FM transmitters in critical infrastructure such as telecommunications, broadcast, and utility sectors, this vulnerability poses a direct threat to operational safety and data integrity.
The second vulnerability, CVE-2024-41987, has a CVSS score of 9.6, indicating a similarly high level of severity. This flaw arises from insufficient validation of HTTP requests within the TEM Opera Plus FM application interface. Attackers can leverage this vulnerability to perform actions with administrative privileges by luring a logged-in user into visiting a malicious website.
This is a Cross-Site Request Forgery (CSRF) flaw: an attacker tricks an authenticated user into executing malicious actions, such as altering system settings or triggering unwanted operations, without the user’s knowledge. If successfully exploited, the attacker can gain control over critical system functions, potentially disrupting essential services that rely on TEM transmitters.
Adding to the urgency of the situation, a public Proof of Concept (PoC) for these vulnerabilities, authored by security researcher Gjoko Krstic, has already been made available. CISA has flagged this PoC as a significant concern, as it provides a roadmap for attackers to exploit the vulnerabilities.
Despite multiple attempts, TEM has not responded to CISA’s requests for collaboration to mitigate these vulnerabilities, leaving users of the affected products with limited support from the manufacturer. This non-responsiveness only heightens the risk, as critical infrastructure organizations relying on these transmitters have fewer resources to defend against potential attacks.
In light of these critical vulnerabilities, CISA strongly urges all users of TEM Opera Plus FM Family Transmitter products to take immediate action to minimize their risk of exploitation. The agency offers the following defensive measures:
- Minimize network exposure: Ensure that all control system devices and systems are not directly accessible from the internet. Limiting exposure is crucial to reducing the attack surface.
- Isolate control system networks: Place control system networks and remote devices behind firewalls, ensuring they are separated from business networks to reduce the risk of lateral movement by attackers.
- Use secure remote access methods: When remote access is necessary, use Virtual Private Networks (VPNs) as an additional layer of protection. However, users should recognize that VPNs themselves can have vulnerabilities and must be kept up to date. The security of a VPN is only as strong as the devices connected to it.
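
With no vendor fix available, the exposure and CSRF issues described above can be reduced by a filtering proxy in front of the transmitter's web interface. The following is an added example, not code from CISA or TEM; the management subnet, hostname, and function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions (constructed for this example, not taken from the advisory):
MGMT_NET = ipaddress.ip_network("10.20.30.0/24")  # management VLAN allowed to reach the device
DEVICE_HOSTS = {"tx1.mgmt.example"}               # hostname operators use for the web UI
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def _host(url):
    """Return the lowercase hostname of an Origin/Referer value, or None."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None

def check_request(src_ip, method, headers):
    """Decide whether a filtering proxy should forward a request to the transmitter."""
    # Network exposure: only the management network may talk to the device at all.
    if ipaddress.ip_address(src_ip) not in MGMT_NET:
        return False, "source outside management network"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to cross-site POSTs; fall back to Referer if absent.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "state-changing request without Origin/Referer"
    # An Origin of "null" or any foreign site has no matching hostname and is refused.
    if _host(source) not in DEVICE_HOSTS:
        return False, "cross-site request (possible CSRF)"
    return True, "same-origin request"

SAMPLES = [  # constructed requests: (source IP, method, headers)
    ("10.20.30.15", "GET", {}),
    ("10.20.30.15", "POST", {"Origin": "http://tx1.mgmt.example"}),
    ("10.20.30.15", "POST", {"Origin": "https://other-site.example"}),
    ("10.20.30.15", "POST", {}),
    ("203.0.113.9", "POST", {"Origin": "http://tx1.mgmt.example"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:2], "->", check_request(*sample))
```

The Origin check addresses only browser-driven CSRF and does not authenticate callers, so the source restriction is what limits who can reach the unprotected upload endpoint. The example assumes the device changes state only on the listed methods; if its interface also acts on GET requests, those need the same check.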