PatchSiren cyber security CVE debrief

CVE-2024-43692 Dover Fueling Solutions (DFS) CVE debrief

A critical authentication bypass vulnerability in Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE allows remote attackers to gain full administrative privileges by directly requesting protected resource subpages via URL manipulation. The flaw, published September 24, 2024, enables unauthenticated network-based access to sensitive console functions without requiring credentials or user interaction.

Vendor: Dover Fueling Solutions (DFS)
Product: ProGauge MAGLINK LX CONSOLE
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-24
Original CVE updated: 2024-09-24
Advisory published: 2024-09-24
Advisory updated: 2024-09-24

Who should care

Organizations operating fueling station infrastructure, petroleum retail networks, fleet fueling operations, and industrial fuel management systems utilizing Dover Fueling Solutions MAGLINK LX or LX4 consoles. Critical infrastructure operators in the energy sector should prioritize patching due to potential operational disruption and safety implications.

Technical summary

The ProGauge MAGLINK LX CONSOLE web interface fails to enforce authentication on resource subpages, allowing direct URL access with full administrative privileges. An unauthenticated remote attacker can craft HTTP requests to protected endpoints without credential validation, resulting in complete confidentiality, integrity, and availability compromise of the console. The vulnerability is network-exploitable with low attack complexity and no required privileges or user interaction.
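As an added illustration, not code from Dover Fueling Solutions or from this advisory, the following Python contrasts the bug class described above (authentication checked only on the console entry page, so a direct request for a subpage is served without credentials) with a deny-by-default check, and adds a small triage pass over constructed access-log lines; all paths, the log layout and the function names are hypothetical.

```python
"""Added example (not DFS code): the CVE-2024-43692 bug class, where only the
console entry page is gated and its subpages are served to anyone, beside a
deny-by-default check and a triage pass over constructed access-log lines.
All paths, the log layout and the names are hypothetical."""
import posixpath
from dataclasses import dataclass
from typing import List, Optional

PROTECTED_PREFIX = "/console"            # hypothetical admin area
LOGIN_PATH = PROTECTED_PREFIX + "/login"


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None   # None: no authenticated session


def _canonical(path: str) -> str:
    # Collapse '.', '..', repeated slashes and a doubled leading slash first.
    return "/" + posixpath.normpath(path).lstrip("/")


def _under_admin(path: str) -> bool:
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def vulnerable_dispatch(req: Request) -> int:
    """Buggy pattern: only the exact entry page redirects to login, so a direct
    request for /console/settings gets 200 with no credentials."""
    if req.path == PROTECTED_PREFIX and req.session_user is None:
        return 302
    return 200


def hardened_dispatch(req: Request) -> int:
    """Deny by default: anything at or under the prefix needs a session; the
    login page is the only exception."""
    path = _canonical(req.path)
    if path != LOGIN_PATH and _under_admin(path) and req.session_user is None:
        return 302
    return 200


def flag_unauthenticated_admin_hits(log_lines: List[str]) -> List[str]:
    """Triage: admin-area paths served with 200 and no session cookie.
    Constructed log shape: 'METHOD PATH STATUS SESSION' (SESSION '-' = none)."""
    hits = []
    for line in log_lines:
        _method, path, status, session = line.split()
        canon = _canonical(path)
        if _under_admin(canon) and canon != LOGIN_PATH and status == "200" and session == "-":
            hits.append(canon)
    return hits
```

The triage function is a coarse filter over the constructed log shape; on a real console you would map it onto whatever session marker and path layout the device's access log actually records.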

Defensive priority

Critical

Recommended defensive actions

  • Apply vendor patch version 4.19.10 through Dover Fueling Solutions authorized service organizations; contact DFS customer support at 877-679-8324 for North American installation assistance
  • Deploy MAGLINK consoles behind network firewalls with strict ingress filtering to limit exposure
  • Implement network segmentation to isolate fueling system consoles from untrusted networks
  • Monitor for and install security updates on a timely basis per vendor guidance
  • Consider operating MAGLINK consoles offline or air-gapped where operational requirements permit
  • Review CISA ICS recommended practices for industrial control system defense in depth

Evidence notes

CISA ICS advisory ICSA-24-268-04 documents this vulnerability with CVSS 3.1 score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Affected versions include ProGauge MAGLINK LX CONSOLE ≤3.4.2.2.6 and MAGLINK LX4 CONSOLE ≤4.17.9e. The vendor released patched version 4.19.10.
