PatchSiren cyber security CVE debrief

CVE-2024-45373 Dover Fueling Solutions (DFS) CVE debrief

A privilege escalation vulnerability in Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE allows authenticated users to elevate their privileges to administrator. The flaw exists in the access control mechanism of the MAGLINK LX4 CONSOLE, where a valid user can modify their own privilege level without proper authorization checks. This vulnerability has a CVSS 3.1 score of 8.8 (HIGH severity), indicating significant risk due to the potential for complete system compromise by lower-privileged users. The attack vector is network-accessible with low attack complexity, requiring only low privileges and no user interaction.

Vendor: Dover Fueling Solutions (DFS)
Product: ProGauge MAGLINK LX CONSOLE
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-09-24
Original CVE updated: 2024-09-24
Advisory published: 2024-09-24
Advisory updated: 2024-09-24

Who should care

Organizations operating fueling stations, petroleum terminals, or industrial fuel management systems using Dover Fueling Solutions ProGauge MAGLINK LX or LX4 CONSOLE equipment. This includes fuel retailers, fleet operators, petroleum distributors, and critical infrastructure operators in the energy sector who rely on these systems for inventory management, tank monitoring, and fuel dispensing operations. Security teams responsible for OT/ICS environments and compliance officers managing NERC CIP or sector-specific security requirements should prioritize assessment and remediation.

Technical summary

The vulnerability stems from improper access control in the MAGLINK LX4 CONSOLE authentication and authorization subsystem. After successful authentication, the system fails to enforce privilege boundaries, allowing authenticated users to self-elevate to administrator status. This represents a broken access control weakness (CWE-269) where the application does not properly restrict users from gaining privileges by performing unauthorized actions. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability.
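As an added example (not DFS code, and not a description of how the console actually implements this), the flaw class above in Python: a profile-update handler that writes a client-supplied privilege field after authentication but with no authorization check, beside a hardened version that treats authentication and authorization as separate decisions. The User, AuthorizationError and update_profile_* names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical privilege levels; the console's real role names are not on the page.
ROLES = ("operator", "administrator")


@dataclass
class User:
    name: str
    role: str
    email: str = ""


class AuthorizationError(Exception):
    """Raised when an authenticated caller is not allowed to perform an action."""


def update_profile_vulnerable(actor: User, changes: dict) -> User:
    """CWE-269 pattern: the caller is authenticated, so every submitted field,
    'role' included, is written straight back. An operator who submits
    {'role': 'administrator'} elevates themselves with no further check."""
    for key, value in changes.items():
        setattr(actor, key, value)
    return actor


def update_profile_hardened(actor: User, target: User, changes: dict) -> User:
    """Hardened form: only an explicit allow-list of fields is writable; the
    'role' field additionally requires an administrator caller, may not be
    applied to the caller's own account, and must name a known role."""
    writable = {"email"}
    if "role" in changes:
        if actor.role != "administrator":
            raise AuthorizationError("only administrators may change roles")
        if actor is target:
            raise AuthorizationError("an account may not change its own role")
        if changes["role"] not in ROLES:
            raise AuthorizationError("unknown role %r" % (changes["role"],))
        writable.add("role")
    unexpected = set(changes) - writable
    if unexpected:
        # Reject, rather than silently drop, fields the caller may not set.
        raise AuthorizationError("field(s) not writable: %s" % sorted(unexpected))
    for key in writable & set(changes):
        setattr(target, key, changes[key])
    return target
```

The vulnerable handler is the failure the advisory describes; the hardened one shows the check that was missing, applied server-side regardless of what the client sends.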

Defensive priority

HIGH

Recommended defensive actions

  • Apply software update version 4.19.10 for MagLink LX console through DFS authorized service organizations. Contact DFS customer support at 877-679-8324 for North American installation assistance.
  • Install MagLink consoles behind firewalls to restrict network access and reduce attack surface.
  • Monitor for and install security updates on a timely basis through the DFS proprietary portal available to registered customers.
  • Consider operating MagLink consoles offline or disconnected from networks where operational requirements permit.
  • Review and enforce the principle of least privilege for all user accounts on affected systems.
  • Implement network segmentation to isolate fueling system consoles from untrusted networks.

Evidence notes

CISA published advisory ICSA-24-268-04 on 2024-09-24 documenting this vulnerability. The source indicates that once logged in to ProGauge MAGLINK LX4 CONSOLE, a valid user can change their privileges to administrator. Affected versions include ProGauge MAGLINK LX CONSOLE <=3.4.2.2.6 and ProGauge MAGLINK LX4 CONSOLE <=4.17.9e.
