ICS System with Public Exploits Cannot be Patched

ICS-CERT has released a security advisory for an ICS product used in the energy industry that cannot be patched, and there are publicly available exploits.

According to the advisory, the Environmental Controls Systems (ECS) 8832 provides operators with an interface to control calibration functions such as switching on gas solenoids, performing the timing, and editing input/output settings. The ICS-CERT advisory ICSA-16-147-01 states that the vulnerabilities apply to ‘ESC 8832 Version 3.02 and earlier versions.’ Since 3.02 is the current version, every device in use is vulnerable.

Successful exploitation of the vulnerabilities would allow attackers to perform unauthenticated operations over the network.

The vulnerabilities were reported to ECS by Balazs Makany in February 2015. The problem is that ECS can do nothing about them. A presentation dated April 2016 explains some of the reasons. The presentation is designed to introduce the 8832’s successor product, the 8864; but it notes that the 8832 was designed 15 years ago and last updated in 2010. The last build of new units was in 2013, some of the parts cannot be replaced, and it will be obsoleted in 2019.

More to the point, however, it explains there is no available code space and it is impossible to make any further bug fixes, security updates or regulatory changes to the 8832. In other words, current users cannot fix the vulnerabilities for which exploits are in the public realm. The choice is between upgrading to the new 8864 (never an easy decision in an operational environment), or applying what little mitigation is available.

Mitigating controls are to reduce network exposure for all control system devices and ensure they are not accessible via the internet, isolate the operational network from the business network, and use a secure VPN from a secure device whenever remote access is necessary. In short, the only defense against these vulnerabilities is to do what all ICS networks should already do as a matter of course.

The ICS-CERT advisory describes two vulnerabilities: authentication bypass and privilege escalation. However, a public proof-of-concept exploit (also developed by Balazs Makany) for a session hijacking vulnerability lists five vulnerabilities: insecure user session handling (session hijacking); insecure user session generation (predictable user session generation); insecure user authentication method (unencrypted protocol); insecure user management (lack of user names); and insecure user session token transmission (session token in HTTP GET).

For the privilege escalation vulnerability, ICS-CERT warns “An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.”
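Two of the weaknesses above, a session token carried in the HTTP GET query string and brute force of a parameter to reach functions hidden from the menu, leave traces in ordinary web-server or proxy logs, which is where an operator who cannot patch can at least watch for them. The following is an added example, not code from the advisory or the vendor; the log lines are constructed, and the parameter names `sid` and `func` are assumptions rather than the controller's real query parameters.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common Log Format line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Constructed sample lines. "sid" and "func" are assumed names, not the
# ESC 8832's real parameters; 10.0.0.9 cycles through values of "func".
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2016:10:00:01 +0000] "GET /login.htm HTTP/1.1" 200 812',
    '10.0.0.5 - - [25/May/2016:10:00:02 +0000] "GET /menu.htm?sid=1001 HTTP/1.1" 200 940',
    '10.0.0.5 - - [25/May/2016:10:00:03 +0000] "GET /cal.htm?sid=1001&func=7 HTTP/1.1" 200 640',
    '10.0.0.9 - - [25/May/2016:10:05:10 +0000] "GET /cal.htm?sid=1002&func=1 HTTP/1.1" 403 120',
    '10.0.0.9 - - [25/May/2016:10:05:10 +0000] "GET /cal.htm?sid=1002&func=2 HTTP/1.1" 403 120',
    '10.0.0.9 - - [25/May/2016:10:05:11 +0000] "GET /cal.htm?sid=1002&func=3 HTTP/1.1" 403 120',
    '10.0.0.9 - - [25/May/2016:10:05:11 +0000] "GET /cal.htm?sid=1002&func=4 HTTP/1.1" 200 640',
]


def parse(line):
    """Return (ip, method, path, query_dict, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    parts = urlsplit(target)
    return ip, method, parts.path, parse_qs(parts.query), int(status)


def tokens_in_get(lines, token_param="sid"):
    """Requests whose session token travels in a GET query string; such tokens
    end up in proxy logs, browser history and Referer headers."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec[1] == "GET" and token_param in rec[3]:
            hits.append((rec[0], rec[2]))
    return hits


def param_bruteforce(lines, param="func", threshold=3):
    """Clients that try many distinct values of one parameter: the pattern
    behind 'brute force of a parameter' to reach functions not in the menu."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and param in rec[3]:
            seen[rec[0]].update(rec[3][param])
    return {ip: len(vals) for ip, vals in seen.items() if len(vals) >= threshold}
```

Thresholds and parameter names must be tuned to the real device's HTTP interface; on a controller with a handful of legitimate functions, even a small number of distinct values from one client in a few seconds is worth an alert.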

The basic timeline, which could be considered a little surprising, is: vulnerabilities reported in February 2015; exploit published in May 2015; ICS-CERT advisory published in May 2016.

ICS-CERT notes that “an attacker with a low skill would be able to exploit these vulnerabilities.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
