Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerability Discovered in Waste Automation, Results in Global Ecological Disaster

Washington, DC, Earth. April 1, 2014 — A critical vulnerability in the BNL Waste Allocator Load Lifter (Earth Class) industrial operating system, allowing remote privilege escalation and code execution through the injection of wOS control packets, has resulted in the compromise of waste removal automation on a global scale.

Washington, DC, Earth. April 1, 2014 — A critical vulnerability in the BNL Waste Allocator Load Lifter (Earth Class) industrial operating system, allowing remote privilege escalation and code execution through the injection of wOS control packets, has resulted in the compromise of waste removal automation on a global scale.

Of the millions of E class machines deployed globally that were compromised, one unit survived corruption. On this sole device, operators had actually applied a critical patch to the unit, allowing it to remain functional (if somewhat overwhelmed). The patch was released by BNL in June of 2007, after the original disclosure of the vulnerability by ICS-CERT, but sadly it was not widely deployed.

Wall•E “We told you that using unauthenticated and un-encrypted application layer protocols was a bad idea,” said … well, just about everyone for the past few years. “But BNL apparently wasn’t listening. Now we’ve only got one Wall•E left, and it can’t keep up with the world’s waste removal demands. We’re up a certain creek without a paddle, and the embarrassing thing is that we made the creek.”

Forensic analysis of compromised lifter units and tracing of the Command and Control path was unable to determine the source of the compromise, although general consensus is that it was either Iran, North Korea, or China. Or Russia. Or possibly North America. We don’t really know. In the wake of the resulting global disaster, which forced the evacuation of all nations of the Earth this weekend, it seems that it doesn’t really matter who started it because the Earth is now a useless pile of garbage.

The attack is still a concern as it highlights common weaknesses in Industrial Control Systems by many vendors. Luckily, the escape cruiser Axiom, which currently utilizes an unpatched version of a commercial industrial engineering software package (running on state of the art Windows Vista on circa-90’s Pentium M class computing platforms, to save costs), is “Generally considered safe from attack.” According to AUTO, the Axiom’s Automated piloting AI system. “The ship is protected by a Space Gap,” AUTO said, in a confident monotone, “Which is even more secure than an Air Gap, because it’s in space.”

The remaining Wall•E unit was busy watching “Hello Dolly” and was not available for comment.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.