Security Experts:

High-Risk Flaws Found in Process Control Systems From B&R Automation

Researchers from Positive Technologies have discovered several vulnerabilities in APROL industrial process control systems from Austria-based B&R Industrial Automation.

According to the cybersecurity firm, the flaws impact 12 components of the APROL products, which are often used by oil and gas, energy, and mechanical engineering companies.

Release notes for a patched version of APROL show that the flaws are related to the FTP, finger, SSH, VNC, TbaseServer, LDAP server, web server, EnMon, IosHttp, AprolLoader, AprolSqlServer, and AprolCluster components.

The most dangerous of the security holes can allow a remote attacker to execute arbitrary code on the APROL system. Exploitation of the flaws can have serious consequences — depending on what the product is used for — including power outages and oil leaks.

Learn More About ICS Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference

“The ability to run arbitrary code in the operating system of ICS components would allow attackers to disrupt technological process,” explained Paolo Emiliani, Industry and SCADA Research Analyst Security at Positive Technologies. “For instance, an attacker could send unauthorized commands controlling the equipment and change configuration settings, including program algorithms. These changes can cause abnormal operation modes or even an incident in production.”

Positive Technologies told SecurityWeek that the vulnerabilities can be exploited by an attacker who has access to the targeted organization’s network. The company says it’s unlikely that an organization would leave these systems exposed on the internet.

Positive Technologies said it took the vendor roughly 10 months to address the vulnerabilities.

Related: Several Industrial Automation Products Affected by WibuKey DRM Flaws

Related: Critical Flaws Found in Siemens Telecontrol, Building Automation Products

Related: Rockwell Automation to Patch Publicly Disclosed Power Monitor Flaws

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.