Researchers from Positive Technologies have discovered several vulnerabilities in APROL industrial process control systems from Austria-based B&R Industrial Automation.
According to the cybersecurity firm, the flaws impact 12 components of the APROL products, which are often used by oil and gas, energy, and mechanical engineering companies.
Release notes for a patched version of APROL show that the flaws are related to the FTP, finger, SSH, VNC, TbaseServer, LDAP server, web server, EnMon, IosHttp, AprolLoader, AprolSqlServer, and AprolCluster components.
The most dangerous of the security holes can allow a remote attacker to execute arbitrary code on the APROL system. Exploitation of the flaws can have serious consequences — depending on what the product is used for — including power outages and oil leaks.
Learn More About ICS Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference
“The ability to run arbitrary code in the operating system of ICS components would allow attackers to disrupt technological process,” explained Paolo Emiliani, Industry and SCADA Research Analyst Security at Positive Technologies. “For instance, an attacker could send unauthorized commands controlling the equipment and change configuration settings, including program algorithms. These changes can cause abnormal operation modes or even an incident in production.”
Positive Technologies told SecurityWeek that the vulnerabilities can be exploited by an attacker who has access to the targeted organization’s network. The company says it’s unlikely that an organization would leave these systems exposed on the internet.
Positive Technologies said it took the vendor roughly 10 months to address the vulnerabilities.
Related: Several Industrial Automation Products Affected by WibuKey DRM Flaws
Related: Critical Flaws Found in Siemens Telecontrol, Building Automation Products
Related: Rockwell Automation to Patch Publicly Disclosed Power Monitor Flaws
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Latest News
- Burnout in Cybersecurity – Can it be Prevented?
- Spain Needs More Transparency Over Pegasus: EU Lawmakers
- Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA
- Virtual Event Today: Supply Chain & Third-Party Risk Summit
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
