ICS-CERT, the section of U.S. CERT that deals with Industrial Control Systems, is issuing an advisory after a researcher exposed four separate flaws within Pro-face Pro-server, a popular data management server that offers real-time reporting of automated manufacturing and production environments. Each of the flaws can be targeted remotely to trigger DoS conditions or code execution.
Researcher Luigi Auriemma is credited with the full disclosure of the flaws, and he is being condemned by ICS-CERT for releasing proof-of-concept code along with the vulnerability report without notification to the vendor (Pro-face) or ICS-CERT.
Pro-face’s Pro-server can be run as a standalone server, but Pro-face recommends that it be set as a Windows service during installation. According to ICS-CERT, Pro-face Pro-server can be found tied to SCADA systems within the oil and gas, food and beverage, and water and wastewater industries.
While it’s unclear how many Pro-face Pro-servers are deployed and potentially vulnerable, the company claims that overall its products are installed in more than 300,000 factory-floor systems worldwide, with over 1.5 million operator interfaces in use today.
“ICS-CERT is aware of a public report of multiple vulnerabilities affecting Pro-face Pro-Server, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. The vulnerabilities include invalid memory access, buffer overflow, unhandled exception, and memory corruption, with proof-of-concept (PoC) exploit code,” the advisory (PDF) states.
ICS-CERT has notified Pro-face and said they are working with them to develop mitigations. Currently there is no patch for the flaws, which impact versions 1.30.000 and earlier of Pro-server.
SecurityWeek has contacted Auriemma to ask about his thoughts on full disclosure and ICS-CERT’s take on his methods. This article will be updated if we hear from him. Likewise, SecurityWeek has also contacted Pro-face for their reaction and additional information.
Earlier this month, researcher Dillon Beresford worked with ICS-CERT and Progea to resolve issues within the Progea Movicon application. Unlike the Pro-face Pro-server disclosure, however, there were no known attacks and the proof-of-concept code was withheld from the public.
