Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

ICS-CERT Issues Warning After Full Disclosure of SCADA Flaws

ICS-CERT, the section of U.S. CERT that deals with Industrial Control Systems, is issuing an advisory after a researcher exposed four separate flaws within Pro-face Pro-server, a popular data management server that offers real-time reporting of automated manufacturing and production environments. Each of the flaws can be targeted remotely to trigger DoS conditions, or code execution.

ICS-CERT, the section of U.S. CERT that deals with Industrial Control Systems, is issuing an advisory after a researcher exposed four separate flaws within Pro-face Pro-server, a popular data management server that offers real-time reporting of automated manufacturing and production environments. Each of the flaws can be targeted remotely to trigger DoS conditions, or code execution.

Researcher Luigi Auriemma is credited with the full disclosure of the flaws, and he is being condemned by ICS-CERT for releasing proof-of-concept code along with the vulnerability report without notification to the vendor (Pro-face) or ICS-CERT.

Pro-face’s Pro-server can be run as a standalone server, but Pro-face recommends that it be set as a Windows service during installation. According to ICS-CERT, Pro-face Pro-server can be found tied to SCADA systems within the oil and gas, food and beverage, and water and wastewater industries.

While it’s unclear how many Pro-face Pro-server’s are deployed and potentially vulnerable, the company claims that overall it’s products are installed in more than 300,000 factory-floor systems worldwide, with over 1.5 million operator interfaces in use today.

“ICS-CERT is aware of a public report of multiple vulnerabilities affecting Pro-face Pro-Server, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. The vulnerabilities include invalid memory access, buffer overflow, unhandled exception, and memory corruption, with proof-of-concept (PoC) exploit code,” the advisory (PDF) states.

ICS-CERT has notified Pro-face and said they are working with them to develop mitigations. Currently there is no patch for the flaws, which impact versions 1.30.000 and earlier of Pro-server.

SecurityWeek has contacted Auriemma to ask about his thoughts on full disclosure and ICS-CERT’s take on his methods. This article will be updated if we hear from him. Likewise, SecurityWeek has also contacted Pro-face for their reaction and additional information.

Earlier this month, researcher Dillon Beresford worked with ICS-CERT and Progea to resolve issues with in the Progea Movicon application. Unlike the Pro-face Pro-server disclosure however, there were no known attacks and the proof-of-concept code was withheld from the public.

Related Reading: A New Cyber Security Model for SCADA

Related Reading:  Are Industrial Control Systems Secure?

Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers

Related Reading:  The Increasing Importance of Securing The Smart Grid

Related Reading: Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults?

Written By

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.