Attackers can remotely log in to a control system used by electric utilities and oil and gas companies via a backdoor to gain administrative access, according to the Department of Homeland Security.
Taiwan-based ORing Industrial Networking's products have hard-coded credentials within the operating system on its networking servers, DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in an alert released Wednesday. The vulnerability in ORing Industrial DIN-Rail Device Server 5042/5042+ systems was found by Reid Wightman, an independent researcher working with Digital Bond, according to the alert bulletin.
The vulnerability can be exploited remotely, and ICS-CERT said exploits targeting the system are known to be publicly available. Attackers can log in to the system with administrative privileges, which means they can read and write files and change settings, according to the alert.
Affected products are industrial serial device servers used for supervisory control and data acquisition systems, ICS-CERT said. ORing Industrial Networking devices are deployed across several sectors, including manufacturing, oil and gas, transportation, and electric utilities, and used in the United States, Europe, and Asia, according to the bulletin.
ICS-CERT released the alert because it has been “unable to successfully coordinate this vulnerability with ORing Industrial Networking because of the vendor’s unresponsiveness,” according to the bulletin.
A Common Vulnerability Scoring System base score of 10.0 has been assigned to the vulnerability, CVE-2012-4577. All versions of the Industrial DIN-Rail Device Server IDS 5042 and 5042+ are affected, and it is possible that other ORing Industrial Networking products are also affected. There doesn't appear to be an official fix for the flaw available at this time.
Organizations using affected ORing Industrial Networking products can take some “defensive measures” to protect against attackers remotely logging in, ICS-CERT said. The first step is to minimize network exposure for all control system devices. “Critical devices should not directly face the Internet,” ICS-CERT warned in the bulletin.
Control system networks and remote devices should be kept behind firewalls and isolated from the business network, so that even if an attacker gets into the control network, it is harder to reach the business network where the sensitive information is stored. Employees should also be reminded to use secure methods, such as Virtual Private Networks, to log in remotely.
Users should also be reminded not to click on Web links or open unsolicited attachments in email messages. Of course, there is absolutely no reason why anyone should be surfing the Web or emailing on a system connected to industrial control systems.
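The network-exposure and segmentation measures above translate directly into firewall policy. The following nftables ruleset is an added example written for this article, not configuration from ICS-CERT or ORing; it assumes a Linux firewall with four interfaces (Internet uplink, business LAN, control network, VPN tunnel) and uses constructed address ranges. It enforces the three points in the bulletin: the device servers never face the Internet, the control network is isolated from the business network, and remote administration reaches the devices only through the VPN.

```nftables
#!/usr/sbin/nft -f
# Added example: segmentation policy for a firewall between the business LAN,
# the Internet uplink, a VPN concentrator and the control network where the
# serial device servers live. Interface names and address ranges below are
# constructed assumptions, not values taken from the ICS-CERT alert.

flush ruleset

define wan      = eth0   # Internet-facing uplink (assumed)
define business = eth1   # business/office LAN (assumed)
define control  = eth2   # ICS network holding the device servers (assumed)
define vpn      = wg0    # VPN tunnel interface for remote staff (assumed)

table inet ics_segmentation {
    # Serial device servers and other control-network equipment (constructed range).
    set control_devices {
        type ipv4_addr
        flags interval
        elements = { 10.10.20.0/24 }
    }

    # VPN addresses assigned to the engineers allowed to administer the devices
    # (constructed; the VPN pool is assumed to be 10.10.30.0/24).
    set engineering_hosts {
        type ipv4_addr
        elements = { 10.10.30.5, 10.10.30.6 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies to connections that were permitted below.
        ct state established,related accept
        ct state invalid drop

        # "Critical devices should not directly face the Internet": nothing from
        # the uplink may reach the control network, and the control network may
        # not open connections to the Internet either.
        iifname $wan oifname $control drop
        iifname $control oifname $wan drop

        # Isolate the control network from the business network in both
        # directions, so a foothold in one zone does not give free access to the other.
        iifname $business oifname $control drop
        iifname $control oifname $business drop

        # Remote administration only over the VPN, only from the engineering
        # hosts, and only to the known control devices; log each session so
        # administrative access to the device servers is auditable.
        iifname $vpn oifname $control ip saddr @engineering_hosts ip daddr @control_devices log prefix "ics-admin: " accept

        # Anything else that tries to cross a zone boundary is logged and dropped,
        # which makes attempts to reach the control zone visible to monitoring.
        log prefix "ics-seg-drop: " drop
    }
}
```

Load it with `nft -f <file>` on the firewall host and watch the kernel log for the `ics-seg-drop:` prefix; a burst of those entries with the control network as destination is exactly the "suspected malicious activity" the bulletin asks organizations to investigate and report. Restricting the VPN rule to specific engineering addresses matters here because the device credentials themselves cannot be changed, so the firewall is the only place where access to the administrative login is actually controlled.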
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents,” ICS-CERT wrote in the bulletin.