ICS-CERT has released a security advisory for an ICS product used in the energy industry that cannot be patched, and there are publicly available exploits.
According to the advisory, the Environmental Controls Systems (ECS) 8832 provides operators with an interface to control calibration functions such as switching on gas solenoids, performing the timing, and editing input/output settings. The ICS-CERT advisory ICSA-16-147-01 states that the vulnerabilities apply to ‘ESC 8832 Version 3.02 and earlier versions.’ Since 3.02 is the current version, that means that all devices in use are vulnerable.
Successful exploitation of the vulnerabilities would allow attackers to perform unauthenticated operations over the network.
The vulnerabilities were reported to ECS by Balazs Makany in February 2015. The problem is that ECS can do nothing about them. A presentation dated April 2016 explains some of the reasons. The presentation is designed to introduce the 8832’s successor product, the 8864, but it notes that the 8832 was designed 15 years ago and last updated in 2010. The last build of new units was in 2013, some of the parts cannot be replaced, and it will be obsoleted in 2019.
More to the point, however, it explains there is no available code space and it is impossible to make any further bug fixes, security updates or regulatory changes to the 8832. In other words, current users cannot fix the vulnerabilities for which exploits are in the public realm. The choice is between upgrading to the new 8864 (never an easy decision in an operational environment), or applying what little mitigation is available.
Mitigating controls are to reduce network exposure for all control system devices and ensure they are not accessible via the internet, isolate the operational network from the business network, and use a secure VPN from a secure device whenever remote access is necessary. In short, the only defense against these vulnerabilities is to do what all ICS networks should already do as a matter of course.
The ICS-CERT advisory describes two vulnerabilities: authentication bypass and privilege escalation. However, a public proof-of-concept exploit for session hijacking (also developed by Balazs Makany) lists five vulnerabilities: insecure user session handling (session hijacking); insecure user session generation (predictable user session generation); insecure user authentication method (unencrypted protocol); insecure user management (lack of user names); and insecure user session token transmission (session token in HTTP GET).
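Two of the weaknesses listed above leave a trace that a defender can look for on the network: a session token carried in a plaintext HTTP GET query string, and token values that advance predictably. The following checker is an added example, not code from the article, the advisory or the vendor; it runs over constructed proxy log lines, and the controller address 192.0.2.10, the query parameter names and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (combined-log style with full URLs). The
# controller address 192.0.2.10 and the parameter names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2016:10:00:01 +0000] "GET http://192.0.2.10/cgi/menu?session=1001 HTTP/1.1" 200 512
10.0.0.5 - - [26/May/2016:10:00:03 +0000] "GET http://192.0.2.10/cgi/status HTTP/1.1" 200 220
10.0.0.6 - - [26/May/2016:10:00:09 +0000] "GET http://192.0.2.10/cgi/menu?session=1002 HTTP/1.1" 200 512
10.0.0.7 - - [26/May/2016:10:00:15 +0000] "POST http://192.0.2.10/cgi/login HTTP/1.1" 302 0
10.0.0.8 - - [26/May/2016:10:00:21 +0000] "GET http://192.0.2.10/cgi/io?sid=1004 HTTP/1.1" 200 640
10.0.0.9 - - [26/May/2016:10:00:30 +0000] "GET https://example.invalid/app?token=abc HTTP/1.1" 200 100
"""

# Assumed names a session token might travel under in the query string.
TOKEN_PARAMS = {"session", "sessionid", "sid", "token"}

LINE_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def find_get_tokens(log_text):
    """Return (source_ip, token) for every plaintext GET whose query carries a session token."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["url"])
        if parts.scheme == "https":  # token at least not visible on the wire
            continue
        for name, values in parse_qs(parts.query).items():
            if name.lower() in TOKEN_PARAMS:
                hits.append((m["src"], values[0]))
    return hits


def looks_sequential(tokens, max_gap=5):
    """True when numeric tokens increase by small steps, i.e. session generation is predictable."""
    nums = [int(t) for t in tokens if t.isdigit()]
    if len(nums) < 2:
        return False
    return all(0 < b - a <= max_gap for a, b in zip(nums, nums[1:]))


def report(log_text):
    """Summarise both findings for the sample log."""
    hits = find_get_tokens(log_text)
    return {"plaintext_get_tokens": hits,
            "predictable_tokens": looks_sequential([t for _, t in hits])}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A positive result on real traffic to the controller means the session tokens are exposed to anyone on the path and that the mitigations in the advisory (network isolation, VPN-only remote access) are the only protection available.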
For the privilege escalation vulnerability, ICS-CERT warns “An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.”
The basic timeline, which could be considered a little surprising, is: vulnerabilities reported in February 2015; exploit published in May 2015; ICS-CERT advisory published in May 2016.
ICS-CERT notes that “an attacker with a low skill would be able to exploit these vulnerabilities.”
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.