ICS/OT

ICS System with Public Exploits Cannot be Patched

ICS-CERT has released a security advisory for an ICS product used in the energy industry that cannot be patched, and there are publicly available exploits.

According to the advisory, the Environmental Controls Systems (ECS) 8832 provides operators with an interface to control calibration functions such as switching on gas solenoids, performing the timing, and editing input/output settings. The ICS-CERT advisory ICSA-16-147-01 states that the vulnerabilities apply to ‘ESC 8832 Version 3.02 and earlier versions.’ Since 3.02 is the current version, that means that all devices in use are vulnerable.

Successful exploitation of the vulnerabilities would allow attackers to perform unauthenticated operations over the network.

The vulnerabilities were reported to ECS by Balazs Makany in February 2015. The problem is that ECS can do nothing about them. A presentation dated April 2016 explains some of the reasons. The presentation is designed to introduce the 8832’s successor product, the 8864, but it notes that the 8832 was designed 15 years ago and last updated in 2010. The last build of new units was in 2013, some of the parts cannot be replaced, and it will be obsoleted in 2019.

More to the point, however, it explains there is no available code space and it is impossible to make any further bug fixes, security updates or regulatory changes to the 8832. In other words, current users cannot fix the vulnerabilities for which exploits are in the public realm. The choice is between upgrading to the new 8864 (never an easy decision in an operational environment), or applying what little mitigation is available.

Mitigating controls are to reduce network exposure for all control system devices and ensure they are not accessible via the internet, isolate the operational network from the business network, and use a secure VPN from a secure device whenever remote access is necessary. In short, the only defense against these vulnerabilities is to do what all ICS networks should already do as a matter of course.

The ICS-CERT advisory describes two vulnerabilities: authentication bypass and privilege escalation. However, a public proof-of-concept exploit (also developed by Balazs Makany) for a session hijacking vulnerability lists five vulnerabilities: insecure user session handling (session hijacking); insecure user session generation (predictable user session generation); insecure user authentication method (unencrypted protocol); insecure user management (lack of user names); and insecure user session token transmission (session token in HTTP GET).

For the privilege escalation vulnerability, ICS-CERT warns “An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.”
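Two of the weaknesses above leave traces a defender can look for in device or proxy logs: a session token carried in a GET query string, and a single client cycling through values of one parameter to reach functions not shown in its menu. The following detection logic is an added example, not code from the article or from ICS-CERT; the log format and the parameter names `sessid` and `func` are constructed assumptions, since the advisory does not name the device's actual parameters.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the advisory or the article).
# Fields: client, method, URL, HTTP status. Parameter names are assumptions.
SAMPLE_LOG = """\
10.0.5.21 GET /index.html?sessid=1001 200
10.0.5.21 GET /index.html?sessid=1001&func=12 200
10.0.5.21 GET /index.html?sessid=1001&func=13 200
10.0.5.21 GET /index.html?sessid=1001&func=14 404
10.0.5.21 GET /index.html?sessid=1001&func=15 200
10.0.5.21 GET /index.html?sessid=1001&func=16 403
10.0.5.77 GET /status.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse the constructed lines into (client, method, path, query, status)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        client, method, url, status = m.groups()
        parsed = urlparse(url)
        records.append((client, method, parsed.path, parse_qs(parsed.query), int(status)))
    return records

def tokens_in_query(records, token_param="sessid"):
    """Flag requests whose session token travels in the GET query string, where
    it is written to proxy logs and browser history (weakness 5 on the page)."""
    return [(c, p, q[token_param][0]) for c, m, p, q, s in records if token_param in q]

def parameter_enumeration(records, param="func", threshold=4):
    """Flag clients that try at least `threshold` distinct values of one parameter,
    the pattern behind the ICS-CERT privilege escalation description."""
    seen = defaultdict(set)
    for c, m, p, q, s in records:
        for v in q.get(param, []):
            seen[c].add(v)
    return {c: len(vals) for c, vals in seen.items() if len(vals) >= threshold}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(tokens_in_query(recs))
    print(parameter_enumeration(recs))
```

The threshold is deliberately low for the constructed sample; on a real device log it should be tuned to the number of legitimate menu functions an operator touches in a session.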

The basic timeline, which could be considered a little surprising, is: vulnerabilities reported in February 2015; exploit published in May 2015; ICS-CERT advisory published in May 2016.

ICS-CERT notes that “an attacker with a low skill would be able to exploit these vulnerabilities.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
