A security researcher discovered several vulnerabilities in industrial control systems software from China that can be exploited remotely.
The vulnerabilities can be used to knock out or take over SCADA (supervisory control and data acquisition) systems from Chinese firm Sunway ForceControl Technology, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber-Emergency Response Team said June 14 in its security advisory. The heap overflow vulnerabilities were discovered in Sunway’s Force Control and pNetPower products by NSS Labs researcher Dillon Beresford.
Sunway has patched both holes and released software updates for affected systems. ICS-CERT coordinated with Beresford, the China National Vulnerability Database and Sunway to resolve the problem.
A successful exploitation of these vulnerabilities “can result in adverse application conditions and ultimately impact the production environment on which the SCADA system is used,” said the ICS-CERT advisory.
The security bugs affect the Web server components in Force Control version 6.1 and pNetPower version 6, according to Beresford. The vulnerabilities could be used by a remote attacker to perform a denial-of-service attack on systems running the affected programs and knock it offline, according to the ICS-CERT bulletin. They could also run malicious code against the applications.
Force Control and pNetPower are widely used in Europe and the Americas to control critical infrastructure in the petroleum production, petrochemical, defense, transportation, water, manufacturing and energy industries. Sunway systems are also widely used in China to run weapons systems, utilities and chemical plants. If attackers launch a denial-of-service attack, the networks that control, for example, a petroleum pipeline or other sensitive systems would effectively be shut down, according to the bulletin.
Beresford has uncovered a number of security vulnerabilities in the SCADA systems recently, including issues in the Siemens Step 7 controllers. China’s infrastructure is extremely vulnerable to cyber-attack, Beresford found, with multiple issues in its systems that can be exploited by cyber-criminals.
The vulnerabilities are particularly worrying because the Stuxnet worm that targeted nuclear facilities in Iran exploited vulnerabilities in Siemens’ SCADA software. Stuxnet hijacked the control and behavior of programmable logic controller devices that handled nuclear material centrifuges and other systems in the nuclear plant.
SCADA systems are notoriously insecure because they were originally designed to operate on an “isolated network,” Avishai Wool, CTO of AlgoSec, told eWEEK. Attackers originally had to first gain physical access to the systems in order to attack critical infrastructure. Hacking SCADA systems also required a lot of technical know-how and proper equipment, according to Wool.
“SCADA offered security by obscurity,” Wool said.
Now that many SCADA systems are connected to the Internet and others are connected to broader IT industrial networks, the systems are vulnerable because they can’t differentiate between legitimate and malicious requests. In addition, there is no built-in authentication process to protect the session from being hijacked. SCADA was not designed with any security features at all, according to Wool.
The industry should replace the “overly simplistic protocols” with ones that provide authentication, access control, audit and encryption, Wool said. But until then, IT departments should implement sniffing, scanning, filtering, firewalls and networking intrusion detection systems to protect critical infrastructure.
The potential impact “depends on many factors that are unique to each organization,” ICS-CERT said in its advisory. Even though there are no known exploits for the two issues currently in the wild and an attacker would need to have “intermediate” skills to create consistent exploit code, security issues should be patched as soon as possible.
Heap overflow issues are a specific type of buffer overflow bugs that affect memory that is dynamically allocated when a software application is running. Attackers can exploit the problem to corrupt the heap data to change how the application runs and force it to execute malicious code or crash.