Power plant ICS threatened by an easy remotely exploitable flaw

Pierluigi Paganini May 31, 2016

The independent researcher Maxim Rupp reported an unpatchable flaw in the ICS Environmental Systems Corporation (ESC) 8832 Data Controller.

Vulnerable SCADA and industrial control systems represent the entry point in critical infrastructure for hacking attacks. In many cases, patch management of these systems is very complex and in some specific scenarios known flaws could not be fixed for various technical reasons.

Recently and ‘unpatchable’ vulnerabilities have been discovered in an industrial control system (ICS) used in many power plants. The bad news is that the flaw has been publicly disclosed and the exploit code has been already released.

The flaw could be exploited remotely and allow attackers to gain control of the target network, due to the risk related the exploitation the US Computer Emergency Response Team is planning to release a specific alert.

The security researcher Maxim Rupp reported a flaw in the Environmental Systems Corporation 8832 data controller for versions 3.02 and older, it has been coded as CVE-2016-4502 and ranked as a high-severity vulnerability due to the impact on the targeted infrastructure.

“Independent researcher Maxim Rupp has identified data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller. ESC acknowledged that Balazs Makany reported these vulnerabilities on February 18, 2015. ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible.” reads the notice issued by the US-CERT. “ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities.

ICS ESC 8832 Data Controller

The US-CERT is warning that an attacker with a low skill would be able to exploit these vulnerabilities as demonstrated in the PoC code published by Balazs Makany in the Exploit DataBase.

As explained in the advisory the flaw could not be fixed so organizations using the flawed devices need to substitute it or have to restrict remote access monitoring the attack surface.

Below the mitigation actions suggested by US-CERT:

“ESC’s recommendation for mitigation is to upgrade the device. Alternatively, block Port 80 with a firewall in front of the device. Another alternative is to educate operators and users to not use the web interface for device management, because there are other means to manage the device. A security advisory is available to ESC users on the ESC support web site (login required):”

www.envirosys.com(link is external).

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ICS, SCADA)



you might also like

leave a comment