The independent researcher Maxim Rupp reported an unpatchable flaw in the ICS Environmental Systems Corporation (ESC) 8832 Data Controller.
Vulnerable SCADA and industrial control systems are a common entry point into critical infrastructure for attackers. In many cases, patch management of these systems is very complex, and in some scenarios known flaws cannot be fixed for technical reasons.
Recently an ‘unpatchable’ vulnerability was discovered in an industrial control system (ICS) used in many power plants. The bad news is that the flaw has been publicly disclosed and exploit code has already been released.
The flaw can be exploited remotely and allows attackers to gain control of the target network; because of the risk posed by its exploitation, the US Computer Emergency Response Team is planning to release a specific alert.
The security researcher Maxim Rupp reported a flaw in the Environmental Systems Corporation 8832 data controller, affecting versions 3.02 and older. It has been assigned CVE-2016-4502 and ranked as a high-severity vulnerability because of its impact on the targeted infrastructure.
“Independent researcher Maxim Rupp has identified data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller. ESC acknowledged that Balazs Makany reported these vulnerabilities on February 18, 2015. ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible.” reads the notice issued by the US-CERT. “ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities.”
The US-CERT warns that an attacker with low skill would be able to exploit these vulnerabilities, as demonstrated by the PoC code published by Balazs Makany in the Exploit Database.
As explained in the advisory, the flaw cannot be fixed, so organizations using the flawed devices need to replace them, or else restrict remote access and monitor the attack surface.
Below are the mitigation actions suggested by US-CERT:
“ESC’s recommendation for mitigation is to upgrade the device. Alternatively, block Port 80 with a firewall in front of the device. Another alternative is to educate operators and users to not use the web interface for device management, because there are other means to manage the device. A security advisory is available to ESC users on the ESC support web site (login required):”
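The compensating controls above amount to two checks a defender can automate: which ESC 8832 units in the inventory run firmware 3.02 or older, and whether TCP/80 to those units is still reachable from hosts outside the engineering allowlist. The following script is an added example written for this article, not code from ESC or US-CERT; the inventory, the allowlist, the firewall log format and all addresses in it are constructed.

```python
# Added example (not from the ESC/US-CERT advisory): audit the compensating
# controls for CVE-2016-4502 (no firmware fix; restrict port 80 access).
from dataclasses import dataclass
import re


@dataclass
class Device:
    name: str
    ip: str
    firmware: str  # e.g. "3.02"; the advisory lists 3.02 and older as affected


def is_affected(firmware: str) -> bool:
    """ESC 8832 firmware 3.02 and older carries CVE-2016-4502."""
    major, minor = (int(x) for x in firmware.split(".")[:2])
    return (major, minor) <= (3, 2)


# Constructed (hypothetical) firewall log format: "<src> -> <dst>:<dport>/tcp <action>"
LOG_RE = re.compile(r"^(\S+) -> (\S+):(\d+)/tcp (ACCEPT|DROP)$")


def audit(devices, allowed_sources, log_lines):
    """Return every port-80 flow to an affected device from a host outside the
    allowlist as (device name, source, action). ACCEPT means the firewall in
    front of the device is not yet enforcing the recommended block."""
    by_ip = {d.ip: d for d in devices if is_affected(d.firmware)}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, dst, port, action = m.groups()
        if dst in by_ip and port == "80" and src not in allowed_sources:
            findings.append((by_ip[dst].name, src, action))
    return findings


def nft_rule(device_ip: str, allowed_sources) -> str:
    """nftables forward rule dropping TCP/80 to the device from everyone but the allowlist."""
    srcs = ", ".join(sorted(allowed_sources))
    return (f"nft add rule inet filter forward ip daddr {device_ip} "
            f"tcp dport 80 ip saddr != {{ {srcs} }} drop")


# Constructed sample data (all addresses and names are made up).
DEVICES = [Device("ESC-8832-A", "10.10.5.20", "3.02"),
           Device("ESC-8832-B", "10.10.5.21", "3.01")]
ALLOWED = {"10.10.1.15"}  # engineering workstation permitted to use the web UI
LOG = """10.10.1.15 -> 10.10.5.20:80/tcp ACCEPT
10.10.1.15 -> 10.10.5.20:502/tcp ACCEPT
192.0.2.44 -> 10.10.5.20:80/tcp ACCEPT
192.0.2.44 -> 10.10.5.20:80/tcp DROP
10.10.1.99 -> 10.10.5.21:80/tcp ACCEPT"""
```

Running `audit(DEVICES, ALLOWED, LOG.splitlines())` on the sample data flags the two external flows to unit A and the unlisted internal host reaching unit B; `nft_rule` prints the block rule for a given unit.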
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".