US ICS-CERT Urges Admins to Mitigate New SCADA Risk

The US Department of Homeland Security has issued an alert urging IT administrators in the energy sector to take steps to mitigate two serious vulnerabilities in SCADA products.

The alert came late last week from the department’s ICS-CERT, and concerns two bugs discovered by independent researcher Maxim Rupp in products built by US firm Environmental Systems Corporation (ESC).

Crucially, the products affected – ESC 8832 Version 3.02 and earlier versions – don’t have enough memory space to implement a patch, meaning a firmware upgrade is out of the question.

The alert continued:

“Successful exploitation of these vulnerabilities may allow attackers to perform administrative operations over the network without authentication.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

Both bugs have been given a CVSS v3 base score of 7.5.

The first – CVE-2016-4501 – is an authentication bypass vulnerability which could allow an attacker to make unauthorized modifications to the device’s configuration.

The second – CVE-2016-4502 – is a privilege management bug which could allow a hacker to “gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.”

An attacker with only low skill could exploit these two vulnerabilities remotely, ICS-CERT warned.

To mitigate the risk of such an exploit, ESC recommends that admins either upgrade the device, block Port 80 with a firewall, or manage the device through means other than the web interface.

The affected product is used mainly in the energy sector in the United States, the advisory claimed.

Internet-connected SCADA systems are increasingly exposed to remote cyber attacks – especially those in mission critical deployments where administrators are reluctant to schedule downtime to patch them.

Last Christmas a major attack on power stations in Ukraine led to a serious power outage.