Recent weeks have proven to be challenging with several industrial control system (ICS) vendors issuing critical warnings about security bugs lurking around the ecosystem.
Claroty has privately disclosed details to industrial automation connectivity company Real Time Automation (RTA), informing the vendor of a critical vulnerability in its proprietary 499ES EtherNet/IP (ENIP) stack. Millions of EtherNet/IP devices are deployed on the factory floors of manufacturers large and small, and stacks such as RTA's are what device makers and third-party vendors embed in their products so that they can speak the industrial network protocol.
Researchers at the New York-based operational technology (OT) security firm found that all versions of RTA's EtherNet/IP stack before version 2.28 contain a stack-based buffer overflow. An attacker who can reach an affected device over the network can send a specially crafted packet that may result in a denial-of-service condition or, depending on the target, remote code execution.
Operators of industrial control systems should investigate their RTA ENIP implementations and update to current versions, as the vulnerability could cause a denial-of-service situation, and depending on other conditions could expose a device running older versions of the protocol to remote code execution, Claroty said.
Using their detection tool, Claroty researchers were able to identify 11 devices using RTA’s ENIP stack from six different vendors, which are likely to be vulnerable.
RTA has identified that the vulnerability was removed in a 2012 code update, but Claroty notes that many vulnerable implementations are likely still present in products in use today. Vendors typically make a one-time purchase of a protocol stack such as RTA ENIP, as an SDK or a hardware implementation, without buying an additional support package, so integrations built before that fix were never updated and remain vulnerable.
“The older code in the RTA device attempted to reduce RAM usage by limiting the size of a particular buffer used in an EtherNet/IP Forward Open request,” said John Rinaldi, RTA’s CEO, chief strategist and business development manager. “By limiting the RAM, it made it possible for an attacker to attempt to overrun the buffer and use that to try to get control of the device. That line of code was changed a number of revision levels ago and is not an issue in current EtherNet/IP software revision levels.”
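The pattern Rinaldi describes, a length field from the request copied into a deliberately small fixed buffer, is easiest to see in code. The following is an added illustration, not RTA's code and not the actual 499ES layout: the buffer size, the guard word and the simplified one-byte Connection_Path_Size header are assumptions chosen for the demonstration, and the real Forward Open request carries timing, connection ID and RPI fields before the path. The unsafe parser validates the path length only against the packet, the hardened one also validates it against its own buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes: a small fixed path buffer, as an implementation
 * trying to save RAM might choose. Not RTA's actual constants. */
#define PATH_BUF_BYTES 32u
#define GUARD_VALUE    0xDEADBEEFu

/* Stand-in for the per-connection state a stack keeps for a Forward Open.
 * The guard word plays the part of whatever sits next to the buffer in
 * memory (a return address, a pointer, another connection's state). */
struct conn_ctx {
    uint8_t  path[PATH_BUF_BYTES];
    uint32_t guard;
};

typedef int (*parser_fn)(const uint8_t *, size_t, struct conn_ctx *);

/* Simplified tail of a CIP Forward Open request (assumed layout): one byte
 * giving Connection_Path_Size in 16-bit words, followed by the path. */
static int path_len_from_header(const uint8_t *pkt, size_t len, size_t *path_bytes)
{
    if (len < 1)
        return -1;
    *path_bytes = (size_t)pkt[0] * 2u;       /* words -> bytes */
    if (*path_bytes > len - 1)
        return -1;                            /* path runs past the packet */
    return 0;
}

/* Vulnerable pattern: the length is checked against the packet but never
 * against the destination buffer, so a path longer than PATH_BUF_BYTES is
 * copied straight over whatever follows the buffer. */
int parse_forward_open_unsafe(const uint8_t *pkt, size_t len, struct conn_ctx *ctx)
{
    size_t path_bytes;
    if (path_len_from_header(pkt, len, &path_bytes) != 0)
        return -1;
    /* Addressed from the start of the struct so the demo stays inside ctx's
     * own storage; in a real stack this is a plain stack smash. */
    memcpy((uint8_t *)ctx + offsetof(struct conn_ctx, path), pkt + 1, path_bytes);
    return (int)path_bytes;
}

/* Hardened version: reject any path the buffer cannot hold. */
int parse_forward_open_safe(const uint8_t *pkt, size_t len, struct conn_ctx *ctx)
{
    size_t path_bytes;
    if (path_len_from_header(pkt, len, &path_bytes) != 0)
        return -1;
    if (path_bytes > PATH_BUF_BYTES)
        return -1;                            /* the check the old code lacked */
    memcpy(ctx->path, pkt + 1, path_bytes);
    return (int)path_bytes;
}

/* Constructed request tail with the given path size (in words) and a
 * recognisable fill byte. Returns the length written, 0 if it does not fit. */
size_t build_forward_open_tail(uint8_t *out, size_t cap, uint8_t path_words, uint8_t fill)
{
    size_t path_bytes = (size_t)path_words * 2u;
    if (cap < 1 + path_bytes)
        return 0;
    out[0] = path_words;
    memset(out + 1, fill, path_bytes);
    return 1 + path_bytes;
}

/* Run one parser on a fresh context against a constructed request. */
static int run_parser(parser_fn fn, uint8_t path_words, struct conn_ctx *ctx)
{
    uint8_t pkt[64];
    size_t n = build_forward_open_tail(pkt, sizeof pkt, path_words, 0x41);
    memset(ctx, 0, sizeof *ctx);
    ctx->guard = GUARD_VALUE;
    return n ? fn(pkt, n, ctx) : -1;
}

/* Parser return code for a path of path_words words. */
int parser_rc(parser_fn fn, uint8_t path_words)
{
    struct conn_ctx ctx;
    return run_parser(fn, path_words, &ctx);
}

/* 1 if the guard word survived the parse, 0 if it was clobbered. */
int guard_survives(parser_fn fn, uint8_t path_words)
{
    struct conn_ctx ctx;
    (void)run_parser(fn, path_words, &ctx);
    return ctx.guard == GUARD_VALUE;
}

int main(void)
{
    /* 18 words = 36 bytes: fills the 32-byte buffer and the 4-byte guard. */
    printf("unsafe, 18 words: rc=%d guard intact=%d\n",
           parser_rc(parse_forward_open_unsafe, 18), guard_survives(parse_forward_open_unsafe, 18));
    printf("safe,   18 words: rc=%d guard intact=%d\n",
           parser_rc(parse_forward_open_safe, 18), guard_survives(parse_forward_open_safe, 18));
    printf("safe,    4 words: rc=%d guard intact=%d\n",
           parser_rc(parse_forward_open_safe, 4), guard_survives(parse_forward_open_safe, 4));
    return 0;
}
```

Both parsers behave identically on a well-formed 4-word path; the difference only shows when the attacker controls Connection_Path_Size, which is exactly the case a network-reachable device has to assume. Shrinking the buffer to save RAM is fine only if the bound on the copy shrinks with it.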
In August this year, Claroty researchers discovered that control systems vulnerabilities were most prevalent in energy, critical manufacturing, and water and wastewater sectors. It further identified in its report for the first six months of this year that over 70 percent of ICS vulnerabilities could be exploited remotely, highlighting the importance of protecting internet-facing ICS devices and remote access connections.
Following Claroty's disclosure, the Industrial Control System Computer Emergency Response Team (ICS-CERT) put out an advisory and assigned the flaw a Common Vulnerability Scoring System (CVSS) base score of 9.8 out of 10, placing it in the 'critical' severity category; a base score that high describes a flaw reachable over the network with no privileges or user interaction required and a high impact on confidentiality, integrity and availability. CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, advised users to follow several defensive measures to reduce the risk of exploitation. Users should minimize network exposure for all control system devices and systems and ensure they are not accessible from the Internet, locate control system networks and remote devices behind firewalls, and isolate them from the business network.
Industrial control systems are particularly exposed because they must be available around the clock, and any disruption can undermine critical infrastructure on which large numbers of businesses and households depend. The proliferation of protocols and the lack of common standards also make it difficult for these systems to interoperate, or to be monitored, automatically. And because of the large investment involved, organizations typically keep industrial assets in service for many years, which makes it a challenge to deliver security updates to older products.
Schneider Electric also identified nine high severity security bugs in its interactive graphical SCADA system (IGSS), which is used for monitoring and controlling industrial processes, and communicates with key industry-standard PLC drivers. These security vulnerabilities identified include improper restriction of operations within the bounds of a memory buffer, out-of-bounds write and out-of-bounds read. Successful exploitation of these vulnerabilities may result in remote code execution.
Another affected product is the Paradox IP150 Internet module, firmware version 5.02.09, in which a stack-based buffer overflow and a classic buffer overflow were found. CISA observes that exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code, which may result in the termination of the physical security system. The IP150 module controls and monitors a control panel over an IP network (LAN / WAN / Internet).
With OT and ICS security issues increasingly becoming a matter of national security and critical infrastructure protection, Claroty raised two pertinent questions: whether vendors of third-party libraries should offer security updates to their customers irrespective of the support contracts in place, and whether device vendors should publish the third-party libraries they use in their software and firmware.