A web-based SCADA system deployed mainly in the US energy sector sports vulnerabilities that may allow attackers to perform configuration changes and administrative operations remotely. What’s worse is that these holes can’t be plugged because the device has nowhere to put an update.
“Independent researcher Maxim Rupp has identified data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller,” ICS-CERT has noted in an advisory published on Thursday.
“ESC acknowledged that Balazs Makany reported these vulnerabilities on February 18, 2015. ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible.”
The data controllers are used for automation and monitoring in various environments.
The two vulnerabilities are present in ESC 8832 Version 3.02 and earlier. Exploiting one allows for the bypassing of the authentication process for configuration changes, and exploiting the other allows an attacker to gain access to functions which are not displayed in the menu.
There is currently no indication that vulnerable systems are being attacked, but as detailed vulnerability information is publicly available, it could be just a matter of time until some of them are. ICS-CERT judges that low-skilled attackers would be able to exploit them.
Exploit PoC code a session hijacking vulnerability discovered by Makany in 2015 is available online.
The fact that these old devices can occasionally still be bought second-hand online can help attackers test attacks beforehand.
According to the manufacturer’s website, the 8832s are no longer manufactured or sold by them (they stopped in 2013).
“Though we will not be manufacturing new 8832s, ESC will continue to support the 8832 in future versions of our StackVision software until January 1, 2019. We will also continue to repair and service existing 8832 Data Controllers for as long as we can reasonably continue to get repair parts,” they state.
Effectively, the fact that implementing a firmware update is not possible should not be news to the organizations that use these devices – the last firmware update was back in March 2010 because of this same problem (no available code space).
Environmental Systems advises organizations – and has been advising them for a while – to ditch these controllers altogether and upgrade to newer products (their 8864 data controller, for example).
If that’s not possible, they advise blocking Port 80 with a firewall in front of the device, and educating operators and users to not use the web interface for device management.