6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
69.6%
This updated advisory is a follow-up to the updated advisory titled ICSA-16-147-01A Environmental Systems Corporation Data Controllers Vulnerabilities that was published June 2, 2016, on the NCCIC/ICS-CERT web site.
Independent researcher Maxim Rupp has identified data controller vulnerabilities in the Environmental Systems Corporation (ESC) 8832 Data Controller. ESC acknowledged that Balazs Makany reported these vulnerabilities on February 18, 2015. ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches; so, a firmware update is not possible. ESC has released an advisory that identifies compensating controls to reduce risk of exploitation of the reported vulnerabilities.
These vulnerabilities could be exploited remotely.
An exploit that targets these vulnerabilities is publicly available. A Metasploit module has been released that allows an attacker to hijack a valid session that is in progress by a legitimate user.
The following ESC 8832 Data Controller versions are affected:
Successful exploitation of these vulnerabilities may allow attackers to perform administrative operations over the network without authentication.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
ESC is a US-based company that maintains offices in Austin, Texas.
The affected products, ESC 8832 Data Controller Versions 3.02 and earlier, are web-based SCADA systems. According to ESC, the 8832 Data Controller is deployed in the Energy Sector. ESC estimates that these products are used primarily in the United States.
The authentication process can be bypassed allowing unauthorized configuration changes to be made to the device because of incorrect implementation of the sessions.
CVE-2016-4501NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4501, web site last accessed December 22, 2016. has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, web site last accessed December 22, 2016.
The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.
CVE-2016-4502NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4502, web site last accessed June 02, 2016. has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, web site last accessed May 26, 2016.
These vulnerabilities could be exploited remotely.
There is a publicly available Metasploit module that allows an attacker to hijack a valid session.
An attacker with a low skill would be able to exploit these vulnerabilities.
ESCβs recommendation for mitigation is to upgrade the device. Alternatively, block Port 80 with a firewall in front of the device. Another alternative is to educate operators and users to not use the web interface for device management, because there are other means to manage the device. A security advisory is available to ESC users on the ESC support web site (login required):
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
www.envirosys.com
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Environmental%20Systems%20Corporation%20Data%20Controllers%20Vulnerabilities%20%28Update%20B%29+https://www.cisa.gov/news-events/ics-advisories/icsa-16-147-01b
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-16-147-01b&title=Environmental%20Systems%20Corporation%20Data%20Controllers%20Vulnerabilities%20%28Update%20B%29
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-16-147-01b
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-16-147-01b
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Environmental%20Systems%20Corporation%20Data%20Controllers%20Vulnerabilities%20%28Update%20B%29&body=www.cisa.gov/news-events/ics-advisories/icsa-16-147-01b
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
69.6%