Vulnerability Patched in Schneider Electric ICS Gear

ID THREATPOST:31515080A1CF5F07BB63109CDF119BB7
Type threatpost
Reporter Michael Mimoso
Modified 2013-05-08T19:23:56


The Industrial Control System CERT released an advisory this week warning of a vulnerability in a popular sensor monitoring system used in a number of critical industries, including energy, water and manufacturing.

Aaron Portnoy of Exodus Intelligence discovered the flaw in the Windows-based management interface that governs Schneider Electric’s Accutech product. Accutech Manager enables field unit configuration and diagnostics of Accutech sensors. These sensors are battery-powered and wireless; they’re for telemetry applications in locations that are difficult to reach, such as hazardous areas or stranded measurement points, the company’s website said.

Accutech Manager is installed on technicians’ PCs and corporate LAN servers, providing a dashboard into the sensors’ operations. Portnoy found a heap overflow flaw in Accutech Manager 2.00.1 and older, ICS-CERT said. Schneider Electric has patched the vulnerability, the ICS-CERT advisory said. An attacker could exploit the vulnerability, gain administrator privileges and run malicious code.

“This vulnerability could affect the energy, water and wastewater, and critical manufacturing sectors,” the advisory said, adding that the vulnerability can be exploited remotely and exploit code had previously been published.

“The RFManagerService.exe process binds to Ports 2536/TCP and 2537/TCP by default. By sending an HTTP request outside the bounds of the buffer to Port 2537/TCP, an attacker can cause a heap-based buffer resulting in loss of confidentiality, integrity, and availability,” the advisory said, adding that the vulnerability has been assigned to CVE-2013-0658 and has been given the most critical CVSS score.

Until a patch is applied, Schneider recommends closing the Accutech Manager tool’s server component when not in use.
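As an added example (not code from the advisory or from Schneider Electric), a check a defender could run to find hosts where RFManagerService.exe still listens on the default ports beyond loopback while an affected version is installed; the `netstat -ano` lines, PID-to-image map and version strings below are constructed sample input.

```python
import re

# Defaults and affected range as stated in the ICS-CERT advisory quoted above.
ACCUTECH_PORTS = {2536, 2537}
ACCUTECH_IMAGE = "rfmanagerservice.exe"
LAST_AFFECTED = (2, 0, 1)  # "Accutech Manager 2.00.1 and older"

# One IPv4 TCP listener line from Windows `netstat -ano` (IPv6 lines are skipped).
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$",
    re.IGNORECASE,
)

# Constructed sample: what a technician PC running the service might show.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2536           0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:2537           0.0.0.0:0              LISTENING       1844
"""
SAMPLE_PIDS = {4: "System", 1844: "RFManagerService.exe"}  # from `tasklist`


def parse_version(text):
    """'2.00.1' -> (2, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version_text):
    """True when the installed Accutech Manager is 2.00.1 or older."""
    return parse_version(version_text) <= LAST_AFFECTED


def accutech_listeners(netstat_text, pid_to_image):
    """(port, bind address, reachable beyond host) for each Accutech port owned by
    RFManagerService.exe. A 0.0.0.0 or LAN bind is reachable from the network;
    a 127.0.0.1 bind is local only."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or int(m["port"]) not in ACCUTECH_PORTS:
            continue
        if pid_to_image.get(int(m["pid"]), "").lower() != ACCUTECH_IMAGE:
            continue
        found.append((int(m["port"]), m["addr"], not m["addr"].startswith("127.")))
    return sorted(found)


def assess_host(netstat_text, pid_to_image, version_text):
    """Flag a host only when an affected build exposes a port off-box."""
    exposed = [p for p, _, off_box in accutech_listeners(netstat_text, pid_to_image) if off_box]
    affected = is_affected(version_text)
    return {"affected_version": affected, "network_exposed_ports": exposed,
            "needs_attention": affected and bool(exposed)}
```

Hosts flagged by `assess_host` are the ones where the advisory's interim advice (stop the server component when not in use) or the patch still needs applying.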

Researchers have been taking long looks at SCADA and ICS gear in recent months, and coming up with some scary bugs and renewed interest in vulnerability brokering similar to the market for IT flaws. At last week’s Kaspersky Lab Security Analyst Summit, researcher Billy Rios of Cylance told Threatpost he’s been approached before about selling his research to third parties, rather than reporting flaws to vendors.

Rios and fellow researcher Terry McCorkle demonstrated a zero day in the Tridium Niagara Framework, which manages building maintenance systems. The researchers did not release details on the vulnerability, but demonstrated how they were able to get root access to the framework installed on a Tridium device. They also discovered weak encryption and credentials stored in session cookies. Using the Shodan search engine, Rios and McCorkle found 21,000 devices online running the vulnerable framework, including hospitals, banks and military institutions.

Shodan was purpose-built to find Internet-facing critical infrastructure products; a recent project conducted by researchers at consultancy InfraCritical enumerated more than 500,000 devices linked to critical infrastructure in the United States, many of which were protected by poor or default passwords.