DoS, Injection Flaws Among Vulnerabilities Found in ICS, SCADA Routers

A group of security researchers uncovered and identified up to 17 vulnerabilities from an industrial router model series designed to provide multifunctional protection within industrial control systems (ICS), such as pumping and treatment, DCS, and PLC/SCADA in the water, oil and energy, and automated manufacturing sectors. The vulnerabilities reportedly include high severity injection commands and denial-of-service (DoS) flaws, as well as medium severity weaknesses related to password storage and encryption.

[READ: Compromising Industrial Robots: The Fallacy of Industrial Routers in the Industry 4.0 Ecosystem]

The Moxa EDR-810 Series router is described to protect critical facilities while maintaining fast transmission of data, featuring redundancy protection measures including industrial firewall, NAT, VPN, and L2 switching structures. While firmware flaws also affect earlier versions of the product, injections and weak password encryption are common weaknesses in ICS and supervisory control and data acquisition (SCADA) systems, especially as threat actors consistently try to exploit common vulnerabilities found in Human Machine Interfaces (HMIs).

Problems with the identified ICS routers were discovered on November 2017, with vulnerabilities that allowed an attacker to escalate privileges through a specially crafted HTTP POST, thereby gaining access to the root shell and enabling control of the targeted device (CVE-2017-12120, CVE-2017-12121, CVE-2017-12125, CVE-2017-14432 to 14434). Attackers could also exploit DoS flaws in the web server and Service Agent by sending specially designed HTTP URI and TCP ports of 4000 or higher (CVE-2017-14435 to 14437, CVE-2017-12124, CVE-2017-14438 to 14439). Medium severity vulnerabilities were related to weak encryption and storage of passwords, as well as exploitable cross-site request forgery (CSRF) to execute malicious code for device reconfiguration (CVE-2017-12123, CVE-2017-12126, CVE-2017-12127, CVE-2017-12129).

[RELATED: The SCADA That Cried Wolf: Who Is Really Attacking Your ICS Devices?]

While flaws like these crop up from security research and inspections, these vulnerabilities can be exploited by threat actors, as was the case for the Stuxnet and the Ukrainian power grid attack. ICS and SCADA systems are at the heart of countries’ vital infrastructures, such as power and water generation and distribution, and communication expanse and civil defense systems, to name a few. A study conducted and published by Trend Micro ZDI researchers found a number of reasons why vendors overlook uploading updates for their clients. Ultimately, ICSs must be protected from compromise as it is the central hub for managing major infrastructure. Some things that can be done to protect Industrial Control Systems:

  • Network Segmentation: Partition and define the system into specific security zones to isolate and to implement layers of protection, especially for the critical parts of the network.
  • Patch Management: Ensure that your overall control system security is safe from the newest vulnerabilities by regularly installing vendor-released software patches.
  • Intrusion Detection: Establish system-monitoring methods for early identification of malicious activity in the network, from inside the organization to all other possible points of entry.
  • Periodic Assessment and Audits: Periodic testing and verification ensures that the security components of a system are running as assigned, thereby reducing windows of opportunity for threat actors.
  • Incident Planning and Response: Identify and establish a comprehensive proactive and reactive response plan that allow members of the organization to prevent incidents from scaling, as well as to know how to identify these incidents when they happen and what to do when they occur. This also calls for collaborative assessment, planning, maintenance, and implementation.
Third party vendors may be called in and assigned different accountabilities and privileges to augment the organizational infrastructure. Trend Micro Tipping Point IPS, Deep Discovery, and Advanced Threat Protection are appliances that can detect malicious and unusual SCADA network traffic associated with a breach, providing solutions for network security for non-standard operating systems.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.