Power plant controllers have been deemed vulnerable to remote exploits, allowing potential attackers to gain control of the networks and modify system configurations.
The flaw, publicly reported and documented by independent researcher Maxim Rupp, affects the Environmental Systems Corporation 8832 data controller, versions 3.02 and older. Because the affected systems do not have additional code space for patching or firmware upgrades, fixing the discovered vulnerabilities is not possible.
“Successful exploitation of these vulnerabilities may allow attackers to perform administrative operations over the network without authentication,” said the US Computer Emergency Response Team. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”
The vulnerability is also believed to be easily exploitable, even by attackers with low skill levels, and mitigating the risk involves completely removing the affected devices from the infrastructure or restricting access to them from outside the local network.
“Due to the predictable session generation and due to the lack of cookie based authentication in the web interface, it was confirmed that an attacker from a different source IP address can issue valid requests, impersonating the authenticated user,” reads the published exploit code. “The attack complexity is very low, no special software is required.”
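An added example (not code from the article, the researcher or the vendor) of how a defender could look in the controller's web-interface access logs for the conditions described above: a session identifier presented from more than one source address, sequential session identifiers, and requests reaching the interface from outside the local network. The log line format, the `session=` URL parameter and the local network range are assumptions; the log lines are constructed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample access log (hypothetical format, not the ESC 8832's real
# log format): timestamp, source IP, method, request path. The session id is
# assumed to travel in the URL since the interface has no cookie-based auth.
SAMPLE_LOG = """\
2016-06-01T10:00:01 10.0.0.5 GET /login?user=admin
2016-06-01T10:00:02 10.0.0.5 GET /config?session=1001
2016-06-01T10:00:09 10.0.0.5 GET /config?session=1001
2016-06-01T10:00:15 203.0.113.7 GET /config?session=1001
2016-06-01T10:00:20 203.0.113.7 POST /config?session=1002
2016-06-01T10:01:00 10.0.0.9 GET /status?session=1003
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
SESSION_RE = re.compile(r"[?&]session=(\d+)")

def parse_log(text):
    """Yield (timestamp, source_ip, method, path, session_id_or_None) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, ip, method, path = m.groups()
        s = SESSION_RE.search(path)
        yield ts, ip, method, path, (s.group(1) if s else None)

def sessions_used_from_multiple_ips(text):
    """Map session id -> sorted source IPs for ids seen from more than one IP.
    Without cookie or address binding, a second address reusing a session is
    the observable trace of the impersonation the advisory describes."""
    seen = defaultdict(set)
    for _, ip, _, _, sid in parse_log(text):
        if sid is not None:
            seen[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}

def predictable_session_ids(text, max_gap=10):
    """True if all distinct numeric session ids lie within max_gap of the next
    one, i.e. they look like a counter rather than random tokens."""
    ids = sorted({int(sid) for *_, sid in parse_log(text) if sid is not None})
    return len(ids) > 1 and all(b - a <= max_gap for a, b in zip(ids, ids[1:]))

def requests_from_outside(text, local_net="10.0.0.0/8"):
    """List (timestamp, ip, path) for requests not from the assumed local net;
    any hit means the recommended network restriction is not in place."""
    net = ipaddress.ip_network(local_net)
    return [(ts, ip, p) for ts, ip, _, p, _ in parse_log(text)
            if ipaddress.ip_address(ip) not in net]
```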