ESC Data Controllers Vulnerabilities

Thursday, May 26, 2016 @ 05:05 PM gHale


Environmental Systems Corporation (ESC) released an advisory that identifies compensating controls for data controller vulnerabilities in its 8832 Data Controller in an effort to reduce risk of exploitation, according to a report on ICS-CERT.

Independent researcher Maxim Rupp identified the vulnerabilities, but ESC acknowledged that Balazs Makany had reported them on February 18, 2015.


ESC said the ESC 8832 Data Controller has no code space available for additional security patches, so a firmware update is not possible for these remotely exploitable vulnerabilities.

Detailed vulnerability information is publicly available and could facilitate the development of an exploit targeting these vulnerabilities.

ESC 8832 Version 3.02 and earlier versions suffer from the vulnerabilities.

Successful exploitation of these vulnerabilities may allow attackers to perform administrative operations over the network without authentication.

ESC is a U.S.-based company that maintains offices in Austin, Texas.

The affected products, ESC 8832 Data Controller Versions 3.02 and earlier, are web-based SCADA systems. The 8832 Data Controller is used in the energy sector. ESC estimates these products are deployed primarily in the United States.

Because sessions are implemented incorrectly, the authentication process can be bypassed, allowing unauthorized configuration changes to the device.

CVE-2016-4501 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, the device supports multiple accounts with differing system privileges. By brute forcing a parameter, an attacker can gain access to functions that are not displayed in the menu for that user.

CVE-2016-4502 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Because detailed vulnerability information is already public, an attacker with a low skill level would be able to exploit these vulnerabilities.

ESC’s recommendation for mitigation is to upgrade the device.

Alternatively, block port 80 (the HTTP port used by the web interface) with a firewall placed in front of the device. Another alternative is to educate operators and users not to use the web interface for device management, because other means of managing the device are available. A security advisory is available to ESC users on the ESC support web site (login required).