Thanks to a freshly discovered flaw in a popularly used IoT platform, we could be looking at hundreds of thousands of vulnerable Industrial IoT devices as well as Industrial Control Systems. The platform, developed by Germany-based 3S Smart Software solutions, was discovered to be vulnerable to hacker attacks by CyberX, an industrial cyber-security startup.
According to CyberX, any devices using CODESYS Web Server v2.3 and prior is vulnerable to attacks. This software, part of the CODESYS WebVisu visualisation software, is developed by 3S Smart Software Solutions. Industrial IoT devices and control systems are used to monitor and control highly critical industrial infrastructure used in environments like oil rigs, power plants, chemical factories and even overall systems like HVAC systems.
Attackers being able to take advantage of flaws in the software could use it to carry out a number of malicious tasks, like syphoning off sensitive data, create convenient backdoors to be used later and more. Even beyond that, hackers could be causing actual immediate damage by deploying ransomware on the systems, or worse, sabotaging the controls and causing safety incidents and infrastructure damage.
These are the two particular vulnerabilities that have been discovered –
- CVE-2017-6027: A particular web server request can allow random file upload without any authorization to the CODESYS Web Server, resulting in the possibility of remote code execution.
- CVE-2017-6025: On the platform, the stack buffer could be easily overflowed by passing an overly long string to XML handling functions, since there is no string size verification before copying to memory.
Last year’s Mirai Botnet attack used IoT devices to power itself, which explains by itself the implications a vulnerability like this could pose. While 3S Smart Software Solutions have released a patch that fixes the vulnerability, security analysts concur that it will take some time to update all devices running older versions of the platform. Another problem that plagues the IIoT segment is that manufacturers often consider the update process too complicated to carry out in certain environments and for devices older than a certain time period – leading to vulnerabilities lasting much longer.
Source: CyberX Labs