CERT Warns Companies About the “Unupgradeable” ESC 8832 SCADA System
ICS-CERT published last week an advisory, warning companies to protect their ICS/SCADA systems if they use the Environmental Systems Corporation (ESC) 8832 Data Controller in their network.
The ESC 8832 is a management system that sits between the PLCs (programmable logic controllers) and a company’s servers, complete with a Web-based administration panel that lets employees modify PLC input/output settings without having to perform this task manually or via other computer programs.
This equipment is regularly found in the energy sector, especially in the oil and gas field, where they help calibrate and switch gas solenoids and other ICS/SCADA equipment.
There’s no room to make firmware updates
ICS-CERT, based on the work of security researcher Maxim Rupp, is now alerting companies not to use this component anymore because of two security issues. The problem that ICS-CERT highlights is that the component doesn’t have enough memory space to install firmware updates.
The two vulnerabilities Rupp discovered also exacerbate this situation because of their gravity.
One issue allows an attacker to gain access to administrator functions just by brute-forcing a parameter in the administration panel’s URL. The second one is an authentication bypass that lets an attacker modify the device’s configuration. Only ESC 8832 version 3.02 and earlier are affected.
ICS-CERT says that both issues can be exploited via a network connection, putting a company’s equipment at risk, even if the attacker is in a remote location, and not on site.
Exploit code exists online, but the issues can be mitigated
To make matters worse, a proof-of-concept exploit is also available online, simplifying an attacker’s work.
For companies that deployed these devices, the good part is that there are some mitigations available. ICS-CERT, first and foremost, recommends that these devices not be put on networks with Internet access, and kept either on air-gapped networks or accessed VLANs, where access is granted only via a VPN.
Second, these devices should be placed behind a firewall, which optionally blocks connections via port 80, through which an attacker could exploit the aforementioned flaws.
Environmental Systems Corporation, the company that manufactured ECS 8832, has stopped producing this model, and LTS support is scheduled to run out on January 1, 2019. The simplest upgrade would be to invest in the newer ECS 8864 model.