Flaw in global energy facility software shows critical infrastructure risks

Critical infrastructure worries in the U.S. and abroad are far from over. This week, security firm Tenable published research demonstrating a vulnerability affecting two software programs used by global energy management company Schneider Electric. The company’s systems are in place in facilities across North America, Western Europe and Asia.

Before publishing its research, Tenable notified Schneider Electric, allowing the company to patch its software vulnerabilities in early April while issuing guidance for affected plants to update their systems.

“There’s no doubt the discovery of this severe vulnerability comes at a time when critical infrastructure security is top-of-mind for organizations and government agencies everywhere,” Tenable Chief Product Officer Dave Cole said in a statement. Cole noted that this vulnerability exists at the relatively new intersection of IT and operational technology.

Tenable describes the flaw, present in InduSoft Web Studio and InTouch Machine Edition, as a remote code execution vulnerability that becomes possible when an overflow condition is triggered in the software.

As Tenable explains, that loophole could allow malicious code to be executed, granting hackers high-level access in any facility running the affected software:

A threat actor could send a crafted packet to exploit the buffer overflow vulnerability using a tag, alarm, event, read or write action to execute code.

The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service, by default on TCP port 1234. The software implements a custom protocol that uses various ‘commands.’ This vulnerability is triggered through command 50, and is caused by the incorrect usage of a string conversion function.

The vulnerability, when exploited, could allow an unauthenticated malicious entity to remotely execute code with high privileges.
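The advisory above gives a defender two concrete facts: the service is unauthenticated and it listens on TCP 1234 by default. As an added example (not code from the article, Tenable or Schneider Electric), this Python checker flags TCP flows to that port on inventoried HMI hosts from any source that is not an approved engineering workstation; the host inventory, allowlist and tab-separated log format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List

IWS_PORT = 1234  # default IWS Runtime Data Server port per the advisory; confirm per site

# Hypothetical asset inventory (constructed): hosts running InduSoft Web Studio or
# InTouch Machine Edition, and the only clients allowed to reach the runtime port.
IWS_HOSTS = {"10.10.1.20", "10.10.1.21"}
ALLOWED_CLIENTS = {"10.10.5.5"}  # engineering workstation

@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def parse_conn_line(line: str) -> Flow:
    """Parse one tab-separated record: ts, src, sport, dst, dport, proto."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, src, sport, dst, dport, proto = fields
    return Flow(ts, src, int(sport), dst, int(dport), proto.lower())

def is_suspicious(flow: Flow) -> bool:
    # The service needs no authentication, so any unexpected TCP client reaching
    # the port is worth an alert, not only sources outside the plant network.
    return (flow.proto == "tcp" and flow.dport == IWS_PORT
            and flow.dst in IWS_HOSTS and flow.src not in ALLOWED_CLIENTS)

def find_suspicious(lines: Iterable[str]) -> List[Flow]:
    return [f for f in map(parse_conn_line, lines) if is_suspicious(f)]

# Constructed sample log; not captured from a real facility.
SAMPLE_LOG = [
    "1525000001.1\t10.10.5.5\t50001\t10.10.1.20\t1234\ttcp",   # approved workstation
    "1525000002.2\t192.0.2.44\t40123\t10.10.1.20\t1234\ttcp",  # external source
    "1525000003.3\t10.10.7.9\t40124\t10.10.1.21\t1234\ttcp",   # internal, unapproved
    "1525000004.4\t10.10.7.9\t40125\t10.10.1.21\t1234\tudp",   # not TCP, ignored
    "1525000005.5\t10.10.7.9\t40126\t10.10.9.9\t1234\ttcp",    # not an IWS host
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {f.ts}: {f.src} -> {f.dst}:{f.dport}")
```

Sites that have moved the runtime port off its default should change `IWS_PORT` to match, since otherwise the check silently misses the real listener.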

Critical infrastructure attacks are on the rise, and the results can be devastating. And while compromising a nuclear facility or power grid can result in exceptional consequences, the attacks generally follow the same rulebook that hackers use to compromise other, less high-consequence systems.

“It’s important to keep in mind that attackers are generally after one thing — access. Once they obtain it, their primary goal is typically to make sure long-term access can be maintained,” Ben Johnson, CTO and co-founder of Obsidian Security told TechCrunch.

“… If they compromise devices associated with critical infrastructure, they will find themselves with all kinds of leverage. So any flaw that makes obtaining access easier is a serious concern.”