Users should install the latest version of APROL R industrial process automation systems made by B&R Automation to mitigate multiple vulnerabilities in 12 components of the system.
This system is used in the oil and gas industry, energy, mechanical engineering, and other industries, said researchers from Positive Technologies ICS Security and Application Analysis departments, who found the vulnerabilities.
The most dangerous are five vulnerabilities, which could allow remote attackers to run arbitrary code in the APROL system. Because vulnerable components are used in many types of industrial process automation systems, the possible effects of an attack exploiting the vulnerabilities depend on the system being exploited, but can include scenarios such as oil leaks and electricity outages, the researchers said in a post.
In one vulnerability, there were several memory access issues in the TbaseServer tbat have been fixed to reduce vulnerability to attacks. Additional pointer checks were also implemented.
In addition, a PHP script was vulnerable to SQL injections, allowing the user to “smuggle in” arbitrary SQL commands. This vulnerability was removed.
Also, some web scripts allowed execution of arbitrary unwanted commands on the web server. This possibility was removed in all scripts.
In another issue, the AprolLoader could be used to execute arbitrary unwanted commands via special attack scenario. This possibility was removed.
In addition, the following security holes have been closed in the AprolSqlServer:
1. Ability to execute arbitrary commands
2. Access to directories outside the working directory
3. Bypassing authentication
Also, the following security hole was closed in the SimbaEngine SDK used in the AprolSqlServer: Insufficient authentication options and memory leaks
“The ability to run arbitrary code in the operating system of ICS components would allow attackers to disrupt technological process. For instance, an attacker could send unauthorized commands controlling the equipment and change configuration settings, including program algorithms. These changes can cause abnormal operation modes or even an incident in production”, said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies.
Users of vulnerable versions need to install the latest version of APROL R.
In 2018 the number of new vulnerabilities found in equipment of various manufacturers of industrial automation systems grew by 30 percent, according to Positive Technologies data. So did the number of ICS components available on the Internet, which grew by 27 percent.