The U.S. Computer Response Readiness Team—a part of the Department of Homeland Security—has issued a bulletin (PDF) warning of software vulnerabilities in two software applications widely used in China to help control public utilities, chemical and manufacturing plans, and even weapons systems. The vulnerabilities are classic heap-based buffer overflow errors, the same type of exploit that has been repeatedly leveraged by malware authors for Windows and other operating systems.
If exploited successfully, the flaws could enable attackers to execute arbitrary programming on the systems, or perform a remote denial of service attack. Successful attacks could be highly destructive, shutting down plants and utilities or potentially creating dangerous conditions in chemical or manufacturing facilities that could lead to much larger problems. Exploitation of the problems in weapons systems could be potentially disastrous.
The U.S.’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says it has coordinated with NSS Labs researcher Dillon Beresford (who uncovered the problems), as well as Sunway and the China National Vulnerability Database, and patches are available now that address both problems. However, it could take months for industries and operations to install the patches, leaving a potential window of vulnerability where the bugs could be exploited. There are currently no known exploits in the wild.
Sunway applications are mainly used in China, but are also utilized in parts of Asia, Africa, Europe, and the Americas, according to the advisory.
In an era when cyberattacks against corporations and infrastructure are increasingly common, the vulnerabilities highlight the potential risk of Internet based attacks against infrastructure systems. The Sunway software in question is used in supervisory control and data acquisition (SCADA), SCADA systems often control critical infrastructure and manufacturing processes, but were often developed before the Internet became widely available and, in many cases, were never intended to be part of network systems. Although companies have increasingly built Internet-enabled interfaces to SCADA systems, the systems themselves often have never undergone significant security audits.
Last year, the sophisticated Stuxnet worm targeted Siemens WinCC industrial control software in an apparent attempt to hamstring Iran’s uranium enrichment efforts, demonstrating how industrial systems can be vulnerable to Internet-based attacks.