Skip to main content

DHS warns of Chinese infrastructure software vulnerabilities

China Qinshan Nuclear Plant II (under construction)
Image used with permission by copyright holder

The U.S. Computer Response Readiness Team—a part of the Department of Homeland Security—has issued a bulletin (PDF) warning of software vulnerabilities in two software applications widely used in China to help control public utilities, chemical and manufacturing plans, and even weapons systems. The vulnerabilities are classic heap-based buffer overflow errors, the same type of exploit that has been repeatedly leveraged by malware authors for Windows and other operating systems.

If exploited successfully, the flaws could enable attackers to execute arbitrary programming on the systems, or perform a remote denial of service attack. Successful attacks could be highly destructive, shutting down plants and utilities or potentially creating dangerous conditions in chemical or manufacturing facilities that could lead to much larger problems. Exploitation of the problems in weapons systems could be potentially disastrous.

Recommended Videos

The U.S.’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says it has coordinated with NSS Labs researcher Dillon Beresford (who uncovered the problems), as well as Sunway and the China National Vulnerability Database, and patches are available now that address both problems. However, it could take months for industries and operations to install the patches, leaving a potential window of vulnerability where the bugs could be exploited. There are currently no known exploits in the wild.

Sunway applications are mainly used in China, but are also utilized in parts of Asia, Africa, Europe, and the Americas, according to the advisory.

In an era when cyberattacks against corporations and infrastructure are increasingly common, the vulnerabilities highlight the potential risk of Internet based attacks against infrastructure systems. The Sunway software in question is used in supervisory control and data acquisition (SCADA), SCADA systems often control critical infrastructure and manufacturing processes, but were often developed before the Internet became widely available and, in many cases, were never intended to be part of network systems. Although companies have increasingly built Internet-enabled interfaces to SCADA systems, the systems themselves often have never undergone significant security audits.

Last year, the sophisticated Stuxnet worm targeted Siemens WinCC industrial control software in an apparent attempt to hamstring Iran’s uranium enrichment efforts, demonstrating how industrial systems can be vulnerable to Internet-based attacks.

Geoff Duncan
Former Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Topics
The robot takeover comes another step closer — at Amazon
An Amazon robot working inside one of the company's warehouses.

Amazon is close to having more robots operating inside its warehouses than humans after the e-commerce giant announced this week that it now has more than a million robots working at its facilities around the world.

Over the years, Amazon has spent billions of dollars on the development and deployment of warehouse-based robots, which handle an array of tasks once performed by human workers.

Read more
This Lenovo ThinkPad laptop is over $1,400 off — hurry while stocks last!
The Lenovo ThinkPad T14 Gen 5 Intel laptop on a white background.

Now's an excellent time to take advantage of laptop deals from Lenovo, which has slashed the prices of a wide range of devices for its Black Friday in July sale. Lenovo's ThinkPad laptops are up to 45% off, and here's one of the most interesting offers available with such a discount — the Lenovo ThinkPad T14 Gen 5 at $1,440 off its estimated value of $3,199, so you'll only have to pay $1,759. That's an excellent price for this fantastic productivity tool, but you're going to have to push forward with your purchase as soon as possible because stocks may run out at any moment.

BUY NOW

Read more
Early Prime Day deal: Samsung’s 27-inch Odyssey G3 at its annual low price
Samsung Odyssey G3 gaming monitor on desk with keyboard and headset.

If you're ready to upgrade your monitor, this Samsung deal over at Amazon just might be your best bet. The 27-inch version of Samsung's Odyssey G3 is $130 right now, a full $100 off its regular $230 price and its lowest price of the year. It's a part of early Prime Day deals and a good sampling of what we can expect for the shopping holiday, which officially lands on July 8th. Tap the button below to see it for yourself or keep reading to see why we like this deal and why this should be your next monitor.

Buy Now

Read more