The U.S. CERT has issued a security advisory firms using industrial control systems software from the Chinese firm Sunway in the U.S. after a researcher discovered remotely exploitable holes that could be used to knock out or take control systems running the company’s software. The ICS-CERT, the Computer Emergency Readiness Team for the industrial control sector, issued an advisory on June 14 after heap overflow vulnerabilities were discovered in Sunway’s Force Control and pNetPower products by NSS Labs researcher Dillon Beresford.
Sunway patched both holes and released software updates for affected systems.
Beresford has been on a crusade in recent months to call attention to the lax state of application security in the industrial control and critical infrastructure sectors. Recently, ICS CERT issued an advisory covering holes he had discovered in Siemens Step 7 (S7) controllers. Despite the aspiring super power’s formidable cyber offensive capabilities, China’s infrastructure is extremely vulnerable to cyber attack, Beresford has argued, citing his own research into critical infrastructure deployments within China.
The holes – both heap-based buffer overflows – affect Web server components for the Force Control Version 6.1 and pNetPower Version 6 products. Both products are used in China and in Europe and the Americas, where they control critical infrastructure, such as networks of pipelines used in the petroleum and petrochemical fields, as well as in defense, transportation and the energy sector. According to the ICS-CERT bulletin, the vulnerabilities discovered by Beresford could be used by a remote attacker to perform a denial of service attack on systems running the software – essentially knocking it off line. They could also be used to run malicious code against the ForceControl and pNetPower server applications.
Heap overflows are a kind of buffer overflow that affect computer memory that is dynamically allocated by software applications when they run. When heap vulnerabilities exist, attackers are able to corrupt the heap data in ways that change the way the application runs, such as overwriting internal pointers used by the application to force it to execute malicious code, or corrupting application data in a way that will cause the application to crash.
ICS-CERT advised Sunway customers to evaluate the impact of the vulnerability based on their environment, architecture and implementations before apply the patch.