Industrial control software (ICS) from Fuji Electric is vulnerable to several high-severity arbitrary code-execution security bugs, according to a federal warning. Authorities are warning the flaws could allow physical attacks on factory and critical-infrastructure equipment.
Fuji Electric’s Tellus Lite V-Simulator and V-Server Lite are both affected by the vulnerabilities, which all carry a CVSS severity rating of 7.8. The two make up a comprehensive human-machine interface (HMI) system, used to remotely monitor and collect production data in real time, and control a variety of industrial and critical-infrastructure gear. It can be used to interface with various manufacturers’ programmable logic controllers (PLCs), temperature controllers, inverters and so on.
“Successful exploitation of these vulnerabilities could allow an attacker to execute code under the privileges of the application,” CISA explained.
The security bugs require “low skill level to exploit,” according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) this week. They’re not exploitable remotely, so non-local attackers would have to gain initial access to the user’s computer before carrying out any malicious activities. However, Saryu Nayyar, CEO at Gurucul, told Threatpost that this is not too large of a hurdle.
“The most likely attack vector is through compromising a user’s desktop through any of a myriad of common methods, or otherwise gaining access to the environment and access to the affected platforms,” she said. “A malicious actor would then upload a file to the system which would take advantage of the exploit and enable them to compromise the server.”
Real-World Attack Scenarios
While best practice in industrial environments is to keep the physical equipment operating in an isolated environment (the operational technology or OT environment), increasingly platforms like the Tellus Lite V-Simulator and V-Server Lite connect IT resources to that formerly isolated footprint. That in turn opens up ICS to potentially physical attacks.
“One of the biggest challenges facing ICS and SCADA systems is that they are no longer on isolated networks – they are basically connected to the internet, although typically ‘firewalled’ off, explained Christian Espinosa, managing director at Cerberus Sentinel, speaking to Threatpost. “This greatly increases risk associated with a vulnerability.”
Nayyar said that in this case, the worst-case scenario would be an attacker executing a file that could cause extensive damage to manufacturing equipment on the line. But, “a more likely scenario is production slowdowns and the loss of valuable data about what is happening on the production lines,” she said.
The vulnerabilities could accomplish a couple of other primary objectives, according to Espinosa.
“Attackers could alter the data displayed on the HMI monitoring systems, so the humans monitoring the systems would be blind to an attack on the remote equipment,” he explained. He used the analogy of putting a loop in a camera feed that is monitored by a security guard, so that a criminal can carry out an intrusion without the guard noticing.
“Or, they could create a stimulus on the monitoring display designed to drive a prescriptive response,” he added, noting that this is akin to setting off fire alarms, causing the person monitoring the system to turn on sprinklers to extinguish the fire, while destroying equipment.
“Stuxnet actually took advantage of a similar vulnerability,” he said. “One of the exploits in Stuxnet was designed to make everything look okay on the HMI, so the operator would not be alerted to the fact that the centrifuges were spinning at an extremely high rate, causing them to break.”
Specific Fuji Electric Vulnerabilities
Five different kinds of security vulnerabilities exist in vulnerable versions of the Fuji Electric Tellus Lite V-Simulator and V-Server Lite. In all cases they were identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution.
The bugs are:
- Multiple stack-based buffer overflow issues, collectively tracked as CVE-2021-22637;
- Multiple out-of-bounds read issues, collectively tracked as CVE-2021-22655;
- Multiple out-of-bounds write issues, collectively tracked as CVE-2021-22653;
- An uninitialized-pointer issue has been identified (CVE-2021-22639);
- And a heap-based buffer overflow issue also exists (CVE-2021-22641).
The platform is vulnerable in versions prior to v4.0.10.0. CISA said that so far, no known public exploits specifically target these vulnerabilities, but administrators should apply a patch as soon as possible.
“This attack is a specific exploit against a specific platform, and patches already exist – which is the first step in mitigating the attack,” Nayyar said. “In a more general sense, keeping systems patched is always a best practice. Manufacturing equipment should be operated in as isolated an environment as practical, in order to reduce exposure; and, control systems need to be protected with policy, process and technical cybersecurity safeguards that reduce the risk of unauthorized access.”
Kimiya, Khangkito – Tran Van Khang of VinCSS and an anonymous researcher, working with Trend Micro’s Zero Day Initiative, were credited with reporting the vulnerabilities to CISA.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!