Warning over 12 new security flaws found in industrial control systems

ICS flaws highlighted by Tenable come a decade after the Stuxnet worm targeted an Iranian uranium enrichment plant

Researchers have discovered 12 new vulnerabilities that could enable remote attackers to take control of critical infrastructure systems.

That's according to security firm Tenable, which has published a scathing report exploring security shortfalls in four major industrial control systems.

Tenable said that vendors of SCADA (Supervisory Control and Data Acquisition) systems "still have gaping holes in their PLC and HMI development environments" a decade after the Stuxnet worm targeted an Iranian uranium enrichment plant.

The firm claims that the vulnerabilities, discovered in the past 12 months, "indicate a lack of security standards in modern SCADA software" and create "a great opportunity for future attackers and the next high-profile attack on an industrial control system".

In a blog post, Tenable reverse engineer Joseph Bingham said: "The attack scenario cannot be understated as critical systems such as power, water, transportation, and manufacturing all rely on major PLC vendors."

"Over a period of a little more than nine months, Tenable Research found a dozen critical vulnerabilities in soft and hard ICS targets from four different vendors. The targeted vendors build OT solutions that rank among the most prevalent solutions in industries across the board."

Two vulnerabilities were found in the Fuji Electric V-Server, allowing a craft packet to be installed that causes "an out of bounds read which will crash the application server".

The vulnerabilities are:

• [Medium] CVE-2019-3946 An attacker with access to the filesystem to recover database credentials.
• [Medium] CVE-2019-3947 An unauthenticated attacker can crash the V-Server process causing a denial of service.

The researchers also found six vulnerabilities affecting several parts of Schneider Electric's InduSoft Web Studio, which include stack buffer overflows and command execution vulnerabilities.

The vulnerabilities are:

• [Critical] CVE-2018-8840 A remote unauthenticated attacker can execute arbitrary code.
• [Critical] CVE-2018-10620 A remote unauthenticated attacker can execute arbitrary code.
• [Critical] CVE-2018-17914 A remote unauthenticated attacker can execute arbitrary code.
• [Critical] CVE-2018-17916 A remote unauthenticated attacker can execute arbitrary code.
• [Critical] CVE-2019-6545 A remote unauthenticated attacker can execute an arbitrary process.
• [Critical] CVE-2019-6543 A remote unauthenticated attacker can execute an arbitrary process.

Meanwhile, Schneider Electric's Modicon Quantum PLC has been infected by five vulnerabilities in its ethernet modules, letting attackers change user passwords after accessing an exposed URL.

The vulnerabilities are:

• [Critical] CVE-2018-7811 A remote unauthenticated attacker can gain administrator access by changing any user's password.
• [Critical] CVE-2018-7809 A remote unauthenticated attacker can gain access to the web interface by resetting the credentials to the default state.
• [Medium] CVE-2018-7810,7830,7831

And three vulnerabilities were discovered in RSLinx Classic, including a stack overflow and several memory corruption threats.

The vulnerabilities are:

• [Critical] CVE-2019-6553 A remote unauthenticated attacker can execute arbitrary code.
• [Critical] CVE-2018-14821 A remote unauthenticated attacker can execute arbitrary code.
• [Critical] CVE-2018-14829 A remote unauthenticated attacker can execute arbitrary code.

In addition to Stuxnet, more recently it was claimed that a Saudi Arabian oil refinery had been targeted with malware that, if successful, could have triggered a large explosion.