Experts from Positive Technologies ICS Security and Application Analysis departments found multiple vulnerabilities in 12 components of APROL industrial process automation systems made by B&R Automation (Austria)¹. This system is used in the oil and gas industry, energy, mechanical engineering, and other industries.
The most dangerous are five vulnerabilities (listed as 5, 7, 8, 10, and 11 in the manufacturer's notice) that allow remote attackers to run arbitrary code in the APROL system. Because the vulnerable components are used in many types of industrial process automation systems, the possible effects of an attack exploiting the vulnerabilities depend on the system being exploited, but can include scenarios such as oil leaks and electricity outages.
"The ability to run arbitrary code in the operating system of ICS components would allow attackers to disrupt the technological process. For instance, an attacker could send unauthorized commands controlling the equipment and change configuration settings, including program algorithms. These changes can cause abnormal operation modes or even an incident in production," says Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies.
The identified vulnerabilities included memory access errors in the TbaseServer component, errors in the AprolLoader and AprolSqlServer components, and SQL injection in the EnMon energy consumption monitoring and recording system, with the possibility of injecting arbitrary commands in the web server.
Users of vulnerable versions need to install the latest version of APROL R.
According to Positive Technologies data, in 2018 the number of new vulnerabilities found in equipment from various manufacturers of industrial automation systems continued to grow (up 30 percent). So did the number of ICS components available on the Internet (up 27 percent).
¹Part of ABB Group.