
14 flaws found that could take over industrial control systems

Several serious flaws have been discovered in licence management software used in industrial control systems. The vulnerabilities could allow an attacker to remotely take control of such systems or carry out denial of service (DoS) attacks.

According to security researchers at Kaspersky Lab, 14 flaws have been discovered in Gemalto's SafeNet Sentinel. The product is used in many industrial and mission-critical IT systems around the world. The vulnerabilities potentially give intruders remote access and allow them to hide their presence.

Researchers were looking at the security of such control systems and came across the Hardware Against Software Piracy (HASP) licence management system, which is part of SafeNet Sentinel and is responsible for enforcing the licensing restrictions on the use of the protected software.

The solution's software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software licence is required.

In a blog post, the researchers describe how they gained remote access to the product by communicating with it over network port 1947, which the licence manager leaves open. As a result, it was possible to remotely execute arbitrary code as a privileged user on a device hosting a critical component of the industrial control system (ICS).

In total, the researchers found 14 flaws in the product, all of which have since been fixed by the developer. They include several remote code execution and denial of service vulnerabilities. Successful exploitation yields the most privileged system rights, allowing attackers to execute any code they want.

According to the researchers, the open port 1947 appears to be an undocumented feature that can be used for remote access.

"This appears to be an undocumented feature and can be used for stealthy remote access. This means that remote attackers can use these capabilities to gain access to the administrative panel of the Gemalto software, carry out attacks with system user privileges and conceal their presence after completing these attacks," said researchers.

The researchers added that Gemalto had notified all of its customers of the need to update the driver via their account dashboards. "However, this was apparently not sufficient: after we published information about the vulnerabilities identified, we were contacted by several developers of software which uses hasplms. It became clear from our communication with them that they were not aware of the problem and continued to use versions of the product with multiple vulnerabilities," researchers said.

Researchers urged users and companies that use Gemalto's SafeNet Sentinel to install the latest (secure) version of the driver as soon as possible or contact Gemalto for instructions on updating the driver.

"We also recommend closing port 1947, at least on the external firewall (on the network perimeter) – but only as long as this does not interfere with business processes," researchers added.
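The two recommendations above, updating the driver and restricting port 1947, are the ones a practitioner has to act on. The following shell script is an added example written for this page; it is not code from Kaspersky, Gemalto or SC Media. It checks `ss -ltn` style output for a listener on TCP 1947 bound to a non-loopback address (the condition under which the licence manager is reachable from the network) and prints iptables rules that allow that port only from a chosen network. The sample `ss` output and the 10.0.5.0/24 "engineering VLAN" address are constructed for the example; the real values come from the host being checked.

```shell
#!/bin/sh
# Added example (not from the original article): detect whether the Sentinel
# licence manager (hasplms) port, TCP 1947, is exposed beyond loopback, and
# emit firewall rules that limit who may reach it.

# Constructed sample of `ss -H -ltn` output; not captured from a real host.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 0.0.0.0:1947 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# exposed_1947 <ss output>
# Prints every local address that has TCP 1947 in LISTEN state and is not a
# loopback address. Exit status 0 if at least one such listener exists, else 1.
exposed_1947() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # local address is everything before the final ":<port>"
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "1947" && host != "127.0.0.1" && host != "[::1]") {
                print host
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# firewall_rules <allowed CIDR>
# Prints iptables rules that accept TCP 1947 only from the given network and
# drop everything else. Run them only after confirming no other host needs
# this machine as its licence server, as the researchers caution.
firewall_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport 1947 -s $1 -j ACCEPT
iptables -A INPUT -p tcp --dport 1947 -j DROP
EOF
}

# Stand-alone run: on a real host replace SAMPLE_SS with "$(ss -H -ltn)".
if exposed_1947 "$SAMPLE_SS"; then
    echo "TCP 1947 is reachable from the network; suggested rules:"
    firewall_rules 10.0.5.0/24    # assumed engineering/ICS VLAN
fi
```

If the host is itself the network licence server for other machines, the DROP rule will break licence checks on those clients, which is exactly the business-process caveat in the quote above; in that case scope the ACCEPT rule to the client subnets rather than removing it.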

A spokesman for Gemalto told SC Media UK that based on the feedback from Kaspersky, "we are evaluating our current customer communication mechanisms to enhance the efficacy of future security bulletins to ensure our customers receive the updates in a timely manner. Gemalto takes the security of our products and the protection of our customers and their software very seriously, and we are committed to continuing to provide our customers with the most secure and advanced solutions to meet their needs in an ever changing dynamic market."

Moreno Carullo, co-founder and CTO of Nozomi Networks, told SC Media UK that USB drivers have been a significant attack vector for several years with Stuxnet as the most notable example. "Operators should consistently employ all necessary precautions when allowing an external driver into an Industrial Control System (ICS), even if the source is well known. Malicious USBs could be used for disrupting the normal process operation (DOS) or for stealing credentials (NTLM relay attack). While blocking port 1947 is an option to mitigate the problem, it is also not a solution that is suited for all business processes," he said.

Stuart Facey, VP EMEA at Bomgar, told SC Media UK that legacy Industrial Control Systems can be more than 10 to 15 years old and are often not compatible with more state-of-the-art security systems. 

"Even so, the rise of internet enabled control systems and solutions has demanded forms of remote access for repairs, and has necessitated instant communication between the operations and security teams, as well as the support advisors themselves. Today, machinery can be monitored and accessed through mobile phone apps, and often service centres receive automated alerts from the machinery itself as a warning or in the case of a fault – these technological advances are transforming processes all round," he said.
