Easy remote exploit drops for unpatchable power plant controller
The fix? Kill features or replace
Unpatchable vulnerabilities have been disclosed in an industrial control system, of the kind used in power plants, that remote attackers can exploit to gain control of networks.
Exploitation code has been released prompting the US Computer Emergency Response Team to release the warning.
Independent researcher Maxim Rupp reported the flaw (CVE-2016-4502) in the Environmental Systems Corporation 8832 data controller for versions 3.02 and older.
It's a high-severity vuln that lets attackers change the system configuration.
"ESC has stated the ESC 8832 Data Controller has no available code space to make any additional security patches so a firmware update is not possible," the US Computer Emergency Response Team says in a notice.
"These vulnerabilities could be exploited remotely.
"An attacker with a low skill would be able to exploit these vulnerabilities."
Affected companies will need to buy new devices, or implement feature restrictions to eliminate exposure.
Admins are advised to block port 80, stop using the web interface for device management, and use alternatives. ®