A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure.
Researchers at security firm Tenable found the flaw in popular Schneider Electric software used across the manufacturing and power industries. If exploited, it could have allowed a skilled attacker to compromise systems on the plant network.
It's the latest vulnerability that puts the core of a major plant's operations at risk, at a time when these systems have become a growing target. The report follows a recent warning from the FBI and Homeland Security about Russian hackers targeting critical infrastructure.
The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems.
But Tenable found that a bug in that central software could leave an entire plant exposed.
An attacker can, without needing a password, send a malicious data packet designed to force a stack-based buffer overflow. The oversized data overruns a fixed-size buffer on the stack and overwrites the memory beside it, including the function's saved return address, which lets the attacker execute arbitrary code on a vulnerable system.
That can lead to a "full compromise" of the affected server, said Tom Parsons, head of Tenable Research, in an email to ZDNet.
He explained that the stack-based buffer overflow attack can be leveraged in several malicious ways. First, an attacker can use the vulnerability to trigger a denial-of-service event by crashing the software, locking out remote administrators from their central operations. The bug can also be used to gain a foothold further into the network -- as well as other industrial devices -- or even send instructions to some physical control systems in the plant or unit.
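The mechanism Parsons describes, as an added example that is not code from the article, Tenable or Schneider Electric: a packet handler that sizes its copy by a length field the attacker controls, beside the bounded version a patch would install. The wire format (a 2-byte big-endian length followed by the payload), the 64-byte buffer, the function names and the emulated frame layout are all assumptions made for illustration; the page does not describe the real InduSoft protocol or code. The stack frame is emulated with a struct so the program stays well-defined while still showing the overrun reaching the return-address slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed (hypothetical) wire format: a 2-byte big-endian length field,
 * followed by that many payload bytes. Not the real InduSoft protocol. */
#define FIELD_MAX 64        /* size of the handler's fixed local buffer */
#define PKT_MAX   (2 + 255) /* enough room for every packet built below */

/* Emulated stack frame. The local buffer is immediately followed by the slot
 * holding the caller's return address, as on a real x86-64 stack, so bytes
 * written past the end of buf land on the return address. */
struct frame {
    char     buf[FIELD_MAX];
    uint64_t saved_ret;
};

#define RET_INTACT 0x1111111111111111ULL  /* sentinel: return address untouched */

enum result { PKT_REJECTED = -1, PKT_OK = 0, PKT_RET_CORRUPTED = 1 };

static size_t declared_len(const unsigned char *pkt)
{
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/* Vulnerable handler: sizes the copy by the attacker-supplied length field.
 * *ret_after receives whatever the return-address slot holds afterwards. */
static enum result handle_packet_unsafe(const unsigned char *pkt, size_t pkt_len,
                                        uint64_t *ret_after)
{
    struct frame f;
    size_t len;

    memset(&f, 0, sizeof f);
    f.saved_ret = RET_INTACT;
    if (pkt_len < 2) return PKT_REJECTED;
    len = declared_len(pkt);
    if (2 + len > pkt_len) return PKT_REJECTED;   /* truncated packet */
    /* Demo-only guard keeping the overrun inside the emulated frame so the
     * program stays well-defined. The real bug has no such limit. */
    if (len > sizeof f - offsetof(struct frame, buf)) return PKT_REJECTED;

    /* THE BUG: len is never compared against FIELD_MAX. Writing through a
     * byte pointer into the frame object lets the copy overrun buf into
     * saved_ret, which is what an oversized field does on the real stack. */
    memcpy((unsigned char *)&f + offsetof(struct frame, buf), pkt + 2, len);

    *ret_after = f.saved_ret;
    return f.saved_ret == RET_INTACT ? PKT_OK : PKT_RET_CORRUPTED;
}

/* Hardened handler: bounds the copy by the buffer's size, not by the header. */
static enum result handle_packet_safe(const unsigned char *pkt, size_t pkt_len,
                                      uint64_t *ret_after)
{
    struct frame f;
    size_t len;

    memset(&f, 0, sizeof f);
    f.saved_ret = RET_INTACT;
    if (pkt_len < 2) return PKT_REJECTED;
    len = declared_len(pkt);
    if (2 + len > pkt_len || len > FIELD_MAX) return PKT_REJECTED;  /* the fix */
    memcpy(f.buf, pkt + 2, len);
    *ret_after = f.saved_ret;
    return PKT_OK;
}

/* Constructed packets for the demo (not captured traffic); each returns the
 * packet's total length. */
static size_t benign_packet(unsigned char *out)
{
    out[0] = 0; out[1] = 16;                 /* 16-byte field, fits in buf */
    memset(out + 2, 'A', 16);
    return 2 + 16;
}

static size_t overflow_packet(unsigned char *out)
{
    size_t payload = FIELD_MAX + sizeof(uint64_t);       /* 72 bytes: fills buf, then the return slot */
    out[0] = 0; out[1] = (unsigned char)payload;
    memset(out + 2, 'A', FIELD_MAX);                     /* filler up to the end of buf */
    memset(out + 2 + FIELD_MAX, 0x42, sizeof(uint64_t)); /* attacker-chosen "return address" */
    return 2 + payload;
}

int main(void)
{
    unsigned char pkt[PKT_MAX];
    uint64_t ret = 0;
    size_t n;
    int r;

    n = benign_packet(pkt);
    r = handle_packet_unsafe(pkt, n, &ret);
    printf("benign:   unsafe=%d, return slot 0x%016llx\n", r, (unsigned long long)ret);
    printf("benign:   safe=%d\n", handle_packet_safe(pkt, n, &ret));

    n = overflow_packet(pkt);
    r = handle_packet_unsafe(pkt, n, &ret);
    printf("overflow: unsafe=%d, return slot now 0x%016llx\n", r, (unsigned long long)ret);
    printf("overflow: safe=%d (rejected before copying)\n", handle_packet_safe(pkt, n, &ret));
    return 0;
}
```

The value that lands in the return slot is what separates the two outcomes Parsons lists: filler bytes such as the 'A's would send the CPU to a nonsensical address and crash the service (the denial-of-service case, which is all the published proof of concept triggers), while attacker-chosen bytes, stood in for here by the 0x42s, redirect execution to code of the attacker's choosing. The hardened handler never reaches the copy with a bad length, so the slot stays untouched no matter what the header claims.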
Parsons said the attack method was relatively easy, requiring just a shell and an internet connection.
"If the affected devices and services are accessible via the internet, that's all it takes to compromise them," he said. "The attacker doesn't need physical access to the plant or device."
But he said it's rare to see an affected server directly connected to the internet.
The proof-of-concept exploit published Wednesday will only trigger a system shutdown, said Parsons, though an attacker could use the vulnerability to potentially remotely run malicious code.
The researchers rate the vulnerability 9.8 on the 10-point CVSS scale. That rating reflects the bug's intrinsic properties: it is reachable over the network, needs no authentication or user interaction, and gives an attacker full control of the affected host. Whether or not an exploit is public does not change a CVSS base score; it only feeds the separate temporal rating.
There's good news for system administrators tasked with patching the flaw.
From the time Tenable reported the bug, it took Schneider Electric about two months to patch it. The company released a security advisory warning of the bug in mid-April and advised users to update their software.
"Patching should be fairly simple," said Parsons.
"The vulnerability is not present on any [connected industrial] devices, but instead on the middleware used to monitor and manage them," he said. "If the patch installs correctly, this will lead to minimal downtime for remote management and monitoring."