Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA (supervisory control and data acquisition) software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing, the agency said.
Sunway’s products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency’s advisory.
The problems could cause a denial of service issue or remote code exploitation in Sunway’s ForceControl 6.1 WebServer and its pNetPower AngelServer products. Both issues were found by Dillon Beresford, who works for the security testing company NSS Labs.
Sunway issued patches for the vulnerabilities on May 20 and thanked Beresford for his research in an advisory. ICS-CERT said there are no known exploits for the vulnerabilities, but computer security experts generally recommend patching software as soon as possible.
ICS-CERT added that its unlikely someone could create consistent exploit code for the two vulnerabilities, and that an attacker would need to have “intermediate” skills to exploit the problems.
SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems.
Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens’ WinCC industrial control software. Stuxnet is widely believed to have been created with the intention of disrupting Iran’s uranium enrichment program.
Send news tips and comments to jeremy_kirk@idg.com