ICS security: Popular building management system vulnerable to takeover

Security researchers found a remotely exploitable critical vulnerability in a building management system used by businesses, hospitals, factories and other organizations to control things like ventilation, temperature, humidity, air pressure, lighting, secure doors and more. The vendor has released a firmware update, but hundreds of these systems are still exposed on the internet, highlighting the risks of remote management for ICS devices.

The vulnerability, tracked as CVE-2019-9569, was discovered by researchers from security firm McAfee and affects enteliBUS Manager (eBMGR), a control system that can be used to manage different I/O switches connected to things like sensors, alarms, motors, locks, valves and other industrial equipment. The system can also serve as a router for linking multiple Building Automation Control Network (BACnet) segments.

The eBMGR is made by a company called Delta Controls that’s headquartered in British Columbia, Canada, but which has offices and sells its products around the world. The discovered issue is a buffer overflow vulnerability located in the BACnet stack that results in remote code execution when exploited successfully. Attackers can trigger it by sending maliciously crafted packets to a vulnerable device; no authentication or user interaction is required.

To demonstrate the attack, the McAfee researchers created an exploit that deploys a malware program on the device, giving attackers remote control over it. While they don’t plan to release exploit code at this time, the researchers presented their findings at the DEF CON security conference in Las Vegas.

“Consider for a moment a positive pressure room in a hospital, the kind typically used to keep out contaminants during surgeries,” McAfee security researcher Mark Bereza said in a blog post. “Managing rooms such as these is a typical application for the eBMGR and it does not take an overactive imagination to envision what kind of damage a bad actor could cause if they disrupted such a sensitive environment.”

Steve Povolny, the head of Advanced Threat Research at McAfee, tells CSO that since BACnet is a UDP-based protocol, the vulnerability can easily be exploited by broadcasting messages to the entire network. He added that devices can be attacked over the internet and that it’s not unusual for such control systems to be exposed for remote management.
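As an added defender-side illustration (not from the article or from McAfee's research), the routine below parses the BVLC header of UDP datagrams sent to the BACnet/IP port and flags traffic, in particular broadcast NPDUs, that arrives from outside an assumed trusted management network, plus datagrams whose declared BVLC length disagrees with their actual size. The trusted network range and the sample datagrams are constructed for the example.

```python
import ipaddress
import struct

BACNET_IP_PORT = 47808  # 0xBAC0, the default BACnet/IP UDP port
BVLC_TYPE = 0x81        # first byte of every BACnet/IP datagram
# BVLC function codes used below (BACnet/IP Annex J)
BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
# Assumed management network allowed to speak BACnet/IP (constructed, not from the article)
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_bvlc(payload: bytes):
    """Return (function_name, declared_length), or None if not BACnet/IP framing."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        return None
    func, declared_len = struct.unpack("!BH", payload[1:4])
    return BVLC_FUNCTIONS.get(func, f"unknown-0x{func:02x}"), declared_len


def assess_datagram(src_ip: str, dst_port: int, payload: bytes):
    """Return a list of findings for one UDP datagram (empty list = nothing to flag)."""
    if dst_port != BACNET_IP_PORT:
        return []
    parsed = parse_bvlc(payload)
    if parsed is None:
        return []
    func_name, declared_len = parsed
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_NETS):
        findings.append(f"BACnet/IP from untrusted source {src_ip}")
        if func_name == "Original-Broadcast-NPDU":
            findings.append("broadcast NPDU from untrusted source")
    if declared_len != len(payload):
        # Framing sanity check only: a generic malformed-datagram signal, not a CVE signature
        findings.append(f"BVLC length {declared_len} != datagram length {len(payload)}")
    return findings


# Constructed samples: BVLC header + NPDU + Who-Is APDU (service choice 0x08)
WHO_IS_BODY = bytes.fromhex("0120ffff00ff1008")
SAMPLES = [
    ("10.20.1.5", 47808, bytes.fromhex("810a000c") + WHO_IS_BODY),    # trusted unicast
    ("203.0.113.7", 47808, bytes.fromhex("810b000c") + WHO_IS_BODY),  # internet broadcast
    ("10.20.1.9", 47808, bytes.fromhex("810a0100") + WHO_IS_BODY),    # bad length field
]

if __name__ == "__main__":
    for src, port, data in SAMPLES:
        print(src, port, assess_datagram(src, port, data) or "ok")
```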

Vulnerable devices found worldwide

Between February and April, McAfee found nearly 600 eBMGR controllers running vulnerable firmware versions (571848 and prior) on the internet. However, other publicly exposed Delta Controls devices share the same firmware as the eBMGR and are also likely to be vulnerable. McAfee estimated the total number of internet-exposed targets at around 1,600, but many more exist inside enterprise networks and can be attacked if not properly isolated from other systems.