Security researchers found a remotely exploitable critical vulnerability in a building management system used by businesses, hospitals, factories and other organizations to control things like ventilation, temperature, humidity, air pressure, lighting, secure doors and more. The vendor has released a firmware update, but hundreds of these systems are still exposed on the internet, highlighting the risks of remote management for ICS devices.
The vulnerability, tracked as CVE-2019-9569, was discovered by researchers from security firm McAfee and affects enteliBUS Manager (eBMGR), a control system that can be used to manage different I/O switches connected to things like sensors, alarms, motors, locks, valves and other industrial equipment. The system can also serve as a router for linking multiple Building Automation Control Network (BACnet) segments.
The eBMGR is made by a company called Delta Controls that’s headquartered in British Columbia, Canada, but which has offices and sells its products around the world. The discovered issue is a buffer overflow vulnerability located in the BACnet stack that results in remote code execution when exploited successfully. Attackers can trigger it by sending maliciously crafted packets to the vulnerable devices, which does not require authentication or user interaction.
To demonstrate the attack, the McAfee researchers created an exploit that deploys a malware program on the device which gives attackers remote control capabilities over the device. While they don’t plan to release exploit code at this time, the researchers presented their findings at the DEF CON security conference in Las Vegas.
“Consider for a moment a positive pressure room in a hospital, the kind typically used to keep out contaminants during surgeries,” McAfee security researcher Mark Bereza said in a blog post. “Managing rooms such as these is a typical application for the eBMGR and it does not take an overactive imagination to envision what kind of damage a bad actor could cause if they disrupted such a sensitive environment.”
Steve Povolny, the head of Advanced Threat Research at McAfee, tells CSO that since BACnet is a UDP-based protocol, the vulnerability can easily be exploited by broadcasting messages to the entire network. He also added that devices can be attacked over the internet and that it’s not unusual for such control systems to be exposed for remote management.
Vulnerable devices found worldwide
Between February and April, McAfee found nearly 600 eBMGR controllers running vulnerable firmware versions (571848 and prior) on the internet. However, other publicly exposed Delta Controls devices share the same firmware as eBMGR and are also likely to be vulnerable. McAfee estimated the total number of targets at around 1,600, but many more exist inside enterprise networks and can be attacked if not properly isolated from the other systems.
Most of the internet-connected controllers are located in North America with 53% in the U.S. and 35% in Canada. However, vulnerable devices were also observed in the U.K., Ireland, Italy, Germany, New Zealand, Singapore, Japan, Australia and other countries.
An analysis of their IP addresses revealed that almost a third of them are operated by organizations from the education sector, followed by telecommunications, real estate, medical, food, government, hospitality and banking.
“Consider some of the industries we found that could be impacted,” the McAfee researchers said. “Industries such as hospitals, government and telecommunication may have severe consequences when these systems malfunction.”
While inside a hospital a potential attack can impact human life, in a datacenter scenario attackers could disable the temperature controls and alarm and let the servers crash and suffer physical damage, which could lead to significant downtime and loss of data.
Delta Controls responds effectively
McAfee commended Delta for its response to this issue and its commitment to the vulnerability coordination and fixing process. While the company observed new eBMGR controllers being connected to the internet during the monitoring period, it also observed many more being taken offline.
“We encourage research groups to responsibly disclose vulnerabilities to our team,” Delta Controls said in a statement on its website. “Likewise, Delta Controls, Inc., is committed to regularly communicating cybersecurity information to our customers and our industry.”
The focus of much ICS security research is on PLCs and SCADA systems used in manufacturing plants, public utilities, gas and oil refineries and other critical infrastructure environments. However, attacks against building automation systems like eBMGR could also have an impact on human life and these devices are more likely to be left exposed on the internet for remote management purposes.
“A principle of least privilege policy may be appropriate, and a network isolation or protected network segment may help provide boundaries of access to adversaries,” said Douglass McKee, a senior security researcher with McAfee’s Advanced Threat Research team. “An awareness of security research and an appropriate patching strategy can minimize exposure time for known vulnerabilities. We recommend a thorough review and validation of each of these important security tenants to bring these critical assets under the same scrutiny as other infrastructure.”