Plenty of equipment running embedded Linux is affected

Sep 26, 2014 09:10 GMT

Updating industrial control systems (ICS) to eliminate the recently discovered vulnerability in the Bash command shell for Linux is a difficult challenge, because patches may not even be available.

The concern regarding the Shellshock bug is mostly centered around unpatched web servers, which can be abused by attackers to serve malware, steal credentials or gain deeper access into the network of the target.

However, the impact of the bug extends beyond this to ICS equipment, SCADA in particular, running Linux versions that may no longer support upgrades.

Updates in the case of ICS are often not an option

Reid Wightman of Digital Bond, a company offering security assessment services for control systems, says that in the embedded device industry it is common practice for developers not to prepare for patching scenarios.

“There is still an awful lot of embedded industrial control systems equipment being manufactured today which has no way to even apply update,” he said in a blog post.

The threat facing ICS equipment running embedded Linux is quite serious, because any utility that calls the Bash command shell to execute commands is a potential attack vector.

The Shellshock bug can be exploited by passing Bash an environment variable with malicious code appended to its value. When Bash interprets the variable, the appended command is executed as well.
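For equipment an operator can log in to, the behaviour described above can be checked locally. The script below is an added example, not part of the original article or of Digital Bond's material; the marker string, the function names and the list of candidate shell paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local audit for the Bash variable-import flaw.
# The probe is harmless: its trailing command only echoes a marker.
MARKER="trailing-command-ran"   # constructed marker string (assumption)

# probe_shell PATH
#   0 -> PATH ran the trailing command (affected)
#   1 -> PATH ignored it (not affected by this probe)
#   2 -> PATH is missing or not executable
probe_shell() {
    [ -x "$1" ] || return 2
    # Start the candidate with a clean environment holding one variable:
    # a function definition followed by a trailing echo. An affected Bash
    # runs the echo while importing the variable, before the -c command.
    probe_out=$(env -i probe_var="() { :; }; echo $MARKER" "$1" -c ':' 2>/dev/null) || true
    case $probe_out in
        *"$MARKER"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_shells PATH...  prints one "status<TAB>path" line per candidate
audit_shells() {
    for candidate in "$@"; do
        rc=0
        probe_shell "$candidate" || rc=$?
        case $rc in
            0) printf 'AFFECTED\t%s\n' "$candidate" ;;
            1) printf 'ok\t%s\n' "$candidate" ;;
            *) printf 'absent\t%s\n' "$candidate" ;;
        esac
    done
}

# Candidate locations are assumptions; list the shells your image ships.
audit_shells /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh
```

A result of ok means only that this one probe was ignored; the installed Bash version should still be compared against the vendor's advisory.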

Apart from lacking an update mechanism, some ICS equipment stays in service for long periods before it is replaced, most of the time outliving the maintenance period offered by the developer.

Another issue with patching is that turning off the equipment could result in huge losses. Wightman told Threatpost that, for this reason, the update can be executed during the maintenance window of the industrial control system, which is scheduled with a specific frequency.

“Many industrial components run Linux and use bash in a way that will be exploitable,” Wightman said. “Industrially hardened network switches, and even some programmable logic controllers (PLCs) and remote terminal units (RTUs) will likely be affected,” the researcher added.

ICS and SCADA are generally air-gapped

On the bright side, the likelihood of an attack on these systems, which are used in critical infrastructure, is lower than in the case of a web server, mainly because they are isolated from the Internet.

This does not mean that risks are eliminated completely. Successful attacks on air-gapped systems have happened before, Stuxnet being the most suitable example.