Vulnerabilities in APROL systems could allow attackers to perform arbitrary code execution

• The vulnerabilities impact 12 components of the APROL products that are used by oil and gas, energy, and mechanical engineering companies.
• The 12 components include the FTP, finger, SSH, VNC, TbaseServer, LDAP server, web server, EnMon, IosHttp, AprolLoader, AprolSqlServer, and AprolCluster.

What is the issue?

Researchers from Positive Technologies have uncovered several vulnerabilities in APROL systems from B&R Industrial Automation.

What are the impacted products?

The vulnerabilities have impacted almost 12 components of the APROL products that are used by oil and gas, energy, and mechanical engineering companies.

The 12 components include the FTP, finger, SSH, VNC, TbaseServer, LDAP server, web server, EnMon, IosHttp, AprolLoader, AprolSqlServer, and AprolCluster.

More details on the vulnerabilities

The vulnerabilities could allow an attacker to launch arbitrary code execution causing power outages and oil leaks. Researchers noted that the vulnerabilities could be exploited by attackers who have access to the organization’s network.

Paolo Emiliani, Industry and SCADA Research Analyst Security at Positive Technologies, said that attackers could exploit the vulnerability and disrupt the technological processes by sending unauthorized commands controlling the equipment and changing configuration settings including program algorithms causing abnormal operation modes.

“The ability to run arbitrary code in the operating system of ICS components would allow attackers to disrupt the technological process,” Emiliani said.

Vulnerability Patched

Positive Technologies notified B&R Industrial Automation about the vulnerabilities and the vendor addressed them. However, it took nearly 10 months for the company to patch the vulnerabilities.