myPRO

mySCADA myPRO^[1] is an industrial process visualization and management system that can be installed on Windows or Linux operating systems and allows you to visualize data from APCS using a web interface.

History

2024: Detection of a dangerous vulnerability, a fix is not available for Russians

In the mySCADA myPRO industrial process visualization and control system, FSTEC discovered a BDU:2024-05050^[2] vulnerability in early July^[3]a remote attacker to execute arbitrary code. The vulnerability is related to pre-installed credentials, that is, passwords from administrative accounts sewn into the software. The vulnerability hazard according to the CVSS 3.1 assessment method is 9.8 out of 10. It is indicated that in version myPRO 8.31.0 the error has been fixed, and it would be necessary to update to it, but the manufacturer - the Czech company - is configured against Russian users.

mySCADA

mySCADA is a simple and convenient tool for visualizing industrial processes, it was quite widespread in Russia before the sanctions, in which the product manufacturer, a Czech company, acts from a very tough position, - Rustem Khayretdinov, deputy general director of the Garda group of companies, explained the situation for TAdviser. - The system is accessed through a regular web browser. An additional advantage is the ability to write scripts in JavaScript, which allows users to expand the functionality of the system. In view of the above, such systems are not safe on their own, so they are usually designed without direct connection to the process loop. Therefore, with classical architecture, it is unlikely that a hacker will be able to gain control over technological processes, that is, harm industrial infrastructure and, moreover, human health and life.

At the same time, according to Vladimir Dashchenko, an expert on cybersecurityKaspersky ICS CERT, the situation may be dangerous.

This is a fairly critical vulnerability, since we are talking about a potential backdoor - this is undeclared software functionality, namely "sewn" authentication data, - he said in correspondence with TAdviser. - It is not clear whether they were forgotten or left with intent. When the company has implemented the best practices for secure development, then such situations cannot be missed. Exploitation of such a vulnerability can have very serious consequences for the technological process.

Indeed, GOST R 65939, adopted in Russia, defines the processes for developing secure software, which provides for verification, including for the presence of built-in credentials - this process must be carried out by the manufacturer himself. Moreover, FSTEC, by its requirements for using software that is tested for security, actually obliges software manufacturers to implement checks for the presence of built-in administrative privileges in the development pipeline. However, the Czech company does not seem to have implemented such procedures. As a result, users of its products have to either upgrade to the new version - 8.31.0, or follow the following recommendations of FSTEC:

• Segment networks to restrict access to the industry segment from other subnets
• restrict access from external networks (Internet) to the industrial segment;
• Use virtual private networks for remote access (VPN)
• use firewalls to limit the possibility of direct remote access.

It is necessary to follow the principles of layered protection of your assets, - Vladimir Dashchenko added to the recommendations of FSTEC. - Also use specialized security tools for industrial networks and automated systems, regularly train personnel and use early threat reporting services. I also recommend that third-party researchers check the software for undeclared capabilities and zero-day vulnerabilities.

Notes