EFACEC reports critical issues in their BCU 500 product
Take action: If you are using EFACEC BCU 500, review this issue carefully. The full exploit scenario is not trivial and requires authenticated sessions, but given enough time an attacker will be able to compromise a vulnerable BCU 500 by scamming a human operator. Isolate the system from the public internet, and plan for a patch.
EFACEC has recently reported two security issues with its BCU 500 product, a component in electrical substations and power distribution systems.
The vulnerabilities identified include:
- CVE-2023-50707 (CVSS score 9.6) - Uncontrolled Resource Consumption - Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.
- CVE-2023-6689 (CVSS3 score 8.2) - Cross-site Request Forgery - A successful CSRF attack could force the user to perform state-changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application.
The affected version of the BCU 500 is specifically version 4.07. In response to this issue, EFACEC has released an updated version, BCU 500 version 4.08, which includes mitigations for these vulnerabilities. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has recommended several defensive measures to minimize the risk of exploitation. These measures include limiting network exposure of control system devices, using firewalls and VPNs for additional security, and adhering to cybersecurity strategies and best practices for Industrial Control Systems (ICS).