By Gregory Hale
Stuxnet has brought about a stronger awareness in industrial control and SCADA systems. So much so, security specialists are now looking under the hood and seeing if they can find any problems.
They just did. Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), Iconics (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).
Auriemma’s list includes the spectrum of potential security issues from remote file downloads and unauthorized file uploads to targeted attacks on services via integer, buffer and heap overflows. A hacker could also probably exploit some of the holes to inject and execute arbitrary code. The Stuxnet worm also exploited holes in WinCC, the successor to FactoryLink, to remotely infiltrate systems and manipulate the connected controls.
Auriemma released proof-of-concepts for most of the vulnerabilities. The expert said no one has released fixes yet for any of the holes, although it appears no one reported the holes to the manufacturers.
Auriemma wrote in his report, “In case someone doesn’t know SCADA (like me before the tests): It’s just one or more softwares (usually a core, a graphical part and a database) that allow people to monitor and control the various hardware sensors and mechanisms located in industrial environments like nuclear plants, refineries, gas pipelines, airports and other less and more critical fields that go from the energy to the public infrastructures and obviously also the small ‘normal’ industries.”
To make matters worse, vendor GLEG Ltd last week made available the “Agora+SCADA” exploit pack for the Immunity Canvas exploit framework. The pack contains 23 modules for attacking systems by various manufacturers – including nine zero-day exploits. Companies found include: Atvise SCADA – Zero day; Control Microsystems ClearScada – Zero day; DataRate SCADA WebControl and RuntimeHost – Zero day; Indusoft SCADA Webstudio – Zero day; ITS scada – (Previously known); Automated Solutions Modbus/TCP OPC Server – (Previously known); BACnet OPC client Advantech Studio Web server – (Previously known) Iconics – (Previously known).
In addition, security researcher Rubén Santamarta notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product (also sold as Advantech). According to the notice, ICS-CERT forwarded the vulnerability information to BroadWin.
Santamarta decided to publicly release the details of the vulnerability including exploit code.
SCADA system security issues are sensitive because users network controls more than ever, while the systems hardly have any protective features against potential attacks, are usually quite old, and rarely get updates. Some SCADA systems are accessible via the Internet, which makes them easy targets for attackers.
ICS-CERT recommended users minimize network exposure for all control system devices. Control system devices should not directly face the Internet. Locate control system networks and devices behind firewalls, and isolate them from the business network. If you need remote access, employ secure methods such as Virtual Private Networks (VPNs)
“These companies are not insignificant players in the SCADA/ICS market,” said Eric Byres, chief technology officer at Byres Security, in his blog. “Iconics has a very large number of installations in the oil, gas and water industries, while RealFlex is a significant player in the water/waste water sectors. FactoryLink (formerly an independent called US Data) is a Siemens acquisition and on the way out, but has some 80,000 installations around the world (at least according to the Siemens brochure). Indusoft claims 125,000 Human Machine Interface and SCADA systems operating worldwide. And Control Microsystems, now owned by Schneider Electric, is no minor player either. By my calculations, it adds up to something close to a million installed systems, a sign the HMI industry as a whole has some serious security issues.”
“Nearly all of these vulnerabilities come with proof of concept (POC) code. I am willing to bet that at least a half dozen workable exploits will be in public frameworks like Metasploit within two weeks,” Byres added.
“To make matters worse, these vendors seem to be acting like ostriches with their heads’ firmly in the sand,” Byres said. “It has been over 48 hours since these vulnerabilities were announced and only one vendor (Realflex) has acknowledged the issues or guidance for customers posted on their website. The rest are letting their customers spin in the wind. Didn’t they learn anything from seeing all the grief a slow response to Stuxnet caused Siemens?”
“One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more,” said Joel Langill, chief security officer at SCADAhacker.com in a guest appearance on Byres’ blog. “Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.”
“So what about the four SCADA/HMI products that have Luigi Auriemma’s 34 Zero-day vulnerabilities? Would any of those have additional vulnerabilities, just waiting to be exposed to the world? After all, Luigi claims to have spent only two days per product. That isn’t much time – what if someone else started looking harder. So we decided to give it a shot,” Langill said.
“Sure enough, Eric (Byres) and I began working on one of the flawed HMI packages last night,” Langill said. “Within 5 minutes during my first scan, I found that it is susceptible to directory traversal attacks. In other words, the HMI software is allowing unrestricted access to most of the file system, including critical password files. Once someone has compromised these files, additional remote attacks are trivial.”
“Unlike Luigi, I filed a report with the ICS-CERT a few hours ago, copying the vendor,” Langill said. “CERT immediately followed up with my submittal, assigned it an ICS-VU tracking identifier, and requested some additional data from my research to review with the vendor.”