They’re both easy targets.
If you’ve been paying attention to the security industry for any length of time then you’re probably familiar with the non-disclosure vs responsible disclosure vs full disclosure stances researchers take with regard to vulnerabilities they discover. As the value of vulnerabilities has been steadily going up over the years, more and more individuals and organizations are aligning themselves with the non-disclosure crowd and not for the traditional reasons. These days there seem to be an increasing number of cases of individuals hiding behind non-disclosure for reasons that generally tend to end up revolving around them making more money than reputable outlets provide.
When I read that a new company out of Italy Malta called ReVuln has discovered vulnerabilities in SCADA software and decided not to inform the affected vendors, but rather sell the information privately to their customers, I was intrigued.
Here is some of the press coverage they received:
Security Firm Showcases Vulnerabilities in SCADA Software, Won’t Report Them to Vendors
ReVuln claims 0day vulnerabilities for SCADA systems
Security Firm ReVuln Showcases SCADA Zero-Days
ReVuln showcases vulnerabilities in SCADA software, but won’t report them to vendors
Exploit broker releases EXPLICIT VIDS of holes in industrial control kit
As ReVuln founder Luigi Auriemma is quoted as saying:
“ICS-CERT has just contacted us some minutes ago requesting more details but we don’t release information,” “[The vulnerabilities] are part of our portfolio for our customers so no public details will be released; they will remain private.”
For those of you who do not know, SCADA systems run things like power plants, airports, manufacturing facilities, and so on (read the wikipedia page for more info). While these may not be defined as “Internet infrastructure”, I would argue that they are even more crucial to the safety and security of the general populace (especially when you think about the national security implications of vulnerabilities in these systems).
On Thanksgiving day I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible. As we at Exodus we responsibly report all vulnerabilities we deal with, my goal was to report any such findings for free to ICS-CERT, the group responsible for collaborating with SCADA vendors to ensure vulnerabilities are fixed.
Here’s a list of the vendors and types of vulnerabilities I found (23 in all):
Rockwell Automation
- 1 remote code execution vulnerability
- 1 denial of service vulnerabilty
- discovery that one piece of Rockwell software installs Adobe Reader 8 which is susceptible to an innumerable amount of remote code execution flaws
Schneider Electric
- 3 remote code execution vulnerabilities
- 1 denial of service vulnerability
Indusoft
- 1 denial of service vulnerability
RealFlex
- 8 denial of service vulnerabilities
Eaton Corporation
- 3 remote code execution vulnerabilities
- 2 denial of service vulnerabilities
- 1 arbitrary file download vulnerability
- 1 arbitrary file deletion vulnerability
- 1 arbitrary file upload/overwrite vulnerability
The most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself. I plan to put in a request to the ICS-CERT that they perhaps establish a repository of SCADA software for researchers like myself to audit (provided they agree to disclose the vulnerabilities, that is). Even a list of what software is of interest would be beneficial.
All of the vulnerabilities listed above will be responsibly disclosed to the ICS-CERT team just following the publication of this post.
Now, I realize I haven’t found nearly all the vulnerabilities in these products, but hopefully there is some overlap with those that were never going to end up in the hands of those able to fix them. I will probably take another (longer than one morning) shot at similar software sometime in the future, but for now it was just a nice way to pass the time.
Happy Thanksgiving.
–
Aaron
@aaronportnoy
I would highly recommend reading the article, “Demanding Software Security Assurance”, published in Control Magazine in 2011. The article addresses what industrial automation / SCADA system manufacturers can, and should do, to “build security” into their software development process.
http://www.controlglobal.com/articles/2011/SoftwareSecurity1102.html
If you’ve ever read the NERC standard you realize that whoever wrote it was looking at it from a purely forensic view and not anything to protect the systems in use by the power industry. It’s ludicrous.
Instead of securing the SCADA devices and software, they just keep logs. Not very smart.
SCADA – Supervisory Control and Data Acquasition
The PLCs do all the real work, the PLC code has all the fail safes.
It’s like claiming I can break into the bank by smashing the front window.
BTW many ATMs contain a Windows95 PC
Yes, the 0 days only affects to front-end software, but if you manipulate the output values and confuse to operator only in the front-end(SCADA), you can be very bad thinks.
I would certainly like to know a bit more on the specifics of the findings as it pertains to Schneider Electric Products and which flavor of their DDC/ SCADA platforms were found to have vulnerabilities. Could this be elaborated upon? Schneider offers quite a few SCADA packages. Simply saying Schneider Electric software has 3 remote code execution and 1 DDoS vulnerabilities does little beyond having me go wowie, what a Sherlock Holmes. Please identify the platforms/ products so that, as an integrator, I can better account for said vulnerabilities in network security design and mitigation strategies with the products we currently deploy and support.
Hi Rich,
The products affected are listed on our site at http://www.exodusintel.com/rip as we make the reports available. The details of the vulnerabilities and information regarding detection and mitigation are included in our intelligence feed offerings which our customers receive. If you have any inquiries you may e-mail us at info@exodusintel.com.
Was this test performed on publicly available software?
Besides vendors, can you list products and versions? Some of these vendors have multiple SCADA products.