UPDATE: A week after a security researcher decided to cancel a technical discussion of security holes in industrial control software from Siemens, Inc., public exploits for the vulnerabilities are on hold while the company works to shore up systems running its Simatic programmable logic controller (PLC) software.
H.D. Moore, creator of the Metasploit penetration testing tool, said that new Metasploit modules targeting the Siemens S7 vulnerabilities are being held under embargo, pending word from Dillon Beresford, the NSS Labs researcher who wrote and submitted them to the free penetration testing platform.
In the meantime, Siemens has been quoted in published reports saying that its engineers are working on a fix for the vulnerabilities, which Beresford submitted to the company on May 8, ahead of a planned talk at the TakeDownCon security conference in Dallas. The company did not immediately respond to e-mail and phone requests for comment from Threatpost. Rick Moy, president and CEO of NSS Labs, said that Siemens has not requested any further help from Beresford or his company in researching the vulnerabilities.
“We certainly haven’t seen any patch though
they said they’re working on it and would let their customers know,” Moy wrote.
Moore said he has reviewed the code in the Siemens Metasploit modules,
but declined to release or discuss them without express permission from Beresford. He said its rare, but not unheard of, for MetaSploit to hold onto new exploits.
“We have about 5 instances of this on average each
year; a researcher that provides code for us to review prior to publication.
Its a chance for us to provide feedback on the modules and fix any bugs without
the normal time pressure,” Moore wrote.
The Metasploit Framework is a free penetration testing platform owned by Rapid 7.
When released to MetaSploit, the holes submitted could be used to test and possibly exploit a wide range of industrial systems running vulnerable versions of S7, the Siemens software. In an e-mail to Threatpost, Beresford said the vulnerabilities could allow remote attackers to start or stop Siemens Programmable Logic Controllers (PLCs) and harvest information from the devices.
The holes in question could allow remote attackers to “put the PLC CPU into STOP mode,” “put the PLC CPU into RUN mode” as well as dump the memory and scrape device information from the PLC, including the model, firmware version, serial number and PLC name, he wrote.
Beresford submitted the exploits to Metasploit, and notified both the U.S. Computer Emergency Response Team (CERT) and Siemens of the holes on May 8. Those submissions got the attention of U.S. CERT and from Siemens, who asked Beresford to suspend his TakeDownCon talk. Beresford complied with that request.The Siemens Simatic is a line of programmable logic controllers that are used to provide programmatic access to a wide range of physical devices, including industries such as water distribution and treatment, electricity generation, manufacturing and so on. Simatic PLCs and the Step 7 (S7) software that controls them were one of the targets of the Stuxnet worm, which was used to disable Iran’s uranium enrichment facilities at Nantaz.
Beresford is a well-known expert on security in industrial control systems. In recent months, he has published information about holes in other SCADA products at use both here and abroad. In January, he disclosed a critical hole in a SCADA application, KingView, from the Beijing based firm Wellintech. He has also publicized his research on vulnerabilities in Chinese government systems, which he say are woefully underprotected.
