It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours’ work.
SCADA software, which is used to run systems at utilities, manufacturing plants and other critical points, has become a key target recently for security researchers as well as attackers and politicians. There have been relatively few documented attacks against SCADA installations, compared to the general population of Web apps or enterprise software, but they have happened. One well-known example would be the Stuxnet worm, which targeted Siemens software installed at the Natanz enrichment facility in Iran.
And while most security researchers still focus mainly on Web apps or widely deployed enterprise software, some have taken an interest in the more esoteric SCADA applications of late. Earlier this year, a pair of researchers disclosed a slew of vulnerabilities in the Tridium Niagara software, prompting ICS-CERT, which tracks flaws in SCADA and ICS (industrial control system) software, to issue an alert. One of the researchers involved in that work said that there is no comparison between the state of security in enterprise software and SCADA applications.
“It turns out they’re stuck in the Nineties. The SDL doesn’t exist in ICS,” Terry McCorkle said. “There are a lot of ActiveX and file format bugs and we didn’t even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable.”
Now, a well-known researcher at Exodus Intelligence says that after spending a few hours on Thanksgiving morning looking for bugs in SCADA applications, he came up with more than 20, several of which are remote code-execution vulnerabilities. Aaron Portnoy, the vice president of research at Exodus, said that finding the flaws wasn’t even remotely difficult.
“The most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself,” Portnoy said in a blog post.
In fact, he said that locating the software was more difficult than finding the bugs themselves. Portnoy said he decided to go after the SCADA apps, which he’d never researched before, after seeing the video posted by ReVuln last week. In the video, ReVuln researchers say they have server-side remote code-execution flaws in software from GE, Schneider Electric, Siemens, Kaskad, ABB/Rockwell and Eaton. Portnoy also found flaws in Schneider Electric, Rockwell and Eaton apps, as well as in software from Indusoft and RealFlex.
ReVuln does not disclose vulnerabilities to vendors, but instead keeps the information to itself and sells it to customers. Portnoy, meanwhile, said he plans to disclose all of the bugs he found to ICS-CERT. Of the 23 bugs he discovered, Portnoy said that seven of them were remotely exploitable code execution flaws.
“Now, I realize I haven’t found nearly all the vulnerabilities in these products, but hopefully there is some overlap with those that were never going to end up in the hands of those able to fix them. I will probably take another (longer than one morning) shot at similar software sometime in the future, but for now it was just a nice way to pass the time,” he said.

Interesting follow up, what a company claims and what it actually does: aluigi.altervista.org/misc/aaron_eip_mail.txt
Did Aaron Portnoy steal these from ZDI like he stole Luigi’s bug from ZDI and then published it as his own under his own company name?
Wow, Luigi’s PR team is going all out today. They seem to be following his model of finding easy targets and still not being able to exploit them meaningfully.
Correction:
Scada software should not be referred to with the word “app”.
Why this matters to you…
SCADA is used to control valves via a network. By valves I mean those used to mix chemicals in an industrial setting, like a water treatment plant or pumping station. This has been ignored for too long. If not for its double redundancy, big issues could possibly occur.
That’s what I have been saying for 10 damn years!
I would like to see research on Honeywell experion and PHD, HIMA (SIS), Invensys (SIS), ABB, Emerson, Matrikon, osisoft, aspentech, and more Siemens. What would be especially interesting is the enterprise facing systems running on a web server.
Curious that this comes from an IP based in Italy… (hi Luigi :pPpPPpPppP)
What are the claims being made there? Seems like incomprehensible ranting…
What is this, I don’t even.
They practice responsible disclosure and ReVuln is jelly because it hurts their extortion business model? Is that what they’re trying to say?
IIRC that claim was very clearly disproved (even ZDI acknowledged the fact). Nice try, though.
I’m sorry Luigi, but your princess is in another castle!
+1
He should go back to finding bugs in even softer targets like he used to: gaming software. That way he can impress his fellow 14-year-old buddies.
Bro, did you see his elite heap spray technique? That is so old school… the mark of a true ninja exploiter. This guy deserves our respect.
</sarcasm>
Yep, now you know Luigi Auriemma’s world
Luigi’s ego pwned
How many bugs have you found lately? I’m guessing zero, whereas Luigi has discovered 500+, so show some respect.
You must be one of those previously mentioned 14-year-old buddies who is impressed by someone fuzzing soft targets and finding crashes they have no skills to interpret. Ya, Luigi is really good at that, but it doesn’t deserve respect. Cats can do the same thing prancing about the keyboard.