A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.
The researchers, Adam Crain, Chris Sistrunk, and Adam Todorski–though Todorski has not yet been credited with finding any of the disclosed bugs–are conducting this research with a sponsorship from Automatak, a firm – started by Crain – that provides security support for the makers and maintainers of the sorts of ICS and SCADA equipment that control much of the world’s critical infrastructure and industrial machinery.
Thus far, the researchers have published the details of just nine vulnerabilities, each of which is remotely exploitable, though they claim that they have discovered another 16 bugs, but the details of those flaws are pending as they communicate with the affected vendors. Every publicly disclosed bug appears to have been acknowledged and fixed by the vendor, though that does not mean that the maintainers of vulnerable systems have installed the patches.
All their research is part of Project Robus. Deriving its name from the Latin noun for a source of strength, the project is an ongoing search for zero day vulnerabilities in SCADA and ICS software. Despite it’s responsibility for controlling much of the world’s critical infrastructure and industrial processes, SCADA and ICS protocols are notoriously vulnerable to exploit, a particularly concerning reality given human reliance on water and power plants.
Specifically, Crain and Sistrunk uncovered two bugs in IOServer. An improper input validation vulnerability in its DNP3 Driver software and another in the same piece of software’s master station. Each bug could potentially cause an infinite loop if an attacker were to send a maliciously crafted TCP packet. The only way out of the loop would be to perform a manual restart.
The pair also found a DNP3 input validation issue in Schweitzer Engineering Laboratories’ real-time automation controllers exploitable under similar conditions. An attacker could send the device into in infinite loop, and, depending on device settings, its controllers may have to reload configuration settings upon restart.
Crain and Sistrunk also determined that they could send a specially crafted TCP packet into Kepware Technologies’ DNP master driver for the KEPServerEX communications platform by exploiting yet another input validation vulnerability. The result, again, would be an infinite loop but also a denial of service condition. The system would require a restart in order to recover. Essentially the same vulnerability exists in DNP master driver for the TOP server OPC server, multiple Triangle MicroWorks’ products, some with third-party components, and MatrikonOPC SCADA DNP3 OPC server.
The last two bugs exist in SUBNET Solutions’ SubSTATION Server software and Alstom’s e-terracontrol software. Each vulnerability could give an attacker the ability to impact the availability of the respective products.
The potential impact of all of these bugs obviously depends on the configuration settings of the equipment.
The researchers discovered these flaws using a customized smart fuzzer that they will give the public access to as an open source tool in March.
Automatak claims it discloses vulnerabilities to the vendor and ICS-CERT, working with the affected vendors to validate patches and improve testing.