0-Day SCADA Exploits Publicly Exposed by Italian researchers


0-Day SCADA Exploits Publicly Exposed by Italian researchers
An Italian researcher has uncovered at least a dozen security flaws in software used in utilities and other critical infrastructure systems, prompting security advisories from the U.S. government. Security researcher Luigi Auriemma disclosed the attacks against six SCADA (Supervisory Control and Data Acquisition) systems including US giant Rockwell Automation.The step-by-step exploits allowed attackers to execute full remote compromises and denial of service attacks.Some of the affected SCADA systems were used in power, water and waste distribution and agriculture.Such zero-day information disclosure was generally frowned upon in the information security industry because it exposed customers to attack while published vulnerabilities remained unpatched.Attacks against SCADA systems were particularly controversial because exploits could affect a host of machinery from lift control mechanisms to power plants.

The advisories published by Luigi include short write-ups on each of the vulnerabilities, as well as proof-of-concept exploit code and examples. The affected products include those from Cogent, DAQFactory, Progea, Carel, and Rockwell, all of which fall under the general umbrella definition of SCADA.While some of the exploits include more advanced exploits, like heap and buffer overflows, some are simple Web directory traversal flaws requiring nothing more than a Web browser to exploit. An attacker can make a request like http://SERVER/..\..\..\..\..\..\boot.ini to the vulnerable Web server and retrieve files outside of the root directory of the Web server. In this example, the attacker can download the Windows boot.ini, which in and of itself is not a big concern, but does serve as good proof of the validity of the vulnerability and shows the ease in which the vulnerability can be exploited.

Starting at the top of the list of advisories on Luigi's site, I didn't have much luck finding servers using search strings based on product and company name. There were a few false positives, a few interesting telnet servers, but nothing of interest until I got to the Carel PlantVisor. There were 290 hits, and based on the server strings that identified the version (i.e., CarelDataServer 2.3.0.0, 2.2.0.0, 1.5.1.0), every single one is vulnerable. Additionally, a cursory glance at the SessionID for the Carel servers in the search results made me think it also suffers from a lack of entropy that could lead to easy session ID hijacking.

All of the vulnerabilities disclosed by Auriemma exist in the so-called Human Machine Interface (HMI) systems used to manage industrial control systems, said Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat.

"Vulnerabilities in HMI systems are not novel," but they should not be minimized, he said. Such vulnerabilities can be used to get at the downstream control system, he said. "You can use the HMI to get to the control device and you can use the control device to get to the HMI," he said. Without further analysis, it is too soon to say whether the flaws discovered by Auriemma are really critical or not, he said. A lot depends on the kind of applications for which the affected systems are used, he said. "Rockwell is a major manufacturer. They make a lot of systems, some of which are used in really critical applications," he added. There's no reason critical systems such as these should be exposed to the public.