The Italian Job – Multiple SCADA / ICS Vulnerabilities Go Public
Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry.
Thirty-Four SCADA Product Vulnerabilities
On Monday an Italian “Security Researcher” published a raft of vulnerabilities (34 in all) against four SCADA products. Below are the affected products with links to the US-CERT announcements:
- Iconics Genesis32 and Genesis64 SCADA/HMI (ICS CERT link)
- Siemens Tecnomatix FactoryLink SCADA/HMI (ICS Cert link)
- RealFlex Technologies’ RealWin HMI/SCADA (ICS CERT link)
- 7-Technologies IGSS (Interactive Graphical SCADA System) (ICS CERT link)
Nine More Zero-day Exploits
Meanwhile, a Russian company, GLEG Ltd, last week began selling the “Agora+SCADA” exploit pack. The pack contains 23 modules for attacking systems by various manufacturers – including nine zero-day exploits. Companies and products affected by this pile of bad news include:
- Atvise SCADA - Zero day
- Control Microsystems ClearScada - Zero day
- DataRate SCADA WebControl and RuntimeHost - Zero day
- Indusoft SCADA Webstudio - Zero day
- ITS scada - (Previously known)
- Automated Solutions Modbus/TCP OPC Server - (Previously known)
- BACnet OPC client Advantech Studio Web server - (Previously known)
- Iconics (again!) - (Previously known)
Then last night, I learned that security researcher Rubén Santamarta had notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product (also sold as Advantech). According to the notice, ICS-CERT forwarded the vulnerability information to BroadWin. Unfortunately, BroadWin was not able to validate the vulnerability.
So Mr. Santamarta publicly released details of the vulnerability including exploit code… And in case you don’t know how to use that exploit code in a real SCADA system, Mr. Santamarta provides a very detailed presentation to help you.
Joel Langill and my team are working hard to analyze and test these vulnerabilities as fast as we can. We hope to have some mitigation white papers out in the next day or so. Check here for the status of the papers or sign up for automatic notification at http://www.tofinosecurity.com/user/register.
*** March 25 Update: The first paper is now available at http://www.tofinosecurity.com/professional/analysis-iconics-genesis-security-vulnerabilities
Concerns About the Release of the Vulnerabilities
Now while you are waiting for the white papers, I will comment on a number of things about this particular release of vulnerabilities that bother me.
First, these companies are not insignificant players in the SCADA/ICS market. If my memory serves me well, Iconics has a very large number of installations in the oil, gas and water industries, while RealFlex is a significant player in the water/waste water sectors. FactoryLink (formerly an independent called US Data) is a Siemens acquisition and on the way out, but has some 80,000 installations around the world (at least according to the Siemens brochure). Indusoft claims 125,000 Human Machine Interface and Supervisory Control and Data Acquisition systems (SCADA) operating worldwide. And Control Microsystems, now owned by Schneider Electric, is no minor player either. By my calculations, it adds up to something close to a million installed systems, a sign the HMI industry as a whole has some serious security issues.
Second, nearly all of these vulnerabilities come with proof of concept (POC) code. I am willing to bet that at least a half dozen workable exploits will be in public frameworks like Metasploit within two weeks (FYI, if you are willing to pay for them, all of the GLEG vulnerabilities are available for the Immunity Canvas exploit framework right now).
Vendors are not Responding
To make matters worse, these vendors seem to be acting like ostriches with their heads' firmly in the sand. It has been over 48 hours since these vulnerabilities were announced and only one vendor (RealFlex) has ANY acknowledgement of the issues or guidance for customers posted on their website. The rest are letting their customers spin in the wind. Didn’t they learn anything from seeing all the grief a slow response to Stuxnet caused Siemens?
*** March 24 th Update: Iconics posted a notice last night on their site. They have also informed me that they will announce the patch on their home page as soon as it is available. Still waiting for the others. ***
To add insult to injury, RealFlex, 7-Technologies IGSS, Iconics, Control Microsystems, Indusoft and Advantech previously have all had security vulnerabilities. Surely they should have set up a rapid response security plan by now?
Now to the US ICS-CERT's credit, they have learned from the past. They had basic awareness documents out Monday night (see links above). Nice work.
Again, we are working to develop mitigations for these products as fast as we can. Watch here for updates. In the meantime, if you have any of the above SCADA/ICS products, contact your vendor and ask for guidance. And if you get any, please let us know. The ICS community needs to work together to secure our critical systems.
ISSSource.com, March 23, 2011
More SCADA Vulnerabilities Found
DigitalBond, March 22, 2011
Interview with Luigi Auriemma of 34 0day ICS Vulnerabilities