Perimeter
1/13/2011
04:45 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Security Researcher Targets SCADA, Releases Exploit

Another exploit for SCADA software emphasizes the need for organizations to review their network design and device exposure before they become a victim.

The year has opened up with a bang, with security researcher Dillon Beresford taking the latest shot at supervisory control and data acquisition (SCADA) systems. Sunday night, Dillon contacted me about a new exploit he'd just published for a Chinese SCADA software called KingView. After sending e-mails to the vendor and CN-CERT with no response after three months, he released the exploit in hopes it would jump-start the company into action and realize the need to patch the serious flaw.

Dillon's recent exploit for KingView is just part of a disturbing trend during the past year in which we've seen more exploits for and focus on exploiting SCADA systems. SCADA systems are basically networked devices and software that do things like control water and gas levels in factories or cities, as well as the positioning flood gates in dams -- all things you'd want to keep as secure as possible and never allow directly on the Internet where a malicious attacker might find it, right?

Well, unfortunately, as we've seen with the buzz created by SHODAN and the resulting ICS-CERT bulletin (PDF) released in late October, these systems are being placed directly on the Internet and are being found with ease. At least it's comforting to know they are heavily secured and not exploitable in any way...

Sadly, that's not true, either, which I found in August when I was researching VxWorks vulnerabilities presented by HD Moore at B-Sides in Las Vegas; Dillon also assisted with by verifying HD 's research. Just by leveraging SHODAN, I was able to find large numbers of SCADA devices that run VxWorks sitting right on the Internet waiting to have their memory dumped, password cracked, or be rebooted using tools within the Metasploit Framework -- scary stuff.

Now, not even a month into 2011, we've seen the release of an exploit for what has been called "the most widely trusted and used supervisory control and data acquisition applications in China." The fact that it is popular is unsettling; I'm sure there have already been large scans of Chinese IP space looking for the vulnerable software listening on TCP port 777. Will we see a worm to follow and rolling blackouts in China?

While I tend to be optimistic and would really like to see this be the wake-up call necessary to get SCADA systems off of the Internet, properly secured, and vendors start making their products more secure, I'm just not sure it's going to happen. Maybe it will take a worm and blackouts to do it. Maybe government regulation. It's hard to say what exactly, but the reality is more SCADA software and hardware will be in the crosshairs of security researchers like Dillon. At least in this case, the tactic worked.

Oh, yeah. I almost forgot -- Dillon said he has more in the works, including a working Metasploit module to exploit the KingView vulnerability. If you're responsible for SCADA, then it's time to batten down the hatches. A storm is brewing.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at [email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.