Vulnerabilities / Threats

3/26/2018
10:30 AM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Overlooked Problem of 'N-Day' Vulnerabilities

N-days -- or known vulnerabilities -- are a goldmine for attackers of industrial control systems. It's time for a new defense strategy.

Security Researcher Joseph Pantoga contributed to this article.

Zero-day attacks tend to steal the spotlight when it comes to cybersecurity threats, but it is actually the known vulnerability — the "N-day" — that poses a much larger problem for many organizations and particularly those in the industrial sectors.

Whereas zero-days are a class of vulnerability that is unknown to a software developer or hardware manufacturer, an N-day is a flaw that is already publicly known but may or may not have a security patch available. There are countless known vulnerabilities in existence today, and many large commercial and governmental entities will find they have significant exposure within their broad network footprints.

However, the problem is far more acute for organizations that rely on industrial control systems (ICS) such as the energy, manufacturing, and infrastructure sectors. This is because ICS equipment can be extremely difficult to update and patch. To make matters worse, ICS firmware is often developed with insufficient built-in security controls, and product manufacturers can be slow to fix newly discovered vulnerabilities and threats.

For more than a year, our team analyzed unpatched N-day vulnerabilities in the firmware of widely used ICS devices in order to gain a better understanding of the problem. Some of these findings were recently presented at the S4x18 security conference in Miami. We found that N-days are extremely common in the ICS environment. Nearly all the operators who read this article are likely to have numerous N-days in their systems.

N-Days vs. Zero-Days
N-day vulnerabilities are a goldmine for attackers because the hard work has already been done. In certain cases, active exploits may already exist and be readily available from public disclosure documents. Compare this with zero-days, which are time-consuming and expensive to find and exploit — the reason why their use is declining among criminal groups.        .

While N-days pose a threat to any large network, industrial users are at an especially high risk because of specific circumstances unique to those environments:

  1. Systems must always be available. 
  2. No standardization. For example, in an ICS, as opposed to a standard computing environment, patching is often a manual proprietary process that requires unique software and knowledge for each vendor. 
  3. Patches rarely propagate between vendors that use shared code. This highlights an example we outlined at S4, where a vulnerability was reported to a vendor in the telecom sector, was patched by the software vendor (Intel/Windriver), but patches were not applied by a number of  other large vendors in ICS. 
  4. Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.

Real-World Cases Illustrate the Risks
The industry has already seen a number of attacks on industrial targets that have exploited N-day vulnerabilities in ICS devices and protocols. Some examples include: 

  • CrashOverride or Industroyer: This malware was used in a December 2016 attack that disrupted operations at a Ukrainian electrical transmission substation. It exploited the known CVE-2015-5374 Denial of Service condition to the Siemens SIPROTEC relays.
  • TRITON or HatMan: Discovered in 2017, the ICS malware targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers' emergency shutdown capability.
  • BlackEnergy: This malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. 

High-Risk Vulnerabilities
Many of the N-days we discovered in ICS firmware are critical in nature and could allow a hacker to gain remote access and total control over parts of an industrial operator's network or facility. These N-days could allow attackers to replicate the effects of CrashOverride, TRITON, BlackEnergy, or even Stuxnet much more easily, and at a much wider scale.

For example, in our research into the VxWorks 5.5.1 vulnerability (discussed above), we found that every major manufacturer had a product that remains unpatched against this N-day. In no case was this vulnerability listed for the individual ICS products, so vendors may not even know these vulnerabilities exist. The vulnerabilities can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations, and stealing sensitive information.

Due to the large number of vulnerabilities we discovered and the long lead time on ICS patching (as well as the low patch penetration rate), we decided not to disclose individual vulnerabilities against named devices for fear of arming attackers while device operators would be unable to respond.

Patching Is Not the Answer
ICS N-days are not an easy problem to fix. Solutions are limited by technical complications and a slow-to-act supply chain. Nonetheless, there is a lot the industry can do to address the problem.

To start, the current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware, and hardware from the very start in order to lower the overall risk of N-days and other problems, and to mitigate or prevent damage from their exploitation.

The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track hereUse Promo Code DR200 to register and save $200.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.