Vulnerabilities / Threats
12/16/2011
11:04 AM

Security Researcher Details New SCADA Bugs

Supervisory control and data acquisition systems' programmable logic controllers could be remotely accessed and loaded with trojanized firmware.

The Department of Homeland Security (DHS) issued a security alert Monday for an Ethernet add-on for the Schneider Electric Quantum programmable logic controller (PLC). Such controllers can be used to help manage industrial processes inside everything from physical manufacturing plants and printing presses to prisons and power plants.

According to the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which released the alert Monday, the Schneider Electric Quantum Ethernet Module contains multiple hardcoded credentials, which an attacker could use to bypass the device's built-in authentication mechanism and access the module's functions.

The devices can be accessed remotely in three ways: via Telnet, the Windriver Debug port, or FTP. After accessing the device, an attacker would be able to view or alter the module's firmware, execute arbitrary code, or cause a denial of service. That's a concern since the Ethernet module is designed to allow the company's Quantum PLC to communicate with other systems and devices, via an Ethernet network. As a result, an attacker could theoretically access the Ethernet module, load "trojanized firmware," then use it to attack the PLC.


The vulnerability was spotted by supervisory control and data acquisition (SCADA) security researcher Ruben Santamarta, who detailed the related bugs Monday in a blog post. ICS-CERT said that Santamarta had notified it of the vulnerabilities prior to publishing details about them.

Santamarta also acknowledged that he was releasing information about the bugs when no patch yet exists. "I reported it to the ICS-CERT months ago, I would like to thank the ICS-CERT and the Schneider security team, they have taken these issues very seriously and are working on a patch. During the process they have been keeping me updated on every [decision]/progress. However, [some] time ago I decided to change my disclosure policy," said Santamarta.

Santamarta said the devices' firmware, which he reverse-engineered, was built using the VxWorks operating system, which may be the world's most popular embedded operating system. But VxWorks is often debugged using the Windriver Debug (WDB) agent, and as security researcher HD Moore discovered last year, when that agent is left enabled in devices that are in the field, anyone who's able to access the device could then read the device's memory or call its functions.

Furthermore, VxWorks itself is prone to a well-known password hashing vulnerability, which means that cracking administrator passwords in firmware built with the operating system is relatively easy to do. That's what Santamarta was able to accomplish.

To date, four Schneider Electric products, each of which may be running one of a number of different versions of firmware, have the vulnerabilities: Quantum (7 versions), Premium (8 versions), M340 (4 versions), and STB DIO (3 versions). According to ICS-CERT, Schneider Electric has so far developed fixes for only the most recent versions of firmware for the Quantum and M340, but they have yet to be released. The fixes have removed the modules' Telnet and Windriver services. Accordingly, said ICS-CERT, "organizations need to evaluate the impact of removing these services prior to applying this fix."

On a related note, ICS-CERT last week warned that thousands of industrial control systems are Internet-connected, yet not secured with firewalls or strong authentication. Furthermore, these systems can often be discovered by using free search tools, such as Shodan, that scour the Internet for devices that contain embedded Web servers.
