Vulnerabilities / Threats
12/16/2011
11:04 AM
50%
50%

Security Researcher Details New SCADA Bugs

Supervisory control and data acquisition systems' programmable logic controllers could be remotely accessed and loaded with trojanized firmware.

The Department of Homeland Security (DHS) issued a security alert Monday for an Ethernet add-on for the Schneider Electric Quantum programmable logic controller (PLC). Such controllers can be used to help manage industrial processes inside everything from physical manufacturing plants and printing presses to prisons and power plants.

According to the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which released the alert Monday, the Schneider Electric Quantum Ethernet Module contains multiple, hardcoded credentials, which means that an attacker could use them to bypass the device's built-in authentication mechanism and access the module's functions.

The devices can be accessed remotely in three ways: via Telnet, the Windriver Debug port, or FTP. After accessing the device, an attacker would be able to view or alter the module's firmware, execute arbitrary code, or cause a denial of service. That's a concern since the Ethernet module is designed to allow the company's Quantum PLC to communicate with other systems and devices, via an Ethernet network. As a result, an attacker could theoretically access the Ethernet module, load "trojanized firmware," then use it to attack the PLC.

[ Insecure, Internet-connected industrial control systems are a national security threat. Learn why the Next DIY Stuxnet Attack Should Worry Utilities. ]

The vulnerability was spotted by supervisory control and data acquisition (SCADA) security researcher Ruben Santamarta, who detailed the related bugs Monday in a blog post. ICS-CERT said that Santamarta had notified it of the vulnerabilities prior to publishing details about them.

Santamarta also acknowledged that he was releasing information about the bugs when no patch yet exists. "I reported it to the ICS-CERT months ago, I would like to thank the ICS-CERT and the Schneider security team, they have taken these issues very seriously and are working on a patch. During the process they have been keeping me updated on every [decision]/progress. However, [some] time ago I decided to change my disclosure policy," said Santamarta.

Santamarta said the devices' firmware, which he reverse-engineered, was built using the VxWorks operating system, which may be the world's most popular embedded operating system. But VxWorks is often debugged using the Windriver Debug (WDB) agent, and as security researcher HD Moore discovered last year, when that agent is left enabled in devices that are in the field, anyone who's able to access the device could then read the device's memory or call its functions.

Furthermore, VxWorks itself is prone to a well-known password hashing vulnerability, which means that cracking administrator passwords in firmware built with the operating system is relatively easy to do. That's what Santamarta was able to accomplish.

To date, four Schneider Electric products, each of which may be running one of a number of different versions of firmware, have the vulnerabilities: Quantum (7 versions), Premium (8 versions), M340 (4 versions), and STB DIO (3 versions). According to ICS-CERT, Schneider Electric has so far developed fixes for only the most recent versions of firmware for the Quantum and M340, but they have yet to be released. The fixes have removed the modules' Telnet and Windriver services. Accordingly, said ICS-CERT, "organizations need to evaluate the impact of removing these services prior to applying this fix."

On a related note, ICS-CERT last week warned that thousands of industrial control systems are Internet-connected, yet not secured with firewalls or strong authentication. Furthermore, these systems can often be discovered by using free search tools, such as Shodan, that scour the Internet for devices that contain embedded Web servers.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.