Vulnerabilities / Threats
12/16/2011
11:04 AM
50%
50%

Security Researcher Details New SCADA Bugs

Supervisory control and data acquisition systems' programmable logic controllers could be remotely accessed and loaded with trojanized firmware.

The Department of Homeland Security (DHS) issued a security alert Monday for an Ethernet add-on for the Schneider Electric Quantum programmable logic controller (PLC). Such controllers can be used to help manage industrial processes inside everything from physical manufacturing plants and printing presses to prisons and power plants.

According to the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which released the alert Monday, the Schneider Electric Quantum Ethernet Module contains multiple, hardcoded credentials, which means that an attacker could use them to bypass the device's built-in authentication mechanism and access the module's functions.

The devices can be accessed remotely in three ways: via Telnet, the Windriver Debug port, or FTP. After accessing the device, an attacker would be able to view or alter the module's firmware, execute arbitrary code, or cause a denial of service. That's a concern since the Ethernet module is designed to allow the company's Quantum PLC to communicate with other systems and devices, via an Ethernet network. As a result, an attacker could theoretically access the Ethernet module, load "trojanized firmware," then use it to attack the PLC.

[ Insecure, Internet-connected industrial control systems are a national security threat. Learn why the Next DIY Stuxnet Attack Should Worry Utilities. ]

The vulnerability was spotted by supervisory control and data acquisition (SCADA) security researcher Ruben Santamarta, who detailed the related bugs Monday in a blog post. ICS-CERT said that Santamarta had notified it of the vulnerabilities prior to publishing details about them.

Santamarta also acknowledged that he was releasing information about the bugs when no patch yet exists. "I reported it to the ICS-CERT months ago, I would like to thank the ICS-CERT and the Schneider security team, they have taken these issues very seriously and are working on a patch. During the process they have been keeping me updated on every [decision]/progress. However, [some] time ago I decided to change my disclosure policy," said Santamarta.

Santamarta said the devices' firmware, which he reverse-engineered, was built using the VxWorks operating system, which may be the world's most popular embedded operating system. But VxWorks is often debugged using the Windriver Debug (WDB) agent, and as security researcher HD Moore discovered last year, when that agent is left enabled in devices that are in the field, anyone who's able to access the device could then read the device's memory or call its functions.

Furthermore, VxWorks itself is prone to a well-known password hashing vulnerability, which means that cracking administrator passwords in firmware built with the operating system is relatively easy to do. That's what Santamarta was able to accomplish.

To date, four Schneider Electric products, each of which may be running one of a number of different versions of firmware, have the vulnerabilities: Quantum (7 versions), Premium (8 versions), M340 (4 versions), and STB DIO (3 versions). According to ICS-CERT, Schneider Electric has so far developed fixes for only the most recent versions of firmware for the Quantum and M340, but they have yet to be released. The fixes have removed the modules' Telnet and Windriver services. Accordingly, said ICS-CERT, "organizations need to evaluate the impact of removing these services prior to applying this fix."

On a related note, ICS-CERT last week warned that thousands of industrial control systems are Internet-connected, yet not secured with firewalls or strong authentication. Furthermore, these systems can often be discovered by using free search tools, such as Shodan, that scour the Internet for devices that contain embedded Web servers.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.