Security Researcher Details New SCADA BugsSupervisory control and data acquisition systems' programmable logic controllers could be remotely accessed and loaded with trojanized firmware.
The Department of Homeland Security (DHS) issued a security alert Monday for an Ethernet add-on for the Schneider Electric Quantum programmable logic controller (PLC). Such controllers can be used to help manage industrial processes inside everything from physical manufacturing plants and printing presses to prisons and power plants.
According to the DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which released the alert Monday, the Schneider Electric Quantum Ethernet Module contains multiple, hardcoded credentials, which means that an attacker could use them to bypass the device's built-in authentication mechanism and access the module's functions.
The devices can be accessed remotely in three ways: via Telnet, the Windriver Debug port, or FTP. After accessing the device, an attacker would be able to view or alter the module's firmware, execute arbitrary code, or cause a denial of service. That's a concern since the Ethernet module is designed to allow the company's Quantum PLC to communicate with other systems and devices, via an Ethernet network. As a result, an attacker could theoretically access the Ethernet module, load "trojanized firmware," then use it to attack the PLC.
[ Insecure, Internet-connected industrial control systems are a national security threat. Learn why the Next DIY Stuxnet Attack Should Worry Utilities. ]
The vulnerability was spotted by supervisory control and data acquisition (SCADA) security researcher Ruben Santamarta, who detailed the related bugs Monday in a blog post. ICS-CERT said that Santamarta had notified it of the vulnerabilities prior to publishing details about them.
Santamarta also acknowledged that he was releasing information about the bugs when no patch yet exists. "I reported it to the ICS-CERT months ago, I would like to thank the ICS-CERT and the Schneider security team, they have taken these issues very seriously and are working on a patch. During the process they have been keeping me updated on every [decision]/progress. However, [some] time ago I decided to change my disclosure policy," said Santamarta.
Santamarta said the devices' firmware, which he reverse-engineered, was built using the VxWorks operating system, which may be the world's most popular embedded operating system. But VxWorks is often debugged using the Windriver Debug (WDB) agent, and as security researcher HD Moore discovered last year, when that agent is left enabled in devices that are in the field, anyone who's able to access the device could then read the device's memory or call its functions.
Furthermore, VxWorks itself is prone to a well-known password hashing vulnerability, which means that cracking administrator passwords in firmware built with the operating system is relatively easy to do. That's what Santamarta was able to accomplish.
To date, four Schneider Electric products, each of which may be running one of a number of different versions of firmware, have the vulnerabilities: Quantum (7 versions), Premium (8 versions), M340 (4 versions), and STB DIO (3 versions). According to ICS-CERT, Schneider Electric has so far developed fixes for only the most recent versions of firmware for the Quantum and M340, but they have yet to be released. The fixes have removed the modules' Telnet and Windriver services. Accordingly, said ICS-CERT, "organizations need to evaluate the impact of removing these services prior to applying this fix."
On a related note, ICS-CERT last week warned that thousands of industrial control systems are Internet-connected, yet not secured with firewalls or strong authentication. Furthermore, these systems can often be discovered by using free search tools, such as Shodan, that scour the Internet for devices that contain embedded Web servers.
Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)