theDocumentId => 1131042 Thousands of Vulnerabilities Detected In FAA's Air ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/8/2009
01:19 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Thousands of Vulnerabilities Detected In FAA's Air Traffic Control Apps

Government audit of 70 Federal Aviation Administration Web-based applications finds flaws that could put air traffic, itself, at risk

A government audit (PDF) has pinpointed more than 3,800 vulnerabilities -- 763 of which are high-risk -- in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk.

The U.S. Department of Transportation report, with the help of auditors from KPMG, determined that the ATC's Web-based applications aren't secured from attacks or unauthorized access, and that the FAA hasn't set up the necessary intrusion-detection functions to catch security incidents at ATC locations.

And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, "including critical incidents in which hackers may have taken over control of ATO computers," the report says.

The auditors tested 70 of the FAA's ATC Web applications, including ones that provide information to the general public, as well as to pilots and controllers, and some internal apps. Of the vulnerabilities they discovered, nearly 2,600 were considered low-risk threats, such as unprotected folders of sensitive data and weak passwords.

While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. "Our average is about seven per Website," Grossman says.

The vulnerabilities in the FAA's Web applications could allow an attacker to access information stored on the Web servers, and unauthorized internal FAA users could also access back-end air traffic control servers. "In addition, these vulnerabilities could allow attackers to compromise FAA user computers by injecting malicious code onto the computers," the report said.

Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report.

Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection.

The FAA's Web applications were improperly configured to prevent unauthorized access and had not been patched to fix known vulnerabilities from software vendors, the report says.

Auditors recommended that the FAA improve its patch management strategy, expand intrusion detection tools to all ATC facilities, and speed up remediation of application flaws. The good news from the audit is that no attacks have actually hit the operational air traffic control system -- just the back-end, support applications. "However, it is important to understand that attacks can spread from the mission-support network to the operational network -- where real-time surveillance, communications, and flight information is processed to separate aircraft -- because of network connections," the report says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37578
PUBLISHED: 2021-07-29
Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malic...
CVE-2021-23416
PUBLISHED: 2021-07-28
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input.
CVE-2021-23417
PUBLISHED: 2021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
CVE-2021-23415
PUBLISHED: 2021-07-28
This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path.
CVE-2020-4974
PUBLISHED: 2021-07-28
IBM Jazz Foundation products are vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 192434.