Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/26/2018
10:30 AM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Overlooked Problem of 'N-Day' Vulnerabilities

N-days -- or known vulnerabilities -- are a goldmine for attackers of industrial control systems. It's time for a new defense strategy.

Security Researcher Joseph Pantoga contributed to this article.

Zero-day attacks tend to steal the spotlight when it comes to cybersecurity threats, but it is actually the known vulnerability — the "N-day" — that poses a much larger problem for many organizations and particularly those in the industrial sectors.

Whereas zero-days are a class of vulnerability that is unknown to a software developer or hardware manufacturer, an N-day is a flaw that is already publicly known but may or may not have a security patch available. There are countless known vulnerabilities in existence today, and many large commercial and governmental entities will find they have significant exposure within their broad network footprints.

However, the problem is far more acute for organizations that rely on industrial control systems (ICS) such as the energy, manufacturing, and infrastructure sectors. This is because ICS equipment can be extremely difficult to update and patch. To make matters worse, ICS firmware is often developed with insufficient built-in security controls, and product manufacturers can be slow to fix newly discovered vulnerabilities and threats.

For more than a year, our team analyzed unpatched N-day vulnerabilities in the firmware of widely used ICS devices in order to gain a better understanding of the problem. Some of these findings were recently presented at the S4x18 security conference in Miami. We found that N-days are extremely common in the ICS environment. Nearly all the operators who read this article are likely to have numerous N-days in their systems.

N-Days vs. Zero-Days
N-day vulnerabilities are a goldmine for attackers because the hard work has already been done. In certain cases, active exploits may already exist and be readily available from public disclosure documents. Compare this with zero-days, which are time-consuming and expensive to find and exploit — the reason why their use is declining among criminal groups.        .

While N-days pose a threat to any large network, industrial users are at an especially high risk because of specific circumstances unique to those environments:

  1. Systems must always be available. 
  2. No standardization. For example, in an ICS, as opposed to a standard computing environment, patching is often a manual proprietary process that requires unique software and knowledge for each vendor. 
  3. Patches rarely propagate between vendors that use shared code. This highlights an example we outlined at S4, where a vulnerability was reported to a vendor in the telecom sector, was patched by the software vendor (Intel/Windriver), but patches were not applied by a number of  other large vendors in ICS. 
  4. Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.

Real-World Cases Illustrate the Risks
The industry has already seen a number of attacks on industrial targets that have exploited N-day vulnerabilities in ICS devices and protocols. Some examples include: 

  • CrashOverride or Industroyer: This malware was used in a December 2016 attack that disrupted operations at a Ukrainian electrical transmission substation. It exploited the known CVE-2015-5374 Denial of Service condition to the Siemens SIPROTEC relays.
  • TRITON or HatMan: Discovered in 2017, the ICS malware targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers' emergency shutdown capability.
  • BlackEnergy: This malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. 

High-Risk Vulnerabilities
Many of the N-days we discovered in ICS firmware are critical in nature and could allow a hacker to gain remote access and total control over parts of an industrial operator's network or facility. These N-days could allow attackers to replicate the effects of CrashOverride, TRITON, BlackEnergy, or even Stuxnet much more easily, and at a much wider scale.

For example, in our research into the VxWorks 5.5.1 vulnerability (discussed above), we found that every major manufacturer had a product that remains unpatched against this N-day. In no case was this vulnerability listed for the individual ICS products, so vendors may not even know these vulnerabilities exist. The vulnerabilities can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations, and stealing sensitive information.

Due to the large number of vulnerabilities we discovered and the long lead time on ICS patching (as well as the low patch penetration rate), we decided not to disclose individual vulnerabilities against named devices for fear of arming attackers while device operators would be unable to respond.

Patching Is Not the Answer
ICS N-days are not an easy problem to fix. Solutions are limited by technical complications and a slow-to-act supply chain. Nonetheless, there is a lot the industry can do to address the problem.

To start, the current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware, and hardware from the very start in order to lower the overall risk of N-days and other problems, and to mitigate or prevent damage from their exploitation.

The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track hereUse Promo Code DR200 to register and save $200.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.