Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/26/2018
10:30 AM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Overlooked Problem of 'N-Day' Vulnerabilities

N-days -- or known vulnerabilities -- are a goldmine for attackers of industrial control systems. It's time for a new defense strategy.

Security Researcher Joseph Pantoga contributed to this article.

Zero-day attacks tend to steal the spotlight when it comes to cybersecurity threats, but it is actually the known vulnerability — the "N-day" — that poses a much larger problem for many organizations and particularly those in the industrial sectors.

Whereas zero-days are a class of vulnerability that is unknown to a software developer or hardware manufacturer, an N-day is a flaw that is already publicly known but may or may not have a security patch available. There are countless known vulnerabilities in existence today, and many large commercial and governmental entities will find they have significant exposure within their broad network footprints.

However, the problem is far more acute for organizations that rely on industrial control systems (ICS) such as the energy, manufacturing, and infrastructure sectors. This is because ICS equipment can be extremely difficult to update and patch. To make matters worse, ICS firmware is often developed with insufficient built-in security controls, and product manufacturers can be slow to fix newly discovered vulnerabilities and threats.

For more than a year, our team analyzed unpatched N-day vulnerabilities in the firmware of widely used ICS devices in order to gain a better understanding of the problem. Some of these findings were recently presented at the S4x18 security conference in Miami. We found that N-days are extremely common in the ICS environment. Nearly all the operators who read this article are likely to have numerous N-days in their systems.

N-Days vs. Zero-Days
N-day vulnerabilities are a goldmine for attackers because the hard work has already been done. In certain cases, active exploits may already exist and be readily available from public disclosure documents. Compare this with zero-days, which are time-consuming and expensive to find and exploit — the reason why their use is declining among criminal groups.        .

While N-days pose a threat to any large network, industrial users are at an especially high risk because of specific circumstances unique to those environments:

  1. Systems must always be available. 
  2. No standardization. For example, in an ICS, as opposed to a standard computing environment, patching is often a manual proprietary process that requires unique software and knowledge for each vendor. 
  3. Patches rarely propagate between vendors that use shared code. This highlights an example we outlined at S4, where a vulnerability was reported to a vendor in the telecom sector, was patched by the software vendor (Intel/Windriver), but patches were not applied by a number of  other large vendors in ICS. 
  4. Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.

Real-World Cases Illustrate the Risks
The industry has already seen a number of attacks on industrial targets that have exploited N-day vulnerabilities in ICS devices and protocols. Some examples include: 

  • CrashOverride or Industroyer: This malware was used in a December 2016 attack that disrupted operations at a Ukrainian electrical transmission substation. It exploited the known CVE-2015-5374 Denial of Service condition to the Siemens SIPROTEC relays.
  • TRITON or HatMan: Discovered in 2017, the ICS malware targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers' emergency shutdown capability.
  • BlackEnergy: This malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. 

High-Risk Vulnerabilities
Many of the N-days we discovered in ICS firmware are critical in nature and could allow a hacker to gain remote access and total control over parts of an industrial operator's network or facility. These N-days could allow attackers to replicate the effects of CrashOverride, TRITON, BlackEnergy, or even Stuxnet much more easily, and at a much wider scale.

For example, in our research into the VxWorks 5.5.1 vulnerability (discussed above), we found that every major manufacturer had a product that remains unpatched against this N-day. In no case was this vulnerability listed for the individual ICS products, so vendors may not even know these vulnerabilities exist. The vulnerabilities can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations, and stealing sensitive information.

Due to the large number of vulnerabilities we discovered and the long lead time on ICS patching (as well as the low patch penetration rate), we decided not to disclose individual vulnerabilities against named devices for fear of arming attackers while device operators would be unable to respond.

Patching Is Not the Answer
ICS N-days are not an easy problem to fix. Solutions are limited by technical complications and a slow-to-act supply chain. Nonetheless, there is a lot the industry can do to address the problem.

To start, the current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware, and hardware from the very start in order to lower the overall risk of N-days and other problems, and to mitigate or prevent damage from their exploitation.

The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track hereUse Promo Code DR200 to register and save $200.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.