Vulnerabilities / Threats

3/26/2018
10:30 AM
Ang Cui
Ang Cui
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Overlooked Problem of 'N-Day' Vulnerabilities

N-days -- or known vulnerabilities -- are a goldmine for attackers of industrial control systems. It's time for a new defense strategy.

Security Researcher Joseph Pantoga contributed to this article.

Zero-day attacks tend to steal the spotlight when it comes to cybersecurity threats, but it is actually the known vulnerability — the "N-day" — that poses a much larger problem for many organizations and particularly those in the industrial sectors.

Whereas zero-days are a class of vulnerability that is unknown to a software developer or hardware manufacturer, an N-day is a flaw that is already publicly known but may or may not have a security patch available. There are countless known vulnerabilities in existence today, and many large commercial and governmental entities will find they have significant exposure within their broad network footprints.

However, the problem is far more acute for organizations that rely on industrial control systems (ICS) such as the energy, manufacturing, and infrastructure sectors. This is because ICS equipment can be extremely difficult to update and patch. To make matters worse, ICS firmware is often developed with insufficient built-in security controls, and product manufacturers can be slow to fix newly discovered vulnerabilities and threats.

For more than a year, our team analyzed unpatched N-day vulnerabilities in the firmware of widely used ICS devices in order to gain a better understanding of the problem. Some of these findings were recently presented at the S4x18 security conference in Miami. We found that N-days are extremely common in the ICS environment. Nearly all the operators who read this article are likely to have numerous N-days in their systems.

N-Days vs. Zero-Days
N-day vulnerabilities are a goldmine for attackers because the hard work has already been done. In certain cases, active exploits may already exist and be readily available from public disclosure documents. Compare this with zero-days, which are time-consuming and expensive to find and exploit — the reason why their use is declining among criminal groups.        .

While N-days pose a threat to any large network, industrial users are at an especially high risk because of specific circumstances unique to those environments:

  1. Systems must always be available. 
  2. No standardization. For example, in an ICS, as opposed to a standard computing environment, patching is often a manual proprietary process that requires unique software and knowledge for each vendor. 
  3. Patches rarely propagate between vendors that use shared code. This highlights an example we outlined at S4, where a vulnerability was reported to a vendor in the telecom sector, was patched by the software vendor (Intel/Windriver), but patches were not applied by a number of  other large vendors in ICS. 
  4. Extended lifetime. Systems are typically deployed in the field for over a decade and well past their support period. Vendors who desire to sell new products are disincentivized to routinely patch and support older products with security updates, even if they are still commonly found in the field.

Real-World Cases Illustrate the Risks
The industry has already seen a number of attacks on industrial targets that have exploited N-day vulnerabilities in ICS devices and protocols. Some examples include: 

  • CrashOverride or Industroyer: This malware was used in a December 2016 attack that disrupted operations at a Ukrainian electrical transmission substation. It exploited the known CVE-2015-5374 Denial of Service condition to the Siemens SIPROTEC relays.
  • TRITON or HatMan: Discovered in 2017, the ICS malware targets Schneider Electric's Triconex Safety Instrumented System (SIS) controllers' emergency shutdown capability.
  • BlackEnergy: This malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess. 

High-Risk Vulnerabilities
Many of the N-days we discovered in ICS firmware are critical in nature and could allow a hacker to gain remote access and total control over parts of an industrial operator's network or facility. These N-days could allow attackers to replicate the effects of CrashOverride, TRITON, BlackEnergy, or even Stuxnet much more easily, and at a much wider scale.

For example, in our research into the VxWorks 5.5.1 vulnerability (discussed above), we found that every major manufacturer had a product that remains unpatched against this N-day. In no case was this vulnerability listed for the individual ICS products, so vendors may not even know these vulnerabilities exist. The vulnerabilities can be exploited for such malicious purposes as manipulating settings and controls, physically damaging or destroying equipment, disrupting key operations, and stealing sensitive information.

Due to the large number of vulnerabilities we discovered and the long lead time on ICS patching (as well as the low patch penetration rate), we decided not to disclose individual vulnerabilities against named devices for fear of arming attackers while device operators would be unable to respond.

Patching Is Not the Answer
ICS N-days are not an easy problem to fix. Solutions are limited by technical complications and a slow-to-act supply chain. Nonetheless, there is a lot the industry can do to address the problem.

To start, the current reactive approach of patching known vulnerabilities is no longer tenable. Every component of the ICS environment should have strong security baked into the software, firmware, and hardware from the very start in order to lower the overall risk of N-days and other problems, and to mitigate or prevent damage from their exploitation.

The best solutions will combine intrusion detection and mitigation techniques to protect against known and unknown attacks without relying on continuous updates. By and large, these features do not exist, so it is incumbent upon manufacturers to develop or source this technology as quickly as possible.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track hereUse Promo Code DR200 to register and save $200.

Dr. Ang Cui is the founder and CEO of Red Balloon Security in New York City, and a PI on DARPA LADS, as well as various other government agency funded research efforts. Dr. Cui is the inventor of Symbiote, a firmware defense technology for embedded devices, and FRAK, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When they asked me to do a pen test, I wasn't thinking of this!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...