Meanwhile, today the ICS-CERT--which handles industrial control system security issues--issued yet another SCADA alert (PDF) for a newly discovered vulnerability in the BroadWin WebAccess system, which was disclosed by another researcher, Ruben Santamarta.
The SCADA bug wave began on Monday when researcher Luigi Auriemma released PoCs for the bugs he found, which include stack and heap overflows, integer overflows, arbitrary command execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, and design flaws. Many of the vulnerabilities could allow an attacker to remotely execute malicious code on these systems, which support processes in oil and gas, chemical, food and beverage, and building automation, for instance.
"This was an experiment I started for curiosity and to [gauge] the interest of the security companies that pay for vulnerabilities and ICS-CERT," Auriemma says. "Unfortunately, there was absolutely no interest for these bugs that otherwise would have been handled though the so-called responsible disclosure by the same companies, and so the only option remained the public full disclosure."
HD Moore, creator of Metasploit and chief security officer with Rapid7, says what's especially striking about Auriemma's disclosure is that he covered four different SCADA vendors, and all of the products appear to contain similar vulnerabilities -- stack overflows, denial-of-service, and directory traversal, for example.
"This [covers] every stupid vulnerability out there in one day. It's amazing because it's not just one class of vulns: It's every class of vulnerability," Moore says.
Auriemma's disclosure prompted the ICS-CERT to issue four alerts covering six vulnerabilities in Siemens' Tecnomatix FactoryLink, 13 vulnerabilities in Iconics' Genesis, eight vulnerabilities in 7-Technologies IGSS, and seven vulnerabilities in RealFlex's RealWin.
SCADA products are notoriously riddled with vulnerabilities, and many SCADA vendors are slow to patch. But the Stuxnet worm and subsequent research on how the attack was targeting Iraq's nuclear plant operations have put SCADA and process-control systems in the spotlight.
"I have seen [rising] interest in SCADA after Stuxnet. Probably some years ago a post like mine would have been passed almost in silence," Auriemma says.
Even so, he says worries about SCADA security have been overblown, and he's not concerned that his disclosure will lead to abuse, mainly because most SCADA systems operate on private networks and don't have Internet access. That would require an attacker to first get past that obstacle, he says, and SCADA systems require specific know-how.
Stuxnet's USB-based vector, however, demonstrated that those obstacles are not insurmountable.
Auriemma says he had discovered vulnerabilities in three other SCADA products prior to this project, and that he owns other code-execution bugs for additional SCADA products that he has not yet disclosed.
Meantime, while researcher Santamarta has released exploit code for the BroadWin bug, ICS-CERT said BroadWin has been unable to confirm the vulnerability. "ICS-CERT is continuing to work with BroadWin to develop a solution to effectively mitigate this reported vulnerability," the alert said.