One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck; they are the product of a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are the experienced professionals who do little in the way of security assessment before commissioning systems in real production facilities.
So what about the four SCADA / HMI products behind Luigi Auriemma's 34 zero-day vulnerabilities? Would any of them have additional vulnerabilities, just waiting to be exposed to the world? After all, Luigi claims to have spent only two days per product. That isn't much time; what if someone else started looking harder? So we decided to give it a shot.
Additional Vulnerabilities are Easy to Find
Sure enough, Eric and I began working on one of the flawed HMI packages last night. Within five minutes of my first scan, I found that it is susceptible to directory traversal attacks. In other words, the HMI software allows unrestricted access to most of the file system, including critical password files. Once an attacker has those files, further remote attacks are trivial.
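To make the traversal bug concrete, here is an added example (not code from the original post, and not code from any HMI vendor): a minimal static-file resolver with the flaw described above, beside a hardened version, plus a short probe list of the kind a first scan would throw at a web-based HMI. The web root, the probe strings and the sample request paths are all constructed for illustration; the functions work purely on path strings so the example runs offline.

```python
"""
Added example, not from the original post or any vendor: directory traversal
in a web-based HMI file handler, shown as a vulnerable path resolver beside a
hardened one, with a probe list to check either. Uses posixpath so the result
is the same on any host; all paths below are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

# Constructed document root standing in for the HMI package's web directory.
WEB_ROOT = "/opt/hmi/www"


def resolve_vulnerable(request_path: str) -> str:
    """Naive handler: decode once, glue onto the root, normalise.

    normpath collapses the '..' segments, so '../../../etc/passwd' resolves
    to '/etc/passwd' and the server happily serves it.
    """
    decoded = unquote(request_path).lstrip("/")   # lstrip: join() would drop the root
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded))


def resolve_hardened(request_path: str) -> str:
    """Hardened handler: canonicalise, then verify containment in WEB_ROOT."""
    decoded = unquote(request_path)
    if unquote(decoded) != decoded:
        # Still has %xx sequences after one decode: double encoding, reject.
        raise PermissionError("double-encoded path rejected")
    if "\x00" in decoded:
        # NUL bytes truncate the name in C-level open(); reject outright.
        raise PermissionError("NUL byte in path")
    # Treat backslashes as separators too, as a Windows-hosted HMI would.
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # Containment check on the canonical path. commonpath (not a string
    # prefix test) so '/opt/hmi/wwwroot/x' does not pass as under WEB_ROOT.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise PermissionError("path escapes web root: %r" % candidate)
    return candidate


# Constructed probes, in the style of a first-pass traversal scan.
TRAVERSAL_PROBES = [
    "index.html",                          # benign control
    "../../../etc/passwd",                 # plain traversal
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",     # URL-encoded dots
    "..%2f..%2f..%2fetc%2fpasswd",         # URL-encoded slashes
    "%252e%252e/%252e%252e/etc/passwd",    # double-encoded; escapes only a server that decodes twice
    "..\\..\\..\\etc\\passwd",             # backslash separators (Windows-hosted HMI)
    "index.html%00../../etc/passwd",       # NUL truncation
]


def escaping_probes(resolver) -> list:
    """Return the probes that the given resolver lets out of WEB_ROOT."""
    escaped = []
    for probe in TRAVERSAL_PROBES:
        try:
            target = resolver(probe)
        except PermissionError:
            continue                       # hardened resolver refused it
        if posixpath.commonpath([WEB_ROOT, target]) != WEB_ROOT:
            escaped.append(probe)
    return escaped


if __name__ == "__main__":
    print("vulnerable resolver leaks on:", escaping_probes(resolve_vulnerable))
    print("hardened resolver leaks on:  ", escaping_probes(resolve_hardened))
```

The vulnerable resolver lets three of the probes out of the web root (the plain traversal and the two single-encoded variants); the double-encoded and NUL probes stay inside only because this toy decodes exactly once and never calls open(), which is why the hardened version rejects them anyway rather than relying on that luck. The containment test on the canonical path is the part that matters; blacklisting "../" substrings is what encoded and backslash variants are built to slip past.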
Unlike Luigi, I filed a report with ICS-CERT a few hours ago, copying the vendor. ICS-CERT immediately followed up on my submission, assigned it an ICS-VU tracking identifier, and requested additional data from my research to review with the vendor.
Responsible Disclosure is Key
We believe that responsible disclosure is important. All ICS/SCADA vendors need time to fix their products and get their patches distributed to the end user community. All SCADA/ICS end users need time to deploy those patches. Otherwise we just hand the bad guys a multi-week head start on the companies running critical control systems. Unless you are a terrorist, that is very bad.
But the point of this blog is that even with responsible disclosure, the bad guys now know where to look for SCADA security holes. The talented ones don't need the specific exploits; they just need to get their hands on any of the four SCADA products. Actually, they probably just need to get their hands on any SCADA HMI product, since the number of vendors with clean records is getting smaller by the day.
We repeat what Eric said at the end of his recent blog article: ICS Community, now is the time to step up and work together to secure our critical systems.
This article was written in collaboration with Eric Byres.