Attack Vector: Buffer Overflows Top Threat

Tuesday, May 31, 2011 @ 12:05 PM gHale


Vulnerable software remains a consistent fear among manufacturers today. What manufacturers once thought was a tight, secure package running on a control system has now converted into low hanging fruit for would be attackers.

A look at common industrial control system (ICS) software/product security weaknesses shows buffer overflows are the most common type of vulnerability identified in ICS products today, according to a new report just released by the U.S. Department of Homeland Security’s Control Systems Security Program (CSSP).

DHS’ CSSP performs cyber security vendor assessments, ICS-CERT operations, and asset owner cyber security evaluations with the Cyber Security Evaluation Tool (CSET) evaluations for industrial control systems (ICS) to reduce risk and improve security.

In 2009, a report titled “Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments” compiled common vulnerabilities identified during 15 security assessments of new ICS products and production ICS installations from 2004 through 2008. Three additional ICS product assessments took place in 2009 and 2010. This newer, 2010 version is an update to the 2009 version.

The following are example buffer overflow vulnerabilities discovered in ICS products:

  • Stack-based buffer overflows allowed remote code execution on ICS hosts
  • Heap-based buffer overflows allowed remote code execution on ICS hosts
  • A buffer overflow was found in a historian application
  • Username and password buffer overflows in Web Human-Machine Interface (HMI) Web server
  • Stack-based buffer overflow in ICS Web service
  • Stack-based buffer overflow in ICS Web HMI
  • Buffer overflow in ICS Web client
  • Exploitable stack overflow in OLE for Process Control (OPC) server
  • Heap-based buffer overflow in OPC server
  • Stack-based buffer overflow in OPC client
  • Stack-based buffer overflow caused by the use of the “strcpy” function
  • Buffer overflow vulnerability identified in a PLC application
  • Multiple buffer overflows identified in network packet parsing application
  • Buffer overflows in application that accepts command line and process control arguments over the network
  • Heap corruption on communications server
  • Multiple stack-based buffer overflows in communications interface.

After understanding the types of buffer overflow vulnerabilities that exist, the following are some recommendations: All code should validate input data. All programmers should undergo training in secure coding practices, and all code should undergo review and testing for input functions that could be susceptible to buffer overflow attacks. All input should undergo validation, not just input proven to cause buffer overflows. Input should undergo validation for length, and an input value should never be the basis for determining a buffer's size.

Length validation becomes especially important in the C and C++ programming languages, which contain string and memory function calls that can be insecure.

Even if a user never directly inputs values, that does not mean data will always arrive correctly formatted, or that hardware or operating system protections are always sufficient. Most buffer overflows identified in CSSP assessments were in the server applications that process ICS protocol traffic. In most cases, the values were input from network traffic, which can be intercepted and altered in transit. Therefore, a user should implement bounds and integrity checking on network data.

Perform a code review of all ICS applications responsible for handling network traffic. A user cannot trust network traffic; therefore, better security and sanity checks need to be implemented so fuzzing attempts will not cause crashes or a denial of service (DoS).
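The recommendations above (validate length, never size a buffer from an input value, avoid unsafe calls such as strcpy, and bounds- and integrity-check anything that arrives over the network) can be shown in one small C parser. The following is an added example written for this article; it is not code from the CSSP report or from any ICS product. The frame layout is a constructed one (message type, one-byte declared username length, the username bytes, then a 16-bit additive checksum), and the function names and error codes are assumptions chosen for illustration. The destination buffer is a fixed compile-time size, the declared length is checked against that buffer and against the bytes actually received, and the checksum is verified before any copy happens, so a frame altered in transit or produced by a fuzzer is rejected instead of crashing the server.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed, compile-time buffer size: never derived from a value in the frame. */
#define MAX_USER_LEN 16

/* Constructed error codes for this example. */
enum {
    PARSE_OK      =  0,
    ERR_SHORT     = -1,  /* frame too short to hold even the fixed fields */
    ERR_TOO_LONG  = -2,  /* declared length would not fit the caller's buffer */
    ERR_TRUNCATED = -3,  /* declared length exceeds bytes actually received */
    ERR_CHECKSUM  = -4   /* integrity check failed: altered or fuzzed frame */
};

/* Constructed integrity check: 16-bit additive checksum over the frame body. */
static uint16_t body_checksum(const uint8_t *buf, size_t len)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint16_t)(sum + buf[i]);
    return sum;
}

/*
 * Parse a login frame: [type][declared_len][user bytes...][checksum hi][checksum lo].
 * user_out receives a NUL-terminated username; user_cap is its real capacity.
 * Every length is validated before memcpy; strcpy is never used because network
 * data carries no guarantee of a terminating NUL.
 */
int parse_login_frame(const uint8_t *frame, size_t frame_len,
                      char *user_out, size_t user_cap)
{
    if (frame_len < 4)                       /* type + len + 2-byte checksum */
        return ERR_SHORT;

    size_t declared = frame[1];
    if (declared + 1 > user_cap)             /* bound by OUR buffer, not the input */
        return ERR_TOO_LONG;
    if (frame_len < 2 + declared + 2)        /* input claims more than was received */
        return ERR_TRUNCATED;

    size_t body_len = 2 + declared;
    uint16_t expect = (uint16_t)((frame[body_len] << 8) | frame[body_len + 1]);
    if (body_checksum(frame, body_len) != expect)
        return ERR_CHECKSUM;

    memcpy(user_out, frame + 2, declared);   /* length already proven to fit */
    user_out[declared] = '\0';
    return PARSE_OK;
}

/*
 * Build a frame for testing. declared_len is written into the header as-is so a
 * caller can construct deliberately inconsistent frames. Returns total length,
 * or 0 if out is too small.
 */
size_t build_login_frame(const char *user, size_t user_len, uint8_t declared_len,
                         uint8_t *out, size_t out_cap)
{
    size_t body_len = 2 + user_len;
    if (out_cap < body_len + 2)
        return 0;
    out[0] = 0x01;                           /* constructed "login" message type */
    out[1] = declared_len;
    memcpy(out + 2, user, user_len);
    uint16_t sum = body_checksum(out, body_len);
    out[body_len]     = (uint8_t)(sum >> 8);
    out[body_len + 1] = (uint8_t)(sum & 0xff);
    return body_len + 2;
}

int main(void)
{
    uint8_t frame[64];
    char user[MAX_USER_LEN + 1];

    size_t n = build_login_frame("operator", 8, 8, frame, sizeof frame);
    printf("well-formed frame: rc=%d user=%s\n",
           parse_login_frame(frame, n, user, sizeof user), user);

    n = build_login_frame("operator", 8, 200, frame, sizeof frame);
    printf("declared length 200: rc=%d\n",
           parse_login_frame(frame, n, user, sizeof user));

    n = build_login_frame("operator", 8, 8, frame, sizeof frame);
    frame[3] ^= 0xff;                        /* simulate alteration in transit */
    printf("altered frame: rc=%d\n",
           parse_login_frame(frame, n, user, sizeof user));
    return 0;
}
```

The ordering of the checks matters: the declared length is compared with the fixed buffer first, then with the bytes actually present, and only then is the checksum read, so no check ever indexes past the received data. A fuzzer flipping the length byte or corrupting a payload byte gets a negative return code and the caller can log and drop the frame rather than crash.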
