Breaking Down Firm’s SCADA Vulnerabilities

Friday, March 25, 2011 @ 07:03 PM gHale

Vulnerabilities, together with proof-of-concept (PoC) exploit code, are now out in the industry for ICONICS’ GENESIS32 and GENESIS64, and while some of the vulnerabilities may appear trivial, in the hands of an experienced hacker they could lead to serious repercussions.

Earlier this week Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Auriemma’s list spans the spectrum of potential security issues, from remote file downloads and unauthorized file uploads to targeted attacks on services via integer, buffer and heap overflows.

In an effort to inform the industry, security specialists Eric Byres, chief technology officer at Byres Security, and Joel Langill, chief security officer at SCADAhacker, are writing a series of white papers summarizing the vulnerabilities. This white paper focuses on the ICONICS vulnerabilities. It provides guidance regarding possible mitigations and compensating controls that operators of SCADA and ICS systems can take to protect critical operations.

In this case the products affected, namely ICONICS’ GENESIS32 and GENESIS64, are OPC Web-based human-machine interface (HMI)/Supervisory Control and Data Acquisition (SCADA) systems. They work in critical control applications including oil and gas pipelines, military building management systems, airport terminal systems, and power generation plants.

A hacker can use these vulnerabilities to forcefully crash system servers, causing a denial-of-service condition. What makes these vulnerabilities difficult to detect and prevent is that they expose the core communication application within the GENESIS platform, the one used to manage and transmit messages between the various clients and services.

For ICONICS, the 13 vulnerabilities disclosed target the GenBroker.exe application on TCP port 38080 within the ICONICS GENESIS32 (version 9.21 or earlier) and GENESIS64 (version 10.51 or earlier) platforms, according to the white paper. Of the 13 vulnerabilities disclosed, 12 are remote integer (buffer) overflows, while one is a memory corruption vulnerability.

All 13 vulnerabilities are remotely exploitable over the vulnerable port, TCP/38080. This port is nearly always open on the affected GENESIS machines, as it provides access to a core application used to manage communications between clients and servers, the white paper said.

With this knowledge it is possible for an attacker to further experiment, and with moderate expertise, create a malicious payload. Possible payloads range from simple remote shells, to information and credential stealing, to advanced call-back applications that can further compromise the target control system.

The publicly available proof-of-concept code released with the disclosure makes it easy to cause the affected service to terminate prematurely, resulting in a denial-of-service condition and loss of view in the control system, according to the white paper. Executing arbitrary code on the affected servers would require moderate to advanced skills to create the payload and incorporate it into the PoC code.

Some in the industry are aware of the issues associated with using the Distributed Component Object Model (DCOM). ICONICS addresses DCOM issues through the GenBroker application. This is the core component that manages communication into and out of the GENESIS server, and it was developed to offer users options for improving and simplifying communication between hosts within the control system architecture.

By using the GenBroker, users can communicate directly with other OPC devices either using the traditional DCOM method (as might be the case within a local network environment), or by using GenBroker via TCP/IP and SOAP/XML channels, according to the white paper. With GenBroker, it is even possible to allow communication over wide area networks, including the Internet.

This added flexibility to allow wide area communications is one reason why a vulnerability in such a critical service could compromise the overall integrity of the system communications, leading to deeper system penetration and potential compromise.

ICS-CERT issued an advisory this week and is working with ICONICS.

ICONICS is working on addressing these vulnerabilities and will provide a patch as soon as it is available. An announcement will be posted on the company’s home page.

Compensating controls are actions that will not correct the underlying issue, but will help block known attack vectors for systems where no patch is available. The following are six suggested compensating controls:
• Move GenBroker Communication to a Non-Default Port
• Installation of Industrial Firewalls to Protect Server
• Minimize Exposure of Vulnerable Systems to External Networks
• Regularly Check System Log Files
• Regularly Check Security Perimeter Device Log Files
• Monitor Vendor Support Site for Applicable Patches
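As an added example (not code from the white paper, ICONICS, or the authors), the two log-review controls above can be turned into a routine check: the script below reads firewall log lines, keeps only TCP traffic to the GenBroker port (38080 by default, or whatever non-default port it was moved to), flags allowed connections from sources outside an approved client subnet, and counts attempts per source so a burst of repeated connections stands out. The key=value log format, the approved subnet and all addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

GENBROKER_PORT = 38080  # default GenBroker listener named in the white paper

# Assumed allow list: the only hosts expected to talk to GenBroker (hypothetical subnet)
APPROVED_CLIENTS = [ipaddress.ip_network("10.10.1.0/24")]

# Constructed sample lines in a generic key=value firewall log format (not a real vendor format)
SAMPLE_LOG = """\
2011-03-25T07:01:12 action=allow src=10.10.1.15 dst=10.10.1.5 proto=tcp dport=38080
2011-03-25T07:01:13 action=allow src=10.10.1.16 dst=10.10.1.5 proto=tcp dport=38080
2011-03-25T07:02:40 action=allow src=192.168.50.9 dst=10.10.1.5 proto=tcp dport=38080
2011-03-25T07:02:41 action=allow src=192.168.50.9 dst=10.10.1.5 proto=tcp dport=38080
2011-03-25T07:02:42 action=allow src=192.168.50.9 dst=10.10.1.5 proto=tcp dport=38080
2011-03-25T07:03:05 action=allow src=10.10.1.15 dst=10.10.1.5 proto=tcp dport=80
2011-03-25T07:03:07 action=deny src=203.0.113.7 dst=10.10.1.5 proto=tcp dport=38080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r" proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_approved(src):
    """True if the source address lies inside one of the approved client networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in APPROVED_CLIENTS)

def find_suspicious(log_text, port=GENBROKER_PORT):
    """Return (alerts, counts): allowed GenBroker connections from non-approved sources,
    plus the number of attempts (allowed or denied) per source on that port."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        counts[rec["src"]] += 1
        if rec["action"] == "allow" and not is_approved(rec["src"]):
            alerts.append(rec)
    return alerts, counts
```

Denied attempts are still counted, since a perimeter device repeatedly blocking an outside host on the GenBroker port is itself worth investigating.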

For more details and information, download the white paper.