SCADA Patch Validated

Friday, May 13, 2011 @ 01:05 PM gHale

7-Technologies developed a patch that resolves the reported vulnerabilities which could lead to a denial of service condition or worse. ICS-CERT validated the patch.

If triggered, these vulnerabilities, for which proof-of-concept (PoC) exploit code has been released, could lead to a denial of service condition. The product in question is the 7-Technologies Interactive Graphics SCADA System (IGSS).

In March, Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Auriemma’s list included potential security issues from remote file downloads and unauthorized file uploads to targeted attacks on services via integer, buffer and heap overflows.

In an effort to inform the industry, security specialists Eric Byres, chief technology officer at Byres Security, and Joel Langill, chief security officer at SCADAhacker, wrote a series of white papers summarizing the vulnerabilities. The excerpts below focus on the white paper covering the 7-Technologies Interactive Graphics SCADA System (IGSS) product vulnerabilities. The white paper provides guidance on possible mitigations and compensating controls that operators of SCADA and ICS systems can take to protect critical operations.

The product affected, namely IGSS, is a SCADA system used in a wide range of industries, including water/wastewater, district heating, food & beverage, building automation, marine, oil & gas, metals & mining, traffic control, gas distribution, and electric utilities.

At a minimum, all but one of the disclosed vulnerabilities can forcefully crash a system server, causing a denial-of-service condition and loss of view. Of more serious concern to the SCADA and industrial control systems (ICS) community is the fact that for two of these vulnerabilities, it is relatively simple to inject malicious code into the targeted host and then remotely execute commands to activate this payload.

Attacks using these vulnerabilities could be difficult to detect and prevent. All vulnerabilities expose the core communication application within the IGSS platform used to manage communication between various clients and services.

Eight vulnerabilities affect the IGSS platform, according to the white paper. Of the eight, seven target the IGSSdataServer.exe application on TCP port 12401, while the remaining vulnerability targets the dc.exe application on TCP port 12397. Both vulnerable applications are part of the IGSS application suite.

Five of the vulnerabilities identified in the IGSSdataServer.exe application are single or multiple stack (buffer) overflows. One is a directory traversal vulnerability, and the remaining vulnerability is a bug related to string formatting.

The single vulnerability in the dc.exe application allows execution of arbitrary applications within the file system.

It is possible to remotely exploit all except for the “string formatting” vulnerability. That can provide the attacker the potential to execute arbitrary malicious code on a targeted control system.

The disclosure of these vulnerabilities included sample data files that can be combined with freely available hacking tools (such as netcat) for sending custom data packets on a network. These sample data files provide enough information that a moderately skilled attacker could create new files which leverage the vulnerabilities further. The most likely scenario would be for an attacker to create malicious payloads that could be executed remotely.

Typical malicious payloads range from simple remote shells, to information and credential stealing, to advanced call-back applications that can further compromise the target. An attacker can easily create most of these payloads with a framework such as Metasploit and then remotely inject it into the target control system using the disclosed vulnerabilities.

The publicly available data files and sample command scripts provided with the disclosure make it easy to perform a variety of attacks on the target system. The “directory traversal” vulnerability coupled with the “arbitrary command execution” vulnerability represent the simplest attacks which can cause the greatest impact.

Most of the stack overflow vulnerabilities will cause the affected service to terminate prematurely and cause a denial-of-service condition. Injecting and executing additional code using these vulnerabilities would require moderate to advanced skills to create the payload and incorporate it into the proof-of-concept (PoC) data files. Not all stack overflows have been confirmed to allow remote code execution.

What are the potential consequences to SCADA and control systems?

An attack successfully exploiting two of the disclosed vulnerabilities will allow the attacker to either execute malicious code or perform unauthorized actions. Either of these could completely compromise the integrity of the control system. At a minimum, applications can prematurely terminate resulting in a denial-of-service condition that could potentially impact the production environment under control of the SCADA system.

The only requirement for communication between the IGSS Data Server and an arbitrary client is an IP connection and access to a specific TCP/IP port. There is no authentication process in place on this connection, so a vulnerability in such a critical service could compromise the overall integrity of the system communications, leading to deeper system penetration and potential compromise of the underlying control system.
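Because the IGSS Data Server performs no authentication on this connection, network access control and monitoring of who reaches the two service ports are the practical compensating controls. As an added example (not from the article or the white paper), the following script checks firewall connection records for clients outside an assumed allowlist reaching TCP ports 12401 and 12397; the log format, the allowlist and the sample lines are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# IGSS services named in the article and the TCP ports they listen on.
IGSS_PORTS = {12401: "IGSSdataServer.exe", 12397: "dc.exe"}

# Hypothetical allowlist of networks permitted to reach the IGSS server
# (constructed for this example; a site would take it from its own inventory).
ALLOWED_CLIENTS = [ipaddress.ip_network("10.10.1.0/24")]


@dataclass
class Finding:
    src: str      # client address that reached an IGSS port
    port: int     # destination TCP port
    service: str  # IGSS executable listening on that port
    line: str     # the raw log record, kept for triage


def parse_line(line):
    """Split a 'key=value' firewall record into a dict; unknown tokens are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def flag_unexpected_clients(lines, allowed=ALLOWED_CLIENTS):
    """Return a Finding for every record where a non-allowlisted host hit an IGSS port."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        try:
            port = int(fields["dport"])
            src = ipaddress.ip_address(fields["src"])
        except (KeyError, ValueError):
            continue  # malformed or unrelated record
        if port not in IGSS_PORTS:
            continue  # traffic to other services is out of scope here
        if any(src in net for net in allowed):
            continue  # an expected IGSS client (operator station, etc.)
        findings.append(Finding(str(src), port, IGSS_PORTS[port], line))
    return findings


# Constructed sample records in the assumed 'key=value' format.
SAMPLE_LOG = [
    "2011-05-13T13:05:01 action=allow src=10.10.1.20 dst=10.10.2.5 dport=12401 proto=tcp",
    "2011-05-13T13:05:04 action=allow src=192.168.77.9 dst=10.10.2.5 dport=12401 proto=tcp",
    "2011-05-13T13:05:09 action=allow src=10.10.1.21 dst=10.10.2.5 dport=443 proto=tcp",
    "2011-05-13T13:05:12 action=allow src=172.16.4.40 dst=10.10.2.5 dport=12397 proto=tcp",
    "not a connection record",
]

if __name__ == "__main__":
    for f in flag_unexpected_clients(SAMPLE_LOG):
        print(f"{f.src} reached {f.service} on tcp/{f.port}: {f.line}")
```

Records logged as allowed by the firewall are the interesting ones here: each such finding is a client the filtering rules should not have let through.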

The following control and SCADA systems suffer from these vulnerabilities:
• IGSS Version 9
• IGSS Version 8
• IGSS Version 7

The vulnerabilities affect 7-Technologies IGSS SCADA HMI prior to Version, while Versions 7 and 8 are only vulnerable to exploits against the dc.exe application allowing remote execution of arbitrary code. The vendor does not support Version 7 and older. Sites using older, unsupported software should contact 7-Technologies Technical Support for information relating to system security.
