SCADA Vulnerabilities for 7-Technologies

Monday, March 28, 2011 @ 04:03 PM gHale

Vulnerabilities, including proof-of-concept (PoC) exploit code, have been disclosed for the 7-Technologies Interactive Graphics SCADA System (IGSS), and they could lead to a denial-of-service condition or worse.

Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities last week in SCADA products by Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Auriemma’s list includes potential security issues from remote file downloads and unauthorized file uploads to targeted attacks on services via integer, buffer and heap overflows.

In an effort to inform the industry, security specialists Eric Byres, chief technology officer at Byres Security, and Joel Langill, chief security officer at SCADAhacker, are writing a series of white papers summarizing the vulnerabilities. This white paper focuses on the vulnerabilities in the 7-Technologies Interactive Graphics SCADA System (IGSS) product. It provides guidance on possible mitigations and compensating controls that operators of SCADA and ICS systems can apply to protect critical operations.

The affected product, IGSS, is a SCADA system used in a wide range of industries, including water/wastewater, district heating, food & beverage, building automation, marine, oil & gas, metals & mining, traffic control, gas distribution, and electric utilities.

At a minimum, all but one of the disclosed vulnerabilities can forcefully crash a system server, causing a denial-of-service condition and loss of view. Of more serious concern to the SCADA and industrial control systems (ICS) community is the fact that, for two of these vulnerabilities, it is relatively simple to inject malicious code into the targeted host and then remotely execute commands to activate this payload.

Attacks using these vulnerabilities could be difficult to detect and prevent. All of the vulnerabilities lie in the core communication application within the IGSS platform, which manages communication between the various clients and services.

While we are currently unaware of any malware or cyber attacks taking advantage of these security issues, there is a risk that criminals or political groups may attempt to exploit them for either financial or ideological gain, according to the white paper.

Eight vulnerabilities affect the IGSS platform. Seven of them are in the IGSSdataServer.exe application, which listens on TCP port 12401, while the remaining vulnerability is in the dc.exe application on TCP port 12397. Both vulnerable applications are part of the IGSS application suite.

Five of the vulnerabilities identified in the IGSSdataServer.exe application are single or multiple stack (buffer) overflows. One is a directory traversal vulnerability, and the remaining one is a string-formatting bug.

The single vulnerability in the dc.exe application allows execution of arbitrary applications within the file system.

All except the “string formatting” vulnerability can be exploited remotely, which gives an attacker the potential to execute arbitrary malicious code on a targeted control system.

The disclosure of these vulnerabilities included sample data files that can be combined with freely available tools (such as netcat) for sending custom data packets over a network. These sample data files provide enough information that a moderately skilled attacker could create new files which leverage the vulnerabilities further. The most likely outcome is an attacker creating malicious payloads that could be executed remotely.

Typical malicious payloads range from simple remote shells, to information and credential stealing, to advanced call-back applications that can further compromise the target. An attacker can easily create most of these payloads with a framework such as Metasploit and then remotely inject them into the target control system using the disclosed vulnerabilities.

The publicly available data files and sample command scripts provided with the disclosure make it easy to perform a variety of attacks on the target system. The “directory traversal” vulnerability coupled with the “arbitrary command execution” vulnerability represents the simplest attack with the greatest potential impact.

Most of the stack overflow vulnerabilities will cause the affected service to terminate prematurely, producing a denial-of-service condition. Injecting and executing additional code through these vulnerabilities would require moderate to advanced skills to create a payload and combine it with the proof-of-concept (PoC) data files. Not all of the stack overflows have been confirmed to allow remote code execution.

What are the potential consequences to SCADA and control systems?

An attack successfully exploiting either of two of the disclosed vulnerabilities will allow the attacker to execute malicious code or perform unauthorized actions. Either outcome could completely compromise the integrity of the control system. At a minimum, applications can terminate prematurely, resulting in a denial-of-service condition that could impact the production environment under the control of the SCADA system.

The only requirement for communication between the IGSS Data Server and an arbitrary client is an IP connection and access to a specific TCP port. There is no authentication on this connection, so a vulnerability in such a critical service could compromise the overall integrity of the system communications, leading to deeper system penetration and potential compromise of the underlying control system.

The following control and SCADA systems suffer from these vulnerabilities:
• IGSS Version 9
• IGSS Version 8
• IGSS Version 7

7-Technologies confirmed that all eight vulnerabilities affect Version 9, while Versions 7 and 8 are only vulnerable to the exploit against the dc.exe application that allows remote execution of arbitrary code. The vendor does not support Version 7 and older. Sites using older, unsupported software should contact 7-Technologies Technical Support for information relating to system security.

On March 25, 7-Technologies said a patch for these vulnerabilities was available for registered IGSS end users.

A general Version 8 and 9 update is available on the vendor’s website under the “Download” section. 7-Technologies considers previous versions of the IGSS software “unsupported” and did not provide any updates for them.

ICS-CERT issued an advisory last week and is working with 7-Technologies.

Compensating controls are actions that do not correct the underlying issue but help block known attack vectors on systems where no patch is available or where the user has not yet installed the patch. The following are six potential compensating controls for IGSS systems:
• Installation of Industrial Firewalls to Protect Server
• Minimize Network Exposure of Vulnerable Systems
• Install an Intrusion Detection System
• Regularly Check System Log Files
• Regularly Check Security Perimeter Device Log Files
• Monitor Vendor Support Site for Applicable Patches
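Two of the controls above, minimizing network exposure and regularly checking perimeter device logs, can be combined into one simple check. The following is an added example, not code from the white paper, the article, or 7-Technologies: it scans a constructed firewall-style log for TCP connections to the two IGSS ports named above from hosts outside an assumed allowlist; the log format, addresses and allowlist are assumptions for illustration.

```python
"""Flag connections to the IGSS ports from hosts outside an allowlist.
Added example, not code from the article or 7-Technologies. Ports 12401
(IGSSdataServer.exe) and 12397 (dc.exe) come from the article; the log format,
addresses and allowlist are assumptions for illustration."""
import ipaddress
import re

# Ports used by the two affected IGSS applications (named in the article).
IGSS_PORTS = {12401: "IGSSdataServer.exe", 12397: "dc.exe"}
# Assumed allowlist: operator HMIs / engineering stations that may reach the
# data server. Anything else is unexpected, as the service has no authentication.
ALLOWED_CLIENTS = ipaddress.ip_network("10.10.1.0/24")
IGSS_SERVER = ipaddress.ip_address("10.10.2.5")

# Assumed log shape: "<ts> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_igss_connections(lines):
    """Return (timestamp, src, service) for TCP connections to the IGSS server
    on 12401/12397 from sources outside the allowlist, whether allowed or denied."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        dport = int(rec["dport"])
        if dport not in IGSS_PORTS or ipaddress.ip_address(rec["dst"]) != IGSS_SERVER:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src not in ALLOWED_CLIENTS:
            hits.append((rec["ts"], str(src), IGSS_PORTS[dport]))
    return hits

# Constructed sample log: one legitimate HMI, one outside host hitting both ports.
SAMPLE_LOG = [
    "2011-03-28T16:03:01 proto=tcp src=10.10.1.20:50211 dst=10.10.2.5:12401 action=allow",
    "2011-03-28T16:03:05 proto=tcp src=192.168.77.9:4444 dst=10.10.2.5:12401 action=allow",
    "2011-03-28T16:03:09 proto=tcp src=192.168.77.9:4445 dst=10.10.2.5:12397 action=deny",
    "2011-03-28T16:03:12 proto=udp src=192.168.77.9:4446 dst=10.10.2.5:12401 action=allow",
]
```

Calling `suspicious_igss_connections(SAMPLE_LOG)` reports the two TCP connections from 192.168.77.9 and nothing else; in practice the allowlist should be the documented set of IGSS clients and the log the export from the perimeter device or industrial firewall in front of the server.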

For more details and information, see the full white paper.