Posts Tagged ‘HMI’
Wednesday, November 20, 2013 @ 06:11 PM gHale
Catapult Software created an update that fixes the improper input validation in its DNP3 Driver software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the updated software to validate that it resolves the vulnerability.
This driver sees use with General Electric (GE) Intelligent Platform’s Proficy iFIX and CIMPLICITY products.
The following Catapult Software product suffers from the remotely exploitable issue:
• Catapult Software DNP driver (“DNP”): Version 7.20.56
• Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems).
With this driver in use, an outstation on an IP-based network can put the human-machine interface (HMI) into a denial-of-service (DoS) condition by sending a specially crafted transmission control protocol (TCP) packet. If the device connects via a serial connection, the same attack can occur with physical access to the outstation. The device must be shut down and then restarted to recover from the DoS.
New Zealand-based Catapult Software specializes in SCADA/HMI software development. The affected product, DNP 3.0 driver, sees use with GE Intelligent Platforms’ iFIX and CIMPLICITY products, which are Web-based SCADA/HMI systems. According to Catapult Software, the driver and SCADA systems deploy across several sectors, including oil and gas, water and wastewater, and electric utilities.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The following scoring is for IP-connected devices: The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash.
CVE-2013-2811 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop, causing the process to crash. The system must restart manually to clear the condition.
The following scoring is for serial-connected devices: CVE-2013-2823 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
No known public exploits specifically target this vulnerability, and an attacker with moderate skill would be able to exploit it.
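The advisory describes a parser that a single malformed packet can drive into an infinite loop. As an added example (not Catapult Software's code, and with CRC verification left out), the Python frame splitter below shows the defensive shape such a loop should have: the DNP3 link-layer LEN field is range-checked before it is used to compute a frame size, and every pass through the loop either returns or moves the read offset strictly forward, so no input can make it spin. The sample frames are constructed, with placeholder CRC bytes.

```python
import struct
from typing import Dict, List, Tuple

DNP3_START = b"\x05\x64"
HEADER_SIZE = 10   # start(2) + LEN(1) + CTRL(1) + DEST(2) + SRC(2) + header CRC(2)
MIN_LEN_FIELD = 5  # LEN counts CTRL+DEST+SRC plus user octets, so it is never below 5


def frame_size(len_field: int) -> int:
    """Octets a whole link frame occupies on the wire for a given LEN field.
    User data travels in 16-octet blocks, each followed by its own 2-octet CRC."""
    user_octets = len_field - MIN_LEN_FIELD
    crc_blocks = (user_octets + 15) // 16
    return HEADER_SIZE + user_octets + 2 * crc_blocks


def split_dnp3_frames(stream: bytes, max_frames: int = 1000) -> Tuple[List[Dict[str, int]], str]:
    """Walk a byte stream and return the link-layer headers it contains plus the
    reason the walk stopped. Every path through the loop either returns or moves
    `offset` strictly forward."""
    frames: List[Dict[str, int]] = []
    offset, end = 0, len(stream)
    while offset < end:
        if len(frames) >= max_frames:
            return frames, "frame budget exhausted"
        start = stream.find(DNP3_START, offset)
        if start < 0:
            return frames, "no further start octets"
        if end - start < HEADER_SIZE:
            return frames, "truncated header"
        len_field = stream[start + 2]
        if len_field < MIN_LEN_FIELD:
            # A LEN below 5 would make frame_size() smaller than the header itself.
            # Treat these start octets as noise and resync one octet further on.
            offset = start + 1
            continue
        size = frame_size(len_field)
        if end - start < size:
            return frames, "truncated frame"
        ctrl, dest, src = struct.unpack_from("<BHH", stream, start + 3)
        frames.append({"ctrl": ctrl, "dest": dest, "src": src,
                       "user_len": len_field - MIN_LEN_FIELD})
        offset = start + size   # size >= HEADER_SIZE, so this always advances
    return frames, "end of stream"


# Constructed sample frames (CRC fields are placeholders; CRC checking is omitted here).
FRAME_NO_DATA = bytes.fromhex("0564 05 C0 0100 0200 CCCC")               # LEN=5, no user data
FRAME_3_OCTETS = bytes.fromhex("0564 08 C4 0100 0200 CCCC AABBCC DDDD")   # LEN=8, 3 user octets
FRAME_BAD_LEN = bytes.fromhex("0564 02 C0 0100 0200 CCCC")                # LEN=2 is illegal
```

The two points a reviewer would look for are the range check on LEN before it feeds any size arithmetic, and the fact that the resync path advances by one octet rather than by a computed size that could be zero. A real implementation would additionally verify the header and block CRCs and bound the total bytes buffered per connection.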
An updated driver is available from Catapult Software. Installing Version 7.20.60 (GE IP 7.20k) of the DNP driver or newer will address this issue. The driver is available for download by registering for support.
The driver update is also available from GE.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets to add an additional layer of protection.
Thursday, October 10, 2013 @ 04:10 PM gHale
Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.
The following Invensys Wonderware products suffer from the issue: InTouch HMI 2012 R2 and all previous versions.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.
Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.
Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
CVE-2012-4709 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
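The safe parsing behaviour an HMI needs here is to refuse any document whose DTD reaches outside the file. The following is an added example, not Invensys' code: a small loader for a hypothetical <cfg> settings file, built on Python's expat bindings, that aborts the parse as soon as an external DTD or a SYSTEM/PUBLIC entity is declared, before any resource could be read. The sample documents, the <cfg> format and the file and host names inside them are constructed for illustration.

```python
import xml.parsers.expat as expat
from typing import Dict, List


class ExternalEntityFound(ValueError):
    """Raised from inside the parser as soon as a DTD tries to pull in something external."""


# Constructed sample documents for a hypothetical <cfg> settings file (not from the advisory).
BENIGN_XML = b'<?xml version="1.0"?>\n<cfg><name>pump-station-7</name></cfg>\n'
XXE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE cfg [ <!ENTITY ext SYSTEM "file:///C:/example/local.txt"> ]>\n'
    b'<cfg><name>&ext;</name></cfg>\n'
)
REMOTE_DTD_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE cfg SYSTEM "http://dtd-host.example/cfg.dtd">\n'
    b'<cfg><name>x</name></cfg>\n'
)


def load_config(data: bytes) -> Dict[str, object]:
    """Parse a <cfg> document; reject it if its DTD references any external resource."""
    result: Dict[str, object] = {"accepted": False, "name": None, "external_refs": [], "reason": ""}
    texts: List[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> would fetch an external DTD before the body is parsed.
        if system_id or public_id:
            result["external_refs"].append(system_id or public_id)
            raise ExternalEntityFound(f"external DTD declared for {name!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Any entity carrying a SYSTEM or PUBLIC identifier resolves to a file or URL.
        if system_id is not None or public_id is not None:
            result["external_refs"].append(system_id or public_id)
            raise ExternalEntityFound(f"external entity {name!r} declared")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = texts.append
    # Belt and braces: if a reference ever reached this hook, returning 0 makes expat
    # abort the parse instead of reading the resource.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    try:
        parser.Parse(data, True)
    except ExternalEntityFound as exc:
        result["reason"] = str(exc)
        return result
    except expat.ExpatError as exc:
        result["reason"] = f"malformed XML: {exc}"
        return result
    result["accepted"] = True
    result["reason"] = "no external references"
    result["name"] = "".join(texts).strip()
    return result
```

The declaration hooks fire before any entity is expanded, which is why the rejection happens with no file or network access at all; the `ExternalEntityRefHandler` returning 0 is a second line of defence in case a future code change enables parameter-entity processing. A stricter policy, which many deployments prefer, is to reject any document that carries a DOCTYPE at all.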
No known public exploits specifically target this vulnerability, and an attacker with low skill would be able to exploit it.
Instructions and a link to the application update are on the Invensys download page.
Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.
Friday, August 2, 2013 @ 03:08 PM gHale
By Gregory Hale
One of the many things Stuxnet taught the manufacturing automation world was operators cannot always believe what they see. That same axiom came true Thursday at Black Hat as researchers showed how easy it was to force a process out of control.
If you look at most standard DCS or SCADA networks, you can see the same type of basic design, but security still seems to be lacking, said Brian Meixell and Eric Forner, both researchers at Houston-based security provider Cimation during their session at the Black Hat conference in Las Vegas entitled, “Out of control: Demonstrating SCADA device exploitation.”
“Most firewalls are usually in place because a standard has told people to put them in, but they end up having an ‘anything can pass through.’ So there is no security there,” Meixell said.
That ends up being a very vital aspect as the two researchers were then able to demonstrate how they could work their way through a SCADA system without too much of a problem. “You don’t even have to go through the enterprise, you can just get to the system by going through a cell phone connection (in some cases),” Forner said.
But the way in to any system is through IP addresses found on the Internet, the researchers said.
One of the problems, Forner said, was the industry’s reliance on incredibly old Modbus/TCP protocol.
“Modbus is an ancient protocol, you never know what you are actually driving,” Forner said.
They could talk about the problem all day, but the researchers showed the proof was in the pudding with a demonstration in which a process was bringing water into a tank. A level transmitter was supposed to shut the system down when the fluid reached a certain level, but once they issued a few commands to get into the system, they essentially owned the process.
When that happened, every indicator showed the operator that the tank was below the overflow level and actually decreasing, while in reality the tank overflowed. They were able to override the safety interlock and take down the process.
“That could be oil or gas or some chemical leaking out of that tank,” Forner said.
“Because the operator saw something other than reality, when he goes to correct the problem, he may do something worse,” Meixell said.
“The operator is just doing what the PLC is telling him,” Forner said.
As an added bonus, after overflowing the tank, the researchers took command of the HMI in the system and downloaded a game of solitaire.
These were not magic tricks to take over a system; they were two guys who knew some of the ins and outs of a SCADA system making solid, basic moves.
That was an enlightening demo that showed just how fragile a system could be if the right layers of protection are not in play. Seeing is believing.
Wednesday, July 3, 2013 @ 09:07 AM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Heather MacKenzie
When engineers look at security, a topic they should know about is Deep Packet Inspection (DPI) and why offshore oil and gas networks need to use it if they want to be secure.
Let me give some context. You know the critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind.
People like Dale Peterson and his Basecamp team have made an industry out of showing just how vulnerable these devices really are. Unfortunately, these same systems are now connected to external systems using Ethernet and TCP/IP. That has been great for efficiency, but it exposes mission-critical production systems to malware.
Given the 20-year lifecycle common for industrial systems, it will be many years before more secure SCADA and ICS devices and protocols are in widespread use. This leaves the thousands of legacy platform control systems open to attack from even the most inexperienced hacker, who can then disable or destroy most industrial controllers.
Problem: No Granularity
The difficulty with legacy SCADA/ICS protocols is they have no granularity. To the average security device, a data read message looks exactly like a firmware update message.
Thus if you allow data read messages from an HMI to a PLC to pass through a traditional firewall, you are also allowing programming messages to pass through. This is a serious security issue.
You are faced with an impossible choice — keep the messages flowing that make the system run, but expose it to attacks, or block everything out. Since shutting systems down is not an option, accepting high risk has been the course taken by many. In a post-Macondo (Deepwater Horizon) world, this is not acceptable.
What can an engineer do? There is a solution.
Deep Packet Inspection
The solution is to find a firewall that can dig deep into industrial protocols to understand the purpose of a message. This is beyond the capability of IT firewalls and is called Deep Packet Inspection.
Here’s how it works: After applying traditional firewall rules, the DPI firewall inspects the content of messages and applies more detailed rules. For example, it determines if a message is a read or a write message and then drops all write messages.
In addition, good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviors (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by a hacker trying to crash a PLC and users need to block them.
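As an added example of the read/write distinction and the sanity checks described above (this is not Tofino's code, and a product firewall applies its own rule language), here is a minimal Modbus/TCP request inspector in Python: it validates the MBAP header, allows only read function codes, drops writes and anything structurally off, and a small tracker drops responses that do not answer an outstanding request, which is the "many replies to one request" pattern the text mentions. The function-code groupings follow the public Modbus application protocol specification; the frames are constructed samples, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Function codes grouped by their effect on the PLC (values from the Modbus specification).
READ_FCS: Set[int] = {1, 2, 3, 4, 7, 17}        # read coils/inputs/registers, status, server ID
WRITE_FCS: Set[int] = {5, 6, 15, 16, 22, 23}    # anything that changes coils or registers


@dataclass
class Verdict:
    action: str                 # "allow" or "drop"
    reason: str
    function_code: Optional[int] = None


def inspect_modbus_request(frame: bytes) -> Verdict:
    """Layer-7 rule applied after the IP/port rules have already matched:
    structural sanity checks first, then the read-only policy."""
    if len(frame) < 8:
        return Verdict("drop", "shorter than MBAP header plus function code")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        return Verdict("drop", f"MBAP protocol id {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        return Verdict("drop", f"MBAP length {length} disagrees with {len(frame) - 6} octets on the wire")
    fc = frame[7]
    if fc & 0x80:
        return Verdict("drop", "exception bit set in a request", fc)
    if fc in WRITE_FCS:
        return Verdict("drop", "write function code blocked by policy", fc)
    if fc in READ_FCS:
        return Verdict("allow", "read function code permitted", fc)
    return Verdict("drop", "function code not on the allow-list", fc)


class ReplyTracker:
    """Behavioural check: a response is legitimate only if it answers an
    outstanding request, and each request gets exactly one response."""

    def __init__(self) -> None:
        self.outstanding: Set[int] = set()

    def on_request(self, frame: bytes) -> None:
        self.outstanding.add(struct.unpack(">H", frame[:2])[0])

    def on_response(self, frame: bytes) -> Verdict:
        if len(frame) < 8:
            return Verdict("drop", "truncated response")
        tid = struct.unpack(">H", frame[:2])[0]
        if tid not in self.outstanding:
            return Verdict("drop", f"response to transaction {tid} was never requested", frame[7])
        self.outstanding.discard(tid)
        return Verdict("allow", "matches an outstanding request", frame[7])


# Constructed sample requests (hex with spaces for readability), not captured traffic.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "read_holding_regs": bytes.fromhex("0001 0000 0006 01 03 0000 000A"),             # FC 3
    "write_single_reg":  bytes.fromhex("0002 0000 0006 01 06 0010 00FF"),             # FC 6
    "write_multi_regs":  bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002"),  # FC 16
    "truncated":         bytes.fromhex("0004 0000 0006 01 03 00"),                    # length lies
    "bad_protocol_id":   bytes.fromhex("0005 0001 0006 01 03 0000 0001"),             # proto != 0
}


def evaluate_samples() -> Dict[str, str]:
    """Run the policy over the samples and report allow/drop per frame."""
    return {name: inspect_modbus_request(f).action for name, f in SAMPLE_REQUESTS.items()}
```

The allow-list is deliberately closed: diagnostics (8) and encapsulated transport (43) are neither read nor write here and fall through to a drop, which is the safe default for a rule set that only needs to keep an HMI's polling alive. A production inspector would also bound register counts per request and track per-peer rates.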
DPI in Need Now
Tofino’s Eric Byres said five years ago DPI would have been a “nice-to-have” capability. However, today’s generation of worms and advanced threats make it a “must-have” technology if you want a secure SCADA or ICS system.
The reason is that today’s malware designers and attackers know firewalls and intrusion detection systems will spot the use of an unusual protocol instantly. They know if the protocols on a network are normally HTTP (i.e. web browsing), Modbus and MS-SQL (i.e. database queries) then the sudden appearance of a new protocol like FTP will put the smart system administrator on his or her guard.
Thus worm designers work to stay under the radar by hiding their network traffic inside protocols that are already common on the network they are attacking. For example, many worms now hide their outbound communications in what appear to be normal HTTP messages.
Even if you suspected something was wrong, you would be stuck if all you had was a normal firewall. The simple blocking of all Modbus traffic would impact production. Without deep packet inspection, (i.e. tools to inspect the contents of messages and block suspicious traffic), your hands would end up tied.
DPI technology is a very powerful tool in the security tool box. It allows the engineer to block the bad stuff, yet avoid needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.
Certainly DPI is not a silver bullet for security – no technology is.
Heather MacKenzie is with Tofino Security, a Belden company. Click here to read the full version of the Practical SCADA Security blog.
Wednesday, April 3, 2013 @ 12:04 PM gHale
Two reports regarding vulnerabilities in Clorius Controls and Mitsubishi products were released to the public this week without mitigations from the suppliers, which means users need to remain extra vigilant, according to reports from ICS-CERT.
The first release was for a remotely exploitable vulnerability affecting the Clorius Controls ICS SCADA product that allows for an information disclosure that can lead to a loss of confidentiality.
According to the report, the device hosts a web service that reveals fingerprint information. The report was released without coordination with either the vendor or ICS-CERT.
ICS-CERT attempted to notify the affected vendor of the report to confirm the vulnerability and identify mitigations. ICS-CERT issued an alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cyber security attacks.
Meanwhile, another report was released without coordination for a remotely exploitable heap-based buffer overflow vulnerability, with proof-of-concept (PoC) exploit code, affecting Mitsubishi MX, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. The vulnerability could lead to remote code execution.
According to this report, the vulnerability is exploitable when an attacker provides specially crafted input. ICS-CERT notified the vendor and has asked the vendor to confirm the vulnerability and identify mitigations.
According to the Mitsubishi Automation Web site, MX links Mitsubishi PLCs with PCs running Microsoft Windows via serial, Ethernet, or other connections.
Click here for more details on this report.
Friday, March 8, 2013 @ 05:03 PM gHale
Indusoft created a fix that mitigates a directory traversal vulnerability in Indusoft Studio and Advantech Studio applications, according to a report on ICS-CERT.
Indusoft originally produced this product, which was later rebranded as Advantech Studio (both products share the vulnerability).
This remotely exploitable vulnerability was discovered by independent researcher Nin3, who released proof-of-concept (PoC) exploit code without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT; publicly available attacks target this vulnerability.
The following product versions suffer from the issue:
• Advantech Studio V7.0 and previous
• Indusoft Studio V7.0 and previous
Successful exploitation of this vulnerability could allow an attacker to download arbitrary files from the target system.
Indusoft designed and maintains Advantech Studio, which is a collection of automation tools that includes components required to develop human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) system applications that run on various Windows platforms.
According to Advantech, Advantech Studio currently sees use at nearly 2,000 installations worldwide. Advantech Studio is in a variety of applications including energy, building automation, water and wastewater management, and manufacturing.
InduSoft products are often integrated as third-party components in other vendors’ products. Indusoft is a U.S.-based company that sells through distributors worldwide.
Advantech Studio contains a flaw in the CreateFileW function of the sub_401A90 routine in the NTWebServer.exe file. The issue occurs when handling an absolute path request, which may allow a remote attacker to gain access to arbitrary files.
CVE-2013-1627 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
An attacker with a low skill would be able to exploit this vulnerability.
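The bug class here is a web server that hands a client-supplied absolute path straight to a file-open call. As an added example (not InduSoft's or Advantech's code), the function below shows how a server should map a request path onto its document root on Windows: it uses Python's ntpath so the Windows rules apply wherever it runs, refuses drive letters and UNC prefixes, forces the request to be relative to the root, and checks that the normalized result still lies under the root. WEB_ROOT and the sample requests are constructed, not the product's paths.

```python
import ntpath
from typing import Optional

# Constructed document root for a hypothetical Windows web server (not the product's path).
WEB_ROOT = r"C:\App\Web"


def resolve_web_path(web_root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto a file under web_root, or return None.
    ntpath is used deliberately so Windows semantics apply on any host."""
    if "\x00" in request_path:
        return None                                  # a NUL would truncate the name in a C API
    candidate = request_path.replace("/", "\\")      # URL separators -> Windows separators
    drive, _ = ntpath.splitdrive(candidate)
    if drive:
        return None                                  # "C:\..." or "\\server\share\..." is never ours
    candidate = candidate.lstrip("\\")               # force the request to be relative to the root
    root = ntpath.normpath(web_root)
    full = ntpath.normpath(ntpath.join(root, candidate))
    # normcase folds case and separators so "c:\app\web" and "C:\App\Web" compare equal.
    full_cmp, root_cmp = ntpath.normcase(full), ntpath.normcase(root)
    inside = full_cmp == root_cmp or full_cmp.startswith(root_cmp + "\\")
    return full if inside else None
```

The order matters: rejecting a drive or UNC prefix before the join is what closes the absolute-path hole, since `ntpath.join` (like the Win32 API) discards the root when the second argument is absolute. The prefix check on the normalized result then catches `..` sequences. Windows has further name forms a production server must handle by resolving the final path through the file system rather than by string inspection, among them 8.3 short names, trailing dots and spaces, and alternate data streams.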
Indusoft created a hotfix for this vulnerability. In order to install the hotfix, customers should send a request to email@example.com. Indusoft will send the installation files and assist the customer through the installation process.
Monday, January 21, 2013 @ 01:01 PM gHale
Schneider Electric issued a patch for a buffer overflow vulnerability in its Interactive Graphical SCADA System (IGSS) application, according to a report on ICS-CERT.
All versions of the IGSS application suffer from the remotely exploitable vulnerability. Aaron Portnoy, a researcher at Exodus Intelligence who found the problem, validated the patch as resolving the issue.
Exploiting this vulnerability results in a buffer overflow that could allow an attacker to execute code under administrator credentials. IGSS sees use in the renewable energy, process control, monitoring and control, motor controls, lighting controls, electrical distribution, and security system sectors.
Schneider Electric is a US-based company that has offices in 190 countries.
IGSS is a desktop application used to integrate industrial control system (ICS) components from diverse vendors using diverse sets of protocols and integrate their configuration and monitoring functions using IGSS as a single supervisory or human-machine interface (HMI) system.
Vulnerabilities are classified using Common Weakness Enumeration (CWE) identifiers; this stack-based buffer overflow is CWE-121.
IGSS communicates with a broad range of ICS devices using a broad range of protocols over two network ports, 12397/TCP and 12399/TCP by default. The researcher found that out-of-protocol communication over port 12397/TCP can cause a buffer overflow condition. Although this overflow can cause the application to crash, an attacker can also apply techniques that take advantage of the buffer overflow and likely execute malicious code with administrator privileges.
CVE-2013-0657 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
At present, no known exploits specifically target this vulnerability. An attacker with moderate skill would be able to exploit it.
Schneider issued two patches for versions V9 and V10 of the IGSS software to address this vulnerability. These patches are available from the Schneider Electric Web site.
Users running older versions of this software should upgrade or employ other mitigation methods. At a minimum, this port should be filtered so that only the specific IP addresses of the devices being controlled or monitored can reach it.
Monday, December 31, 2012 @ 11:12 AM gHale
There are mitigation details available for a vulnerability that impacts the i-GEN opLYNX Central software, which could lead to a partial leakage of information and access to system settings, according to a report on ICS-CERT.
The mitigations address an authentication bypass vulnerability in the i-GEN Solutions opLYNX Central application.
Independent researcher Anthony Cicalla, who found the remotely exploitable vulnerability, tested the new version to validate it resolves the vulnerability. This vulnerability impacts the energy sector, mainly in Canada.
opLYNX versions 2.01.8 and prior suffer from the issue.
Exploitation of this vulnerability could allow access to configuration settings and other information in the opLYNX Central application.
i-GEN Solutions Corp. is a Canada-based company that provides human-machine interface (HMI), supervisory control and data acquisition (SCADA), and plant historian software to oil and gas, pipelines, chemicals, utilities, and waste water management facilities around the world.
The affected product, opLYNX Central, is a Web-based application, which i-GEN Solutions said mainly sees deployment in the energy sector in Canada.
An attacker with a low skill would be able to exploit this vulnerability with publicly available tools.
i-GEN Solutions released a new version, opLYNX 2.01.9, that resolves this vulnerability. The new version is applied automatically upon login.