Breach: More SCADA System Holes

Wednesday, August 31, 2011 @ 03:08 PM gHale

SCADA system vulnerabilities continue to rock the manufacturing automation industry as two more alerts hit the street this week.

In one there is an authentication bypass vulnerability in Control Microsystems’ ClearSCADA application discovered by independent security researcher Jeremy Brown.

Compliance Does Not Mean Secure
ICS, SCADA Security Boot Camp
SCADA Hacking via Search Engines
Smart Grid Security a Top Priority

In another, there is a structured exception handler (SEH) overwrite vulnerability in Sunway Force Control SCADA Version 6.1

In the Control Microsystems case, the vulnerability for this system first came out June 22, but ICS-CERT delayed the release to allow users sufficient time to download and install the update. Control Microsystems created a new version that mitigates this vulnerability and ICS-CERT tested the new version to validate the company fixed the vulnerability.

The following ClearSCADA versions suffered from the vulnerability:
• ClearSCADA 2010 R1.0
• ClearSCADA 2009
• ClearSCADA 2007
• ClearSCADA 2005

The advisory applies to all versions of SCX (from Serck UK or Serck Aus) older than the following (these SCX versions contain ClearSCADA in the bundle):
• SCX Version 67 R4.5
• SCX Version 68 R3.9

The problem with this vulnerability is it allows an attacker access to diagnostic information without proper authentication.

Control Microsystems, a global supplier of SCADA hardware and software products, focuses its product line mainly in the water and wastewater automation, natural gas and crude oil production and pipeline automation, and substation automation and power areas.

ClearSCADA is an integrated SCADA host platform that includes a polling engine, real-time database, historian, web server, alarm processor, and a reporting package. The client applications function as the human-machine interface. While ClearSCADA works with Control Microsystems SCADAPack field devices, it has built-in drivers for most major third-party controllers. Serck UK and Serck AUS sell a bundle called SCX that includes ClearSCADA.

ClearSCADA provides a web interface for remote connections. When an exception occurs in the dbserver.exe file during the authentication process, ClearSCADA enters the “Safe Mode” of operation. This exposes its diagnostic functions to remote users without requiring a valid login. That opening could allow a remote attacker to view sensitive information and possibly modify functions of the server running on the affected host.

Control Microsystems corrected this vulnerability in its regular maintenance release.

Control Microsystems recommended the following to all users of ClearSCADA:
• Limit server and server network access to only trusted networks and users.
• Disable logons on ClearSCADA non-secure ports. This setting is under System Configuration ->WebX in the server configuration window.
• Install a WebX security certificate from a trusted authority.
• pgrade the ClearSCADA server to ClearSCADA 2010 R1.1 or newer. There will not be a patch for ClearSCADA 2009 and earlier.

Contact a regional sales manager or Control Microsystems representative for additional information. Users can also contact the factory directly at 1-888-267-2232.

Meanwhile, with Sunway Force Control SCADA Version 6.1, there is a structured exception handler (SEH) overwrite vulnerability.

Boundary errors that occur during various functions can cause heap-based or stack-based buffer overflows, which in turn may allow execution of arbitrary code.

ICS-CERT is coordinating with the vendor to validate and mitigate this vulnerability. Additional information will release as it becomes available.

Beijing-based Sunway Force Control Technology Co. provides SCADA HMI applications for a variety of industries such as petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water, and manufacturing. Sunway’s products are mainly in China, but according to the company’s website, they also have their software in Europe, the Americas, Asia, and Africa.

Leave a Reply

You must be logged in to post a comment.