SCADA Firms Suffer Vulnerabilities

Tuesday, September 13, 2011 @ 03:09 PM gHale

What are the chances of two companies named Scadatec facing ICS-CERT vulnerabilities in the same time frame? That has just happened: Reno, NV-based ScadaTEC is facing vulnerability issues with its SCADAPhone and ModbusTagServer products, while UK-based Scadatec Limited is facing issues with its Procyon products.

Thanks go to Joel Langill, chief technology officer at SCADAhacker, for his diligent effort to point out the differences between the two companies.

For ScadaTEC’s SCADAPhone and ModbusTagServer, there is a publicly released report that includes exploit code targeting a buffer overflow vulnerability in the two products, according to an ICS-CERT advisory. Neither ICS-CERT nor ScadaTEC has confirmed the vulnerability.


This vulnerability relies on the operator opening a specially crafted file with the application, according to the report. Currently, the exploit code allows an attacker to bind a shell. Simple modifications of this exploit code could result in additional impacts to systems running affected versions of the products.

ICS-CERT is coordinating with the vendor to identify mitigations.

SCADAPhone is a notification application that alerts owners and operators of their SCADA system conditions and can also write values to the SCADA System, said ScadaTEC.

Meanwhile, ModbusTagServer is an OPC server that communicates directly with field devices and makes data available to OPC clients, ScadaTEC said.

Both products mainly see use in the water sector but also in critical manufacturing and chemical sector applications in the United States and Australia.

As for UK-based Scadatec’s Procyon human-machine interface/supervisory control and data acquisition (HMI/SCADA) product, ICS-CERT originally issued an advisory August 4, but delayed the release to allow users sufficient time to download and install the update.

Knud Højgaard of the nSense Vulnerability Coordination Team found the vulnerability, which could allow an attacker to establish a connection to the Telnet daemon, bypassing proper authentication, and exploit a buffer overflow that could lead to a denial of service (DoS) or remote code execution.

ICS-CERT has been working with nSense and Scadatec Limited to validate this vulnerability. Scadatec Limited created a new version (V1.14) of the Procyon product that fully resolves this issue. nSense confirmed Procyon Version V1.14 successfully resolves this vulnerability.

So, any company running a Procyon version earlier than 1.14 could be exposed to the vulnerability.

Procyon is an HMI product used in a variety of industrial applications. Procyon has known deployments in the UK, Philippines, Thailand, and Singapore. The total deployment of Procyon is not available because of distribution through third-party agents worldwide.

Procyon is more widely distributed in manufacturing and transportation applications with a lesser presence in the laboratory, water, and chemical applications.

Højgaard’s report said the Procyon Telnet service listening on Port 23/TCP is vulnerable to a buffer overflow that could allow a DoS or possibly lead to arbitrary code execution. This vulnerability is remotely exploitable.

In order to exploit this vulnerability, an attacker would need to send a specially crafted packet to Port 23/TCP that could cause a buffer overflow, resulting in arbitrary code execution.

Scadatec Limited created a new version of the software, available at this website. Scadatec Limited requests that users who need this new version access this website, use the “Contact” tab to reach the “Contact Us” window, and fill out and submit the form. This will alert Scadatec Limited to send the requester the password required to download the new version.

After downloading the new version, Scadatec Limited recommends the following actions:
• Review the instructions in the Readme file.
• Uninstall any existing version of the software.
• Install the new version and run as normal.
