Russian Firm Dumps SCADA Zero-Day Exploits into the Wild

By Fahmida Y. Rashid  |  Posted 2011-03-22

Russian Firm Dumps SCADA Zero-Day Exploits into the Wild

Researchers released attack code exploiting dozens of vulnerabilities in software used to control hardware at nuclear plants, gas refineries and other heavy industries, raising the specter of yet another Stuxnet-style attack.

Serious vulnerabilities currently exist in programs sold by Siemens, Iconics, 7-Technologie, Datac and Control Microsystems, according to a researcher who released the exploits on a security mailing list on March 21. Attackers would be able to remotely execute code on computers connected to the Internet and running supervisory control and data acquisition software (SCADA) from these vendors.

"Ever since Stuxnet, the industry as a whole has taken security a lot more seriously," Eric Knapp, director of critical infrastructure markets at NitroSecurity, told eWEEK. Things are being done "across the board" to secure SCADA and improve security, he said.

The latest dump of attack codes exploiting SCADA vulnerabilities were done in an "interesting way," Knapp said. Gleg, a Moscow-based security firm, had collected known SCADA vulnerabilities into a single exploit pack and put it up for sale on its Website on March 15.

Knapp was reluctant to speculate on the Russian research firm's motives for releasing the exploits in this way. The release was done "in a not so friendly manner," he said, noting the "white hat, good guy way" is to contact the vendor directly with the vulnerability and give the company a chance to fix the problem before it becomes a problem. Instead, Gleg's package put them in the wild where anyone could get them, he said.

Even with the exploits in the wild, the chance of someone downloading the attack code, pinging networks and finding a SCADA system to target is "pretty low," according to Knapp. Anyone can obtain the exploit now, but not everyone has access to SCADA systems, he said.

As a general rule, computers running SCADA software are not just hooked up online, but are usually part of a secured and protected network, according to Knapp. Stuxnet, one of the most sophisticated pieces of malware ever engineered, didn't spread via the Internet, but rather by using USB devices. Getting access to the physical system was the decisive factor, Knapp said.

The Agora SCADA+ Pack contained 22 modules exploiting 11 zero-day bugs and older vulnerabilities that remained unpatched, according to Gleg's Website, which has been intermittently unavailable. The package also allegedly contains analysis of the "weak points" such as hard-coded passwords and problems with smart chips, according to the site. Pricing is unknown at this time.

Researcher Scrambles to Put Exploits in Safe Hands


Knapp has not yet had the chance to validate Gleg's package because the site appears to be under a denial-of-service attack, he said.

Independent researcher Luigi Auriemma discovered other code-execution vulnerabilities and released them to the security community via the Bugtraq mailing list on March 21 so the "good guys can now do the work we need to do to fix this," Knapp said.

While Gleg effectively put the exploits in the wild, Auriemma ensured that the right people see the information, said Knapp.

SCADA software has the same kind of software vulnerabilities and design problems that can be found in any other program, including stack and heap overflows, integer overflows and other bugs, said Auriemma. SCADA bugs can allow arbitrary commands execution, directory traversals and memory corruptions, he said.

Auriemma listed at least 34 vulnerabilities in SCADA programs that control and monitor hardware sensors and mechanisms located in industrial environments like gas pipelines, airports and other critical fields. Most of the bugs allow attackers to executive code, access sensitive data stored in configuration files and disrupt equipment using the software, Auriemma said. 

One of the exploits allowed the attacker to launch a denial-of-service attack against a Siemens Technomatix FactoryLink system. In the "best case scenario," a DoS attack against a SCADA system would just shut off visibility, Knapp said. SCADA's primary function is to collect information about what is happening in an automated environment, including data from pumps, temperature gauges and sensors, he said. A DoS may mean the processes will continue functioning, but there will be no information coming in about what's happening.

The "worst case" would be shutting down the entire process so that nothing can function, Knapp said. A DoS attack on SCADA can stop the assembly lines at a manufacturing plant, and prevent electricity from being routed to needed areas and practically any other activity in a large industrial environment, he said.

Auriemma identified multiple flaws in the following products: Siemens Technomatix FactoryLink, Iconics Genesis32 and Genesis64, 7-Technologies Interactive Graphical SCADA System, and Datac RealWin systems.

While vendors have been working hard at fixing and securing their software, this vulnerability dump should be a "wake up call to the industry if they haven't already been woken up by Stuxnet already," Knapp said.


Rocket Fuel