Industrial Control Systems: security holes galore
It seems that Stuxnet has given many security experts an interest in the potential holes in industrial control and SCADA (Supervisory Control and Data Acquisition) systems. Security specialist Luigi Auriemma, previously mainly known for detecting holes in games and media players, has released a list of 35 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), Iconics (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).
The expert's list includes the whole spectrum of potential security issues from remote file downloads and unauthorised file uploads to targeted attacks on services via integer, buffer and heap overflows. Some of the holes can probably also be exploited to inject and execute arbitrary code. The Stuxnet worm also exploited holes in WinCC, the successor to FactoryLink, to remotely infiltrate systems and manipulate the connected controls.
Auriemma has released proof-of-concept code for most of the vulnerabilities. According to the expert, no fixes have been released for any of the holes; it appears that the holes had not even been reported to the manufacturers beforehand.
To make matters worse, vendor GLEG Ltd last week made available the "Agora+SCADA" exploit pack for the Immunity Canvas exploit framework. The pack contains 23 modules for attacking systems by various manufacturers – including nine zero-day exploits. GLEG has previously been known for its VulnDisco exploit pack.
SCADA system security issues are particularly sensitive because controls are being networked to an ever-increasing degree, while the systems themselves include hardly any protective features against potential attacks, are usually quite old, and have rarely been updated. Some SCADA systems appear to be directly accessible via the internet, which makes them easy targets for attackers. ICS-CERT had pointed out this problem last November: it had observed that users were entering specific search terms into the specialised Shodan search engine to track down vulnerable systems.