Researcher claims to have found vulnerabilities in SCADA software
A security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them.
The vulnerabilities were discovered by Aaron Portnoy, vice president of research at startup security firm Exodus Intelligence, and affect SCADA (supervisory control and data acquisition) software from Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton. This type of software is used to control industrial processes in critical infrastructure, manufacturing plants, and other industrial facilities.
Last week, ReVuln, a Malta-based vulnerability research firm, announced that it had found critical vulnerabilities in SCADA software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. However, the security company said that it would not report the flaws to the affected vendors or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security.
ReVuln sells information about the vulnerabilities it finds to government agencies and other select private buyers through a subscription-based service.
“I decided to research SCADA software after reading the mentioned articles and thought that it was dangerous to force vendors to purchase the ReVuln feed in order to protect critical infrastructure,” Portnoy said Monday via email.
ReVuln’s subscription-based feed service is not available to software vendors, but the security firm offers vulnerability assessment services to software manufacturers, ReVuln’s co-founder Luigi Auriemma said Monday via email. Auriemma defended his company’s decision not to report vulnerabilities and said that this business model is used by other vulnerability research companies and brokers as well.
The practice of selling information about unreported vulnerabilities to private buyers is not new in the security research community. However, it’s only recently that some companies began advertising such services publicly. For example, French vulnerability research firm VUPEN was criticized by digital rights advocates after openly admitting that it sells exploits to NATO governments without reporting the vulnerabilities to vendors.
Portnoy presented his findings in a blog post published on Monday. They included seven remote code execution flaws, 14 denial of service issues and some other vulnerabilities that can allow attackers to download, upload and delete arbitrary files from systems running the vulnerable software.
“The most interesting thing about these bugs was how trivial they were to find,” Portnoy wrote in the blog post. “The first exploitable 0day [previously unknown vulnerability] took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison.”
In fact, according to Portnoy, it was more difficult to obtain the software than it was to find flaws in it. “I used a different approach to retrieve software for the various SCADA vendors,” he said via email. “Some of them had trial software available to interested parties, others I had to dig up FTP credentials in some obscure document on their support portal. I did my best to ensure that I was auditing the latest version of the software I looked at.”
Portnoy hopes that his findings partially overlap with those of ReVuln, because unlike ReVuln, he plans to report the vulnerabilities to ICS-CERT, which will then coordinate the disclosure with the affected vendors.
He would like to see ICS-CERT create a repository of SCADA software accessible to researchers who practice responsible disclosure. Even a list of software that’s most important to audit would help, he said.
