DHS ICS-CERT Issues Multiple Alerts

Yesterday evening the folks at the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) took the unusual move of publishing four separate control system vulnerability alerts. Of potentially more interest, they took this action because a single security researcher, Luigi Auriemma, published 34-separate exploits for 0-day vulnerabilities in those four systems. Oh, yes, the other important piece of information, Luigi is not a SCADA expert, ‘just’ a prolific writer of 0-day exploits.

The four covered systems are:

Siemens Tecnomatix FactoryLink – 6 exploits
Iconics GENESIS32 and GENESIS64 – 13 exploits
7-Technologies IGSS – 8 exploits
DATAC RealWin – 7 exploits

ICS-CERT was very prompt in issuing these four alerts. The exploits were published yesterday and less than 12 hours later the alerts were posted on their web site. Of course the fact that the cyber security community was actively discussing Luigi’s feat on-line probably made it easier to get the bureaucratic approval necessary to publish the alerts in a timely manner.

Underlying Issue

Luigi described the vulnerabilities this way:

“In technical terms the SCADA software is just the same as any other software used everyday, so with inputs (in this case they are servers so the input is the TCP/IP network) and vulnerabilities: stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems and various other bugs.”

This just goes to show that the same problems that the general software development community has been dealing with for years probably exist in the ICS software. As more security researchers (both ‘good’ and ‘bad’) turn their attention to control systems, it seems inevitable that more 0-day vulnerabilities, probably many more, are going to be found.

That this problem exists is not a new idea. Dale Peterson over at DigitalBond.com put it this way yesterday:

“Realistically though, there is a huge amount of legacy code out there with latent vulnerabilities waiting for smart guys like Luigi to find. Vendors that are making their software available for download have to expect that someone in the security research community, and probably some bad guys, will download the product just to find vulnerabilties and build exploits. We mentioned this in previous blog entries, but hopefully 34 vulnerabilities will prove the point.”

For the user community this means that, if Stuxnet was not enough of a warning, Luigi pointed out yesterday how easy it would be for even a moderately talented hacker (Please, I am not saying Luigi is just ‘moderately talented’, that is obviously not true) to attack a system. With the exploits published yesterday, owners of systems that contain these programs don’t even have the minimal comfort level that their systems would require a moderate skill level to attack. The basic hacker now has tools available to be able to access those systems.

Mitigation

How long will it take to get patches for these vulnerabilities? We’ll have to wait and see. Remember, though, the software development cycle started yesterday. Don’t hold your breath; it takes time to fix these things.

In the meantime ICS-CERT provides this generic guidance in their alerts:

“Control system devices should not directly face the Internet.1Locate control system networks and devices behind firewalls, and isolate them from the business network. If remote access is required, employ secure methods such as Virtual Private Networks (VPNs).”