Tuesday, November 8, 2011

ICS-CERT Updates Duqu and Adds CitectSCADA Advisory

This afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a Joint Security Awareness Report with US CERT providing their most up to date information on Duqu. ICS-CERT also published a new advisory for a new vulnerability found in the CitectSCADA system.


The Joint Security Awareness Report (JSAR) provides a summary of data currently known about Duqu. It is not as detailed as the Symantec report (v 1.3) but it does provide some additional information from other researchers that did not make it into the Symantec report. It also provides links to each of the major reports on the W32.Duqu Trojan. There is a better source of links on the SCADAhacker web site.

There is one bit of information that is not included in this discussion and that is the possibility that the ‘Stars’ infection reported in Iran is a version of Duqu. Of course there is more than a little controversy surrounding that claim; it does come from the Iranians of course. That may be why it is not addressed in the JSAR.


A Taiwanese researcher reported a buffer overflow vulnerability in CitectSCADA. Oops, it was actually reported in the Mitsubishi MX4 SCADA Batch Server. Well, actually the MX4 turns out to be a version of CitectSCADA. Actually it turns out that it is even more complicated than that; ICS-CERT reports that the “buffer overflow vulnerability resides in a third-party component” in the two systems. Such are the complexities of industrial control systems.

Unexpectedly, this vulnerability is not remotely exploitable, but a low-skilled attacker, given physical access to the system, could exploit the vulnerability to execute arbitrary code. There is no known publicly-available exploit for this vulnerability. Schneider Electric, the vendor for CitectSCADA, recommends removal of the vulnerable component and has instructions available for users to do this. Mitsubishi Electric Europe, the vendor for the MX4, will coordinate between their customers and Schneider to effectively mitigate this vulnerability in their systems.

I wonder why the alert doesn’t mention the ‘offending’ component name. It would seem that there is a possibility that this same component could be used by other manufacturers as well.
