[ISN] SCADA security bug exposes world's critical infrastructure

From: InfoSec News (alerts@private)
Date: Fri Jun 13 2008 - 00:02:30 PDT


By Dan Goodin in San Francisco
The Register
12th June 2008

Gasoline refineries, manufacturing plants and other industrial 
facilities that rely on computerized control systems could be vulnerable 
to a security flaw in a popular piece of software that in some cases 
allows attackers to remotely take control of critical operations and 

The vulnerability resides in CitectSCADA, a software product used to 
manage industrial control mechanisms known as SCADA, or Supervisory 
Control And Data Acquisition, systems. As a result, companies in the 
aerospace, food, manufacturing and petroleum industries that rely on 
Citect's SCADA products may be exposing critical operations to outsiders 
or disgruntled employees, according to Core Security, which discovered 
the bug.

Citect and Computer Emergency Response Teams (CERTs) in the US, 
Argentina and Australia are urging organizations [1] that rely on 
CitectSCADA to contact the manufacturer to receive a patch. In cases 
where installing a software update is impractical, organizations can 
implement workarounds.

In theory, the bug should be of little consequence, since there is 
general agreement that SCADA systems, remote terminal units and other 
critical industrial controls should never be exposed to the internet.

But "in the real world, in real scenarios, that's exactly what happens, 
because corporate data networks need to connect to SCADA systems to 
collect data that's relevant to running the business," said Ivan Arce, 
CTO of Core. "Those networks in turn may be connected to the internet."

Wireless access points also represent a weak link in the security chain, 
he said, by connecting to systems that are supposed to be off limits.

It's the second vulnerability Core has found in a SCADA system in as 
many months. In May, the security company warned of a flaw in monitoring 
software known as InTouch SuiteLink that put power plants at risk of 
being shut down by miscreants. Also last month, the organization that 
oversees the North American electrical grid took a drubbing [2] by US 
lawmakers concerned it isn't doing enough to prevent cyber attacks that 
could cripple the country.

The scrutiny comes as more and more operators try to cut costs and boost 
efficiency by using SCADA systems to operate equipment using the 
internet or telephone lines. The technology has its benefits, but it may 
also make the critical infrastructure vulnerable to cyber attacks by 
extortionists, disgruntled employees and terrorists.

The flaw in CitectSCADA is related to a lack of proper length-checking 
that can result in a stack-based buffer overflow. Attackers who send 
specially crafted data packets can execute malicious code over the 
vulnerable system, according to Core, maker of the Core Impact 
penetration testing product. ®

[1] http://www.kb.cert.org/vuls/id/476345 
[2] http://www.theregister.co.uk/2008/05/22/electrical_grid_vulnerable/

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Fri Jun 13 2008 - 00:15:37 PDT