July 28, 2014

Zero-day Flaws Discovered in Various SCADA Systems

(LiveHacking.Com) - Security researcher, Luigi Auriemma, has revealed details of several zero-day vulnerabilities in various Supervisory Control and Data Acquisition (SCADA) products from several different vendors.

SCADA vulnerabilities have recently been of interest due to the creation of Stuxnet and its use to delay the proliferation of nuclear weapons. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, something that previously wasn’t really possible.

The vulnerabilities are as follows, with links to the advisories written by Luigi:

  • Multiple vulnerabilities in Cogent DataHub 7.1.1.63: adv - adv - adv - adv
  • Stack overflow in DAQFactory 5.85 build 1853: adv
  • Multiple vulnerabilities in Progea Movicon / PowerHMI 11.2.1085: adv - adv - adv
  • Directory traversal in Carel PlantVisor 2.4.4: adv
  • Heap overflow in Rockwell RSLogix 19 (FactoryTalk RnaUtility.dll): adv
  • Multiple vulnerabilities in Measuresoft ScadaPro 4.0.0: adv
  • Denial of Service in Beckhoff TwinCAT 2.11.0.2004: adv

This is the second set of disclosures by this researcher this year. In March, he disclosed similar vulnerabilities in SCADA products from Siemens, Iconics, 7-Technologies and Datac. His disclosures prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities.

Stuxnet: The Industrial Sabotage Mystery Deepens

Since its discovery a few months ago, the purpose and intention of the Stuxnet worm have remained shrouded in mystery. This Windows-based worm is the first ever malware designed to attack industrial equipment.

Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).


PLCs contain code to control automated industrial systems in manufacturing plants or factories. Programmers use the Siemens’ software from a Windows PC to create code and then upload their code to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.

Since the discovery of Stuxnet, conspiracy theories about its purpose have been rampant, variously involving nation states, well-funded hackers, Israeli spies and Iran’s nuclear program. But Symantec has just revealed (http://www.symantec.com/connect/blogs/stuxnet-breakthrough) that Stuxnet only attacks systems with variable-frequency drives from two specific vendors: Vacon, based in Finland, and Fararo Paya, based in Iran. This is sure to reignite speculation about its target and origin.

Stuxnet monitors the frequency of these drives and only attacks systems running between 807Hz and 1210Hz, which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short time to 1410Hz, then to 2Hz and then to 1064Hz, and thus affects the operation of the connected motors.
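As an added example (not code from the article or from Symantec), here is a defender's check for the behaviour just described: it runs over constructed drive-frequency telemetry in an assumed `t=<sec> drive=<id> freq=<Hz>` format and flags drives running in the 807-1210 Hz band that leave the band, jump abruptly, or show the 1410 -> 2 -> 1064 Hz sequence.

```python
# Added example (not the article's code): detection logic for the
# drive-frequency manipulation described above, over constructed telemetry.
from dataclasses import dataclass

BAND_MIN_HZ, BAND_MAX_HZ = 807.0, 1210.0     # band the article says Stuxnet checks for
SABOTAGE_SEQUENCE_HZ = (1410.0, 2.0, 1064.0)  # setpoints it then forces, in order

@dataclass
class Alert:
    t: int
    drive: str
    kind: str    # "out_of_band", "abrupt_step" or "sabotage_sequence"
    detail: str

def parse_line(line: str):
    """Parse a constructed line like 't=2 drive=VFD-01 freq=1410'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return int(kv["t"]), kv["drive"], float(kv["freq"])

def detect(lines, max_step_hz: float = 100.0):
    """Flag drives that run in the 807-1210 Hz band (the worm's own
    targeting rule) when they leave the band, jump by more than
    max_step_hz between readings, or show the 1410 -> 2 -> 1064 Hz pattern."""
    alerts, history = [], {}
    for line in lines:
        t, drive, freq = parse_line(line)
        seen = history.setdefault(drive, [])
        in_band = BAND_MIN_HZ <= freq <= BAND_MAX_HZ
        if not seen and not in_band:
            continue  # never observed in the targeted band: out of scope
        seen.append(freq)
        if not in_band:
            alerts.append(Alert(t, drive, "out_of_band", f"{freq:g} Hz"))
        if len(seen) > 1 and abs(freq - seen[-2]) > max_step_hz:
            alerts.append(Alert(t, drive, "abrupt_step", f"{seen[-2]:g} -> {freq:g} Hz"))
        if tuple(seen[-3:]) == SABOTAGE_SEQUENCE_HZ:
            alerts.append(Alert(t, drive, "sabotage_sequence", "1410 -> 2 -> 1064 Hz"))
    return alerts

# Constructed sample: VFD-01 runs in band and is manipulated; VFD-02 is a slow drive.
SAMPLE_LOG = [
    "t=0 drive=VFD-01 freq=1064", "t=1 drive=VFD-01 freq=1066",
    "t=1 drive=VFD-02 freq=50",   "t=2 drive=VFD-01 freq=1410",
    "t=3 drive=VFD-01 freq=2",    "t=4 drive=VFD-01 freq=1064",
    "t=5 drive=VFD-02 freq=52",
]
if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):  # prints 6 alerts, all for VFD-01
        print(f"t={a.t} {a.drive} {a.kind}: {a.detail}")
```

The slow drive VFD-02 produces no alerts because it is never seen inside the band, which mirrors why Stuxnet would not have touched it either.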

Stuxnet’s requirement for particular frequency converter drives and operating characteristics narrows the set of plausible targets considerably.

If you work with PLCs and variable-frequency drives over 807Hz please contact Live Hacking as soon as possible as you might be able to shed some light on this increasingly mysterious malware.