June 15, 2020

Security researchers find zero-day vulnerabilities in SCADA systems made by General Electric, Schneider, Siemens and others

(LiveHacking.Com) – ReVuln, a security vulnerability research company (and, as explained below, a vulnerability broker), has released a video showing a collection of zero-day vulnerabilities in SCADA systems from big-name companies such as General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton and Siemens. The profiteering angle is that the company has chosen to sell the vulnerabilities to governments and other paying customers instead of disclosing them to the affected manufacturers.

In the video ReVuln demonstrated nine “zero-day” SCADA (supervisory control and data acquisition) software vulnerabilities, all of which are server-side and remotely exploitable. However, all product names and versions were hidden in the video, so it is impossible to tell exactly which products are affected.

Because the vulnerabilities are remotely exploitable, attackers can execute arbitrary code, download files, execute commands, open remote shells or hijack sessions on any system running the vulnerable SCADA software. ReVuln co-founder and security researcher Luigi Auriemma confirmed this in an email to Computerworld: “[Attackers] can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service. They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure.”

A surprising number of SCADA systems are connected to the Internet and improperly protected. Auriemma pointed out that Shodan (a search engine that indexes Internet-facing devices and can be used to discover Internet-accessible industrial control systems) yields “tons of interesting results” for systems that could be exploited remotely using ReVuln’s research.
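The practical check that follows from the paragraph above is to find out whether any of your own externally reachable hosts expose industrial-control protocol ports before someone else finds them on Shodan. The script below is an added example for this article, not code from ReVuln or LiveHacking.Com: it parses nmap's grepable (-oG) output and flags open ports belonging to common ICS/SCADA protocols. The port table, the hostnames and the scan output are constructed for illustration (the 192.0.2.0/24 addresses are a documentation range), and the set of ports covered is an assumption, not a complete list.

```python
"""
Flag hosts in nmap grepable (-oG) output that expose industrial-control
protocol ports.

Added example for this article, not code from ReVuln or LiveHacking.Com.
Assumptions: the input follows nmap's -oG "Host:" line format, ICS_PORTS
covers the protocols of interest, and SAMPLE_SCAN is constructed data.
"""
import re

# Well-known ICS/SCADA protocol ports (assumed list, TCP unless noted).
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP (UDP)",
}

# "Host: 192.0.2.12 (hmi.example)" -> address and optional hostname
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Yield (ip, hostname, [(port, state, proto, service), ...]) per Host line.

    Grepable output has tab-separated "Key: value" fields; each entry in the
    Ports field is port/state/protocol/owner/service/rpc info/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status: Up" lines carry no port data
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = []
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            ports.append((int(port), state, proto, service))
        yield ip, hostname, ports


def find_exposed_ics(text):
    """Return a list of findings for open ports that match ICS_PORTS.

    Only ports reported as "open" count; "filtered" means a firewall
    dropped the probe, which is the desired state for these services.
    """
    findings = []
    for ip, hostname, ports in parse_grepable(text):
        for port, state, proto, service in ports:
            if state == "open" and port in ICS_PORTS:
                findings.append({
                    "ip": ip,
                    "hostname": hostname,
                    "port": port,
                    "proto": proto,
                    "protocol": ICS_PORTS[port],
                    "service": service,
                })
    return findings


# Constructed sample of nmap -oG output; not a real scan.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 502/open/tcp//mbap///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.12 (hmi.example)\tPorts: 102/open/tcp//iso-tsap///, 20000/filtered/tcp//dnp///, 44818/open/tcp//EtherNet-IP-2///\tIgnored State: closed (997)
"""

if __name__ == "__main__":
    for f in find_exposed_ics(SAMPLE_SCAN):
        print(f"{f['ip']:15} {f['port']:>5}/{f['proto']}  {f['protocol']}  ({f['service']})")
```

Run it against real output from `nmap -oG scan.gnmap -p 102,502,2404,4840,20000,44818 <your external ranges>`; any host it lists is reachable from the Internet on a protocol that was never designed with authentication, and belongs behind a VPN or a firewall rule rather than on a public address. Note that 192.0.2.12's DNP3 port is reported as filtered and is correctly not flagged.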

Even though ReVuln has been contacted by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the U.S. Department of Homeland Security, it will not reveal the weaknesses. “ICS-CERT has just contacted us some minutes ago requesting more details but we don’t release information,” Auriemma said. Instead, the company treats the vulnerabilities as part of the portfolio it sells to its customers.

“The vulnerabilities included in our Zero-day feed remain undisclosed by ReVuln unless either the vulnerability is discovered and reported by a third party or the vendor publicly or privately patches the issue,” says ReVuln on their website. It also mentions that it offers “consulting services for improving and testing the security of ICS and industrial systems.”