Core Security Technologies Discovers Critical Vulnerability in SCADA Software from Citect.


Exposure Could Allow an Attacker to Access and Take Over Systems Being Run in the Aerospace, Food, Manufacturing, Oil and Gas Industries

BOSTON -- Core Security Technologies, makers of CORE IMPACT, the world's most comprehensive enterprise security assurance testing software, today issued an advisory disclosing a vulnerability that could severely impact organizations relying on Citect's flagship industrial process control software, CitectSCADA. This discovery indicates that thousands of companies using Citect's SCADA (Supervisory Control And Data Acquisition) systems could unknowingly be exposing critical industrial processes and assets that they otherwise sought to protect if they do not immediately apply the vendor-provided patch or the other workarounds for the vulnerability suggested by the software maker.

According to CoreLabs, the research arm of Core Security that initially discovered the flaw and reported it to Citect, an attacker could potentially use the vulnerability to gain remote, unauthenticated access to a host system running CitectSCADA. If successfully exploited in this manner, the issue could allow an attacker to execute arbitrary code on vulnerable systems and take control of operations dependent on the vulnerable software.

Citect's official security update for the issue - which is available from the vendor upon request - offers customers the option of:

* disabling open database connectivity (ODBC), or;

* automatically discarding malformed ODBC packets of the type that CoreLabs' research had indicated may be used to exploit the vulnerability.

However, the vendor maintains that no SCADA, PLC, DCS, RTU or process control networks should ever be exposed unprotected to the Internet. Rather, Citect advises that organizations operating such networks should either isolate the systems from the Internet entirely, or use technologies such as firewalls to keep them protected from improper external communications.

Although nearly all SCADA software makers take a similar stance, advising customers to keep their systems walled off from the Internet, the reality is that many organizations do have their process control networks accessible from wireless and wired corporate data networks that are in turn exposed to public networks such as the Internet, according to CoreLabs experts.

"While it is known that SCADA software as a whole was not designed to be accessible over public networks and therefore should not be accessible outside of highly isolated Process Control Systems networks, the reality is that most organizations end up with their systems accessible through wireless and wired corporate networks, or even public networks," said Ivan Arce, CTO of Core Security Technologies. "As such, vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner."

Citect lists a broad range of customers for the affected technology, including organizations in the aerospace, food, manufacturing, oil and gas, and public utilities industries. In addition to working directly with the vendor to address the reported vulnerability, Core Security has been in close contact with the official U.S., Argentine and Australian Computer Emergency Response Teams (CERTs) to ensure that organizations running CitectSCADA are notified of the situation. Core Security is based in the U.S. and Argentina, and Citect is based in Australia.

Vulnerability Details:

The vulnerability found in CitectSCADA could allow a remote, unauthenticated attacker to force an abnormal termination of the vulnerable software (denial of service) or to execute arbitrary code on vulnerable systems and gain complete control of the software. The CitectSCADA and CitectFacilities applications include ODBC server capabilities to provide remote SQL access to a relational database. For that purpose, an ODBC Server component services requests from clients on TCP/IP networks. Requests are serviced on a high TCP port. The application-layer protocol first reads an initial packet that specifies the length of the data, then reads a second packet of data of that length. Once the data has been read from the network, it is copied into a fixed-size internal buffer allocated on the stack without first verifying that the buffer is large enough to hold all of the data read.

The vulnerability is caused by the lack of proper length checking on data read from the network. A specially crafted combination of length and data packets could be used to exploit the vulnerability, allowing an unauthenticated attacker to execute arbitrary code on vulnerable systems.

The bug is a textbook example of the classic, simple stack-based buffer overflow vulnerabilities of the 1990s, which can be exploited by overwriting the return address of the currently running thread.
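To illustrate the length check the advisory says was missing, the following is an added example (not Citect's code and not from the Core advisory) of a length-prefixed frame reader in C that validates the declared length against its fixed-size stack buffer before copying anything. The 4-byte big-endian length field, the 256-byte buffer and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

enum frame_status { FRAME_OK = 0, FRAME_EMPTY, FRAME_TOO_LONG, FRAME_TRUNCATED };

/* Parse one length-prefixed frame from an in-memory byte stream.
 * Hypothetical wire format (assumed, not Citect's): 4-byte big-endian length,
 * then that many payload bytes. The flawed server read the length, then read
 * that many bytes straight into a fixed stack buffer; here every bound is
 * checked before a single byte is copied. */
static enum frame_status read_frame(const uint8_t *stream, size_t stream_len,
                                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (stream_len < 4)
        return FRAME_TRUNCATED;  /* not even a complete length field */
    uint32_t declared = ((uint32_t)stream[0] << 24) | ((uint32_t)stream[1] << 16)
                      | ((uint32_t)stream[2] << 8)  |  (uint32_t)stream[3];
    if (declared == 0)
        return FRAME_EMPTY;
    if (declared > out_cap)
        return FRAME_TOO_LONG;   /* the missing check: the peer's length is untrusted */
    if (stream_len - 4 < declared)
        return FRAME_TRUNCATED;  /* peer promised more bytes than it sent */
    memcpy(out, stream + 4, declared);
    *out_len = declared;
    return FRAME_OK;
}

/* Service one request with a 256-byte stack buffer and return the outcome
 * as a status code instead of letting hostile input overrun the stack. */
int handle_request(const uint8_t *stream, size_t stream_len)
{
    uint8_t buf[256];
    size_t n = 0;
    return (int)read_frame(stream, stream_len, buf, sizeof buf, &n);
}

/* Constructed sample requests (not captured traffic). */
int demo_well_formed(void) {
    const uint8_t s[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    return handle_request(s, sizeof s);
}
int demo_oversized_length(void) {   /* claims 1024 bytes for a 256-byte buffer */
    const uint8_t s[] = {0, 0, 4, 0, 'x'};
    return handle_request(s, sizeof s);
}
int demo_short_payload(void) {      /* claims 8 bytes, sends 3 */
    const uint8_t s[] = {0, 0, 0, 8, 'a', 'b', 'c'};
    return handle_request(s, sizeof s);
}
```

The order of the checks matters: the declared length is compared against the buffer capacity before it is used for anything else, so an oversized value is rejected without ever driving a read or a copy.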

Fixes and Workarounds:

User organizations should deploy the vendor patch, which is available upon request at http://www.citect.com/, or disable the vulnerable service (the ODBC server) if it is not needed in their particular installation.

In general, process control networks should be physically isolated from corporate or other publicly accessible data networks. An isolated network will limit the exposure of systems with network-facing vulnerabilities to only accidental disruption or potentially malicious users or systems within the process control network itself.

However, if physical isolation of the process control network or patch deployment is not feasible, it is strongly recommended that strict access control mechanisms be enforced and monitored regularly, to verify that only the absolute minimal set of required systems, both within and outside the process control network, is allowed to connect to other systems within the process control network.

For more information about an official fix and affected systems, please contact the vendor directly. For additional information on this vulnerability, please view the advisory at: www.coresecurity.com/?module=ContentMod&action=news&id=advisories

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their IT infrastructure. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates servers, desktop systems, end users and web applications by identifying what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
COPYRIGHT 2008 Business Wire
Publication: Business Wire
Date: Jun 11, 2008