While the worm was first detected almost two weeks ago, more news about Stuxnet made the headlines late last week. Details about the scope of the malware have surfaced. More importantly, it has been found that the worm exploits a serious, yet beginner-level security flaw in the SCADA WinCC software: a password has been known to be hard-coded into the products for over two years.
Initial reports said that Stuxnet was using a vulnerability in the way Windows handles .lnk files, so that merely viewing the contents of an infected removable storage device (such as a USB drive) could result in the malware installing itself on the target computer. There were also claims that it would then search for SCADA systems. It turns out that if Stuxnet reaches a computer running SCADA WinCC software, it uses a vulnerability in the application to access sensitive information.
According to Chris Wysopal of Veracode, "this affects only those running Siemens WinCC which the attack is targeted for. Siemens software has a critical severity vulnerability that is also easy to exploit: a hard coded password. Once hard coded passwords are discovered it is trivial for the attacker to access systems using that password, in this case a database."
Use of hard-coded credentials (CWE-798) is number 11 on the SANS Top 25 Most Dangerous Software Errors. It is indeed very serious: if the attackers know where the password is stored (or how to find it), it is easy to write malware accordingly. In this case, Stuxnet is clearly a targeted attack and not generic malware that simply exploits an operating system vulnerability. This suggests that the attackers knew about the vulnerability and exactly how to exploit it before even launching the attack, but exactly how they obtained such inside intelligence is unknown.
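To make the CWE-798 point concrete from the defender's side, here is an added example (not code from the original article, and not Siemens or WinCC code) in Python. It shows a small static check that flags the two most common shapes of a hard-coded credential in source code (a string literal assigned to a password-like variable, and a database connection string carrying a Password= field), run over a constructed sample file, followed by the hardened alternative: reading the secret from the deployment environment and refusing to start when it is absent. The variable name SCADA_DB_PASSWORD and all sample values are assumptions made up for this example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Constructed sample source file. Nothing here is from any real product;
# the "secrets" are placeholders chosen only to exercise the check.
SAMPLE_SOURCE = '''\
# database access layer (constructed example)
DB_HOST = "scada-db.example.internal"
DB_USER = "hist_reader"
DB_PASSWORD = "S3cretPlaceholder!"          # CWE-798: secret baked into source
conn_str = "Server=db;Database=hist;User Id=sa;Password=AnotherPlaceholder;"
timeout = 30
api_key = os.environ.get("API_KEY")         # fine: secret comes from the environment
'''


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str


# Heuristic 1: a password/secret/token-like name assigned a quoted literal.
# No leading word boundary, so names such as DB_PASSWORD are caught too.
_ASSIGN_RE = re.compile(
    r'''(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*=\s*["'][^"']+["']'''
)
# Heuristic 2: a connection string embedding its own Password= field.
_CONN_STR_RE = re.compile(r'(?i)password\s*=\s*[^;"\']+')


def find_hardcoded_credentials(source: str) -> List[Finding]:
    """Return one Finding per source line that embeds a credential as a literal.

    This is a lightweight review aid, not a complete secret scanner: it
    ignores trailing '#' comments and does not parse the language.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comment text
        if _ASSIGN_RE.search(code):
            findings.append(Finding(line_no, "literal-assignment", code.strip()))
        elif _CONN_STR_RE.search(code):
            findings.append(Finding(line_no, "connection-string", code.strip()))
    return findings


def load_db_password(env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened form: the secret is injected at deploy time, never stored in code.

    Failing loudly when it is missing is deliberate; a silent fallback to a
    built-in default would recreate the very weakness being removed.
    SCADA_DB_PASSWORD is an assumed variable name for this example.
    """
    env = os.environ if env is None else env
    try:
        return env["SCADA_DB_PASSWORD"]
    except KeyError:
        raise RuntimeError("SCADA_DB_PASSWORD is not set; refusing to start") from None


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Run against the constructed sample, the check reports line 4 (literal assignment) and line 5 (connection string) and stays quiet about the environment-backed api_key line. The same two patterns can be dropped into a pre-commit hook or a code-review checklist; the hardened loader is the pattern to require in their place.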
In fact, it has been revealed that the hard-coded password vulnerability had been known at Siemens for at least two years, yet nothing had been done to remediate the issue. "Security through obscurity" is generally considered on a level akin to no security at all, so Siemens staying silent and inactive on this subject is not very responsible on their part.
According to sources, SCADA systems are usually meant to be used isolated from the Internet, so they are supposedly immune to threats propagated through the net. However, viruses and malware existed long before the Internet was widely deployed, so there is no reason why they could not be transmitted through other means, as we are seeing here. An insecure application is always insecure, whether it is connected to the Internet or not.
Fortunately, if we believe Siemens's Web site, there are only two known infections worldwide as of today, the first threat purportedly having been "quickly eliminated". No details have been posted about the second infection, although Siemens stated that "a production plant has so far not been affected."
The general advice, as well as Siemens's, is of course not to use removable storage devices to transfer data to and from SCADA systems, to avoid infection. Customers are also invited to update their antivirus software and to use Sophos's tool for detecting and removing rootkits.