Researcher finds 20-plus flaws in SCADA software
Moves to indentify and report SCADA software vulnerabilities kept secret and sold by another security firm
IDG News Service - A security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them.
The vulnerabilities were discovered by Aaron Portnoy, vice president of research at startup security firm Exodus Intelligence, and affect SCADA (supervisory control and data acquisition) software from Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton. This type of software is used to control industrial processes in critical infrastructure, manufacturing plants, and other industrial facilities.
Last week, ReVuln, a Malta-based vulnerability research firm, announced that it had found critical vulnerabilities in SCADA software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. However, the security company said that it would not report the flaws to the affected vendors or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security.
ReVuln sells information about the vulnerabilities it finds to government agencies and other select private buyers through a subscription-based service.
"I decided to research SCADA software after reading the mentioned articles and thought that it was dangerous to force vendors to purchase the ReVuln feed in order to protect critical infrastructure," Portnoy said Monday via email.
ReVuln's subscription-based feed service is not available to software vendors, but the security firm offers vulnerability assessment services to software manufacturers, ReVuln's co-founder Luigi Auriemma said Monday via email. Auriemma defended his company's decision not to report vulnerabilities and said that this business model is used by other vulnerability research companies and brokers as well.
The practice of selling information about unreported vulnerabilities to private buyers is not new in the security research community. However, it's only recently that some companies began advertising such services publicly. For example, French vulnerability research firm VUPEN was criticized by digital rights advocates after openly admitting that it sells exploits to NATO governments without reporting the vulnerabilities to vendors.
Portnoy presented his findings in a blog post published on Monday. They included seven remote code execution flaws, 14 denial of service issues and some other vulnerabilities that can allow attackers to download, upload and delete arbitrary files from systems running the vulnerable software.
"The most interesting thing about these bugs was how trivial they were to find," Portnoy wrote in the blog post. "The first exploitable 0day [previously unknown vulnerability] took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison."
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts