Researcher finds 20-plus flaws in SCADA software
Moves to identify and report SCADA software vulnerabilities kept secret and sold by another security firm
IDG News Service - A security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them.
The vulnerabilities were discovered by Aaron Portnoy, vice president of research at startup security firm Exodus Intelligence, and affect SCADA (supervisory control and data acquisition) software from Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton. This type of software is used to control industrial processes in critical infrastructure, manufacturing plants, and other industrial facilities.
Last week, ReVuln, a Malta-based vulnerability research firm, announced that it had found critical vulnerabilities in SCADA software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. However, the security company said that it would not report the flaws to the affected vendors or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security.
ReVuln sells information about the vulnerabilities it finds to government agencies and other select private buyers through a subscription-based service.
"I decided to research SCADA software after reading the mentioned articles and thought that it was dangerous to force vendors to purchase the ReVuln feed in order to protect critical infrastructure," Portnoy said Monday via email.
ReVuln's subscription-based feed service is not available to software vendors, but the security firm offers vulnerability assessment services to software manufacturers, ReVuln's co-founder Luigi Auriemma said Monday via email. Auriemma defended his company's decision not to report vulnerabilities and said that this business model is used by other vulnerability research companies and brokers as well.
The practice of selling information about unreported vulnerabilities to private buyers is not new in the security research community. However, it's only recently that some companies began advertising such services publicly. For example, French vulnerability research firm VUPEN was criticized by digital rights advocates after openly admitting that it sells exploits to NATO governments without reporting the vulnerabilities to vendors.
Portnoy presented his findings in a blog post published on Monday. They included seven remote code execution flaws, 14 denial of service issues and several other vulnerabilities that could allow attackers to download, upload and delete arbitrary files on systems running the vulnerable software.
"The most interesting thing about these bugs was how trivial they were to find," Portnoy wrote in the blog post. "The first exploitable 0day [previously unknown vulnerability] took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison."