The spotlight is once again shining on critical infrastructure security, this time due to the disclosure of nearly three dozen software vulnerabilities impacting a number of vendors.
Monday, security researcher Luigi Auriemma released proof-of-concept code for a spate of vulnerabilities affecting SCADA (supervisory control and data acquisition) software from Siemens, Iconics, DATAC Control International and 7-Technologies. In response, experts with US-CERT's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have issued four separate advisories warning companies of the discoveries as well as a fifth warning about another issue discovered separately.
SCADA software is used by companies to control and monitor processes at industrial plants and has been a source of particular interest for security researchers during the past several months due to the discovery of the infamous Stuxnet worm last year. According to Auriemma, the disclosure was necessary. The vulnerabilities, he explained, were part of an experiment that also included checking how much the security industry and ICS-CERT were interested in SCADA security.
"Unfortunately there was absolutely no interest for these vulnerabilities and the only choice remained the good old full-disclosure. ICS-CERT has the power to do a lot for the communication and the partnership between the researchers and the vendors but it simply says that the researcher must do everything by himself... And all this for having his name credited on their advisories," the researcher told CRN in an e-mail. "It sounds [like] a joke to me and I have already said it to ICS directly and repeated [it] when they have contacted me after my release of two days ago."
The vulnerabilities in his findings ran the gamut from memory corruption to integer and stack overflow bugs.
Specifically, the flaws impacted Siemens Tecnomatix FactoryLink 8.0.1.1473, Iconics GENESIS32 9.21 and GENESIS64 10.51, 7-Technologies IGSS 9.00.00.11059 and DATAC RealWin 2.1 (Build 6.1.10.10).
Siemens, Iconics and 7-Technologies did not respond before deadline to CRN's request for comment on when patches would be available. However, DATAC Control International CEO Cyril Kerr told CRN the company's engineering team is looking into the problem, but that the issue concerns the demo version of the RealWin software (version 2.1.10) and older.
The downloadable version of RealWin is primarily used as a sales promotion tool, he explained.
"RealWin is not our primary product," Kerr wrote in an e-mail. "RealFlex 6 which uses the real-time operating system QNX is our flagship SCADA product used in mission critical applications. The demo version of RealWin is used to allow potential customers [to] download from our site a copy of the RealWin SCADA software but without any drivers. Therefore, the demo version cannot be used in a real application."
"We do have RealWin running on stand-alone applications like machine control where it is not connected to the internet nor would ever be in such applications," Kerr added. "Where our customers connect to the net, we promote the use [of] our flagship product RealFlex 6 which is extremely secure."

