Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems just became more vulnerable to tampering or sabotage with the release of attack code that exploits a security flaw in a widely used piece of software.
The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.
The exploit was created by Kevin Finisterre, the director of penetration testing at security firm Netragard. He said he decided to release the code following conflicting statements by Citect about the severity of the flaw. As a result, he said, organizations that use CitectSCADA were confused about whether they were truly vulnerable.
"In reality, I would be willing to wager a small fortune that most of the folks that received the Citect advisory were not inspired to take immediate action," Finisterre wrote in this paper published to the Milw0rm website. "In general, no one should be more knowledgeable about a software product than the vendor, so if the vendor pulls an Alfred E. Newman and says 'What, me worry?' you can rest assured the userbase will do the same."
At least partly responsible for the confusion is the theoretical reality that the bug should be of little consequence to organizations who take proper precautions with SCADA systems. A core tenet among system administrators of such systems is that remote terminal units and other critical industrial controls should never be exposed to the internet. In reality, however, there are frequently numerous ways unauthorized people can gain access to those controls.
Two of the more common means for gaining unauthorized control include wireless access points and internet-facing controls designed to save organizations money by allowing employees remote access, according to Core Security, which discovered the bug early this year.
To cut through the confusion, Finisterre provided a detailed description of the bug, which he described as a "classic stack-based buffer overflow." By default, a server component of CitectSCADA known as ODBC, or Open Database Connectivity, monitors TCP/IP networks for client requests. Attackers can gain control by modifying the size of the packets sent to the system.
The public exploit is just the latest chapter in a growing body of research revealing the risks of using SCADA systems. In May, Core warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down. That same month, US lawmakers lambasted the organization that oversees the North American electrical grid. A UK government minister sounded a similar alarm in that country last month.
Given the increased reliance of SCADA systems - and the confusion that frequently surrounds security advisories - Finisterre said it's crucial white-hat penetration testers have a full chest of tools at their disposal for detecting and fixing vulnerabilities in the systems.
"If you outlaw SCADA exploits, only outlaws will have SCADA exploits," he wrote. "Spread information and inform both yourself and others." ®