Vulnerabilities Found in Industrial Control Systems from Different Vendors
According to an alert published by US-CERT’s control system security team, 36 remote attack vulnerabilities were found this week. Several SCADA products of Siemens, Iconics, 7-Technologies and RealFlex Technologies, as well as human-computer interaction products of BroadWin are affected. Currently, the proof-of-concept code has been publicized, but affected vendors haven’t yet released security patches, so industrial facilities using these products might be attacked.
The affected SCADA systems are widely used in several industry fields such as petroleum, chemistry, electricity, water, gas, and food processing. They play an important role in data acquisition, supervision, process control, signal alarm, parameter adjustment, etc. Attacks on SCADA products can be traced back to July 2010, when Stuxnet exploited the WinCC vulnerability of Siemens to attack Iran’s uranium enrichment equipment and delayed Iran’s nuclear development. This time, however, with so many vulnerabilities, there is potential for great damage.
- Siemens Tecnomatix FactoryLink (version number ≤ 126.96.36.1993): 6 vulnerabilities were found including stack overflow, any file download, directory examining, and denial of service. They are embedded in services such as CSService (which listens on port 7580), vrn.exe (which listens on port 7579), connsrv and datasrv.
- Iconics Genesis32 (version number ≤ 9.21) and Genesis64 (version number ≤10.51): 13 vulnerabilities were found including integer overflow, any memory release, and uninitialized memory release. They are embedded in GenBroker (which listens on port 38080), and the corresponding executable files are GenBroker.exe and GenBroker64.exe (version 9.00.00.11059).
- 7-Technologies (7T) IGSS (Interactive Graphical SCADA System): there are 8 vulnerabilities including directory traversal, stack overflow, formalized string, and arbitrary command execution. They are embedded in IGSSdataServer (which listens on port 12401) and dc.exe (which listens on port 12397). The corresponding executable files are IGSSdataServer.exe and dc.exe (version ≤ 9.21.201.01).
- RealFlex Technologies DATAC RealWin (version ≤ 2.1，Build 188.8.131.52): there are 8 vulnerabilities including stack overflow and integer overflow. They are embedded in several functions that listen on port 910.
- BroadWin WebAccess: there is an RPC vulnerability in the service that listens on TCP port 4592.
Security Suggestions from Antiy Labs
- Don’t connect your industrial control system equipment to the Internet
- The control system equipment and the intranet should be protected by a firewall, and isolated within the work network
- Use a VPN to remotely access the control system equipment
- Pay attention to the latest security updates from operating system vendors and control system vendors, and repair the vulnerabilities in a timely fashion
- Audit your control system equipment and network to establish effective security measures
Related Links: http://www.us-cert.gov/control_systems/
Detailed Information about the Vulnerabilities: http://seclists.org/bugtraq/2011/Mar/187