Sergio Alvarez and Thierry Zoller of nruns gave an interesting presentation at Hack.lu 2007 on vulnerabilities in anti-virus software (hat tip: Pauldotcom podcast Episode 93, 1:21). One of the main problems is that anti-virus software takes in just about every file format and attempts to parse and process it. If the software developer makes a mistake in this parsing, it can lead to a vulnerability. In the podcast, Paul mentions how coding errors in the Snort and Wireshark parsers have also led to vulnerabilities.
Adding to the problem, AV software is a large attack surface, built on unmanaged code that has been reused, ported and adapted for years, and often developed under extreme time pressure. You know how fast those new AV signatures come out.
Sergio submitted 80 anti-virus vulnerabilities last year to a variety of vendors, with about 30 fixed to date. Interestingly, the first common problem they list on slide 21 is “Communication Protocols Security by Obscurity”. Sound familiar? They also show some back and forth with vendors that highlights the risk of leaving vulnerability fixing and disclosure to the vendors’ discretion, even when the vendors are security vendors.
Two SCADA security related points from this story.
1) Don’t rely solely on your security perimeter, which, by the way, is increasingly trying to parse more protocols. Upon disclosing a vulnerability to a control system vendor, we typically hear that this bad guy or this traffic should never be allowed into the control system network to run the attack. Yes, the vendor is correct, but your firewalls, IDS/IPS and other perimeter technologies have vulnerabilities of their own. Some have been found and many are waiting to be found. You need to be able to detect, delay and prevent attacks if an attacker or a worm has breached your perimeter.
2) Security needs to be an important part of the software development lifecycle from the start of code development. The only real fix, as discussed in the presentation and podcast, for many of these anti-virus vendors would be to start over, which is extremely expensive, but so is patching old code for an increasing number of vulnerabilities. There are so many parallels here to control system application code bases. Buying a new SCADA or DCS application? Understand the basics of the security development lifecycle; require the vendors to provide their security development lifecycle processes; and demand to see evidence that they are implementing these processes. Unfortunately, we may be in a situation where there is not a good answer from any of the respondents, which will only change through the asset owner applying pressure via the purchase decision.