Digital Bond

For Secure & Robust ICS

Italian Researcher Publishes 34 ICS Vulnerabilities

March 21, 2011 by Dale G Peterson 1 Comment

Luigi Auriemma, an Italian researcher from Milan, set a new record today by publishing 34 ICS vulnerabilities all at once. In his words from bugtraq, the vulnerabilities include “stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems and various other bugs.” All classic errors in server software applications.

I looked at about 1/3 of the vulnerabilities and they are well documented and include code and commands to exploit the vulnerability. The example below is a link to his code and the exploit command for a Siemens FactoryLink vulnerability.

http://aluigi.org/poc/factorylink_3.zip
  nc SERVER 7579 < factorylink_3.dat

Luigi’s documentation also includes a section on “Fix” and this is filled with “No Fix”. So if you have these products there is exploit code in the wild that will compromise your systems.

The systems come from four different vendors:

  • Siemens Tecnomatix FactoryLink 8.0.1.1473 (6 Vulnerabilities) – FactoryLink is an older HMI/EWS product with an announced end-of-sale date of October 2012. Ironically the page says, “If you would like to inquire about migrating to the Siemens flagship HMI/SCADA product WinCC.” — that is the WinCC of Stuxnet fame. I did not see a free download on a Siemens related site, but it was available elsewhere on the Internet.
  • Iconics GENESIS32 9.21 and GENESIS64 10.51 (13 Vulnerabilities) – Two versions of an HMI product from Iconics. These products are widely deployed in small to medium ICS, and are often used to update the operator environment without upgrading the realtime servers and other backend products. The vulnerable products are available for free download from the vendor's site for evaluation.
  • 7-Technologies IGSS 9.00.00.11059 (8 Vulnerabilities) – 7-T is a Danish company, and both the company and products are new to us. It appears to be another HMI or visualization product. There is actually a free version of this product, so it is also available for download.
  • DATAC RealWin 2.1 (Build 6.1.10.10) (7 Vulnerabilities) – First, DATAC may want to change the headline on the linked page from its current “Secure SCADA Software”. This is not the first vulnerability found in RealWin by Luigi, and it does not appear to be that difficult to find vulnerabilities in this product family. Today he released six stack overflow vulnerabilities and one integer overflow vulnerability. RealWin is another HMI with a free demo download.

Ideally ICS vendors would be implementing an effective Security Development Lifecycle that would catch the common programming errors that lead to vulnerabilities. This includes taking advantage of development tools, integrating fuzz testing into the development process, and adding in-house and third-party security assessments before release.
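To make the "classic errors" concrete, here is an added example (not code from the post, from Luigi's advisories, or from any of the vendors named) of the integer-overflow-in-a-length-check pattern that sits behind many of the bug classes listed above, next to a hardened parser and the kind of small in-process fuzz loop a vendor could run in its build. The wire format ([uint16 count][count 4-byte records]), the function names and the sample messages are all constructed for illustration and are not any product's protocol.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format for this example (not any vendor's protocol):
 * [uint16 count, little-endian][count records of 4 bytes each]. */
#define RECORD_SIZE 4
#define MAX_RECORDS 64

/* The classic defect: the byte count is computed in a 16-bit temporary, so
 * count = 0x4001 gives 0x4001 * 4 = 0x10004, which truncates to 4 and passes
 * a length check that a fixed buffer would then have to absorb 65540 bytes for.
 * Returns 1 if the naive check would accept the message; no copy is performed. */
int naive_length_check_accepts(uint16_t count, size_t available)
{
    uint16_t needed = (uint16_t)(count * RECORD_SIZE);
    return needed <= available;
}

/* Hardened parser: bounds the count first, widens before multiplying, and
 * checks the payload length before touching any byte.  Returns the number of
 * records copied into out, or -1 if the message is malformed. */
int parse_records(const uint8_t *msg, size_t len, uint32_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || len < 2)
        return -1;
    uint16_t count = (uint16_t)(msg[0] | (msg[1] << 8));
    if (count > MAX_RECORDS || count > out_cap)
        return -1;
    size_t needed = (size_t)count * RECORD_SIZE;  /* widened: no 16-bit wrap */
    if (len - 2 < needed)                         /* len >= 2, so no underflow */
        return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = msg + 2 + i * RECORD_SIZE;
        out[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
               | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return (int)count;
}

/* Deterministic in-process fuzz loop (xorshift32, so failures reproduce).
 * Every fourth case is forced to the wraparound count 0x4001.  Returns 1 if
 * every accepted message satisfied the parser's invariants, 0 otherwise. */
int fuzz_parser(unsigned iterations)
{
    uint32_t s = 0x2545F491u;
    uint8_t msg[512];
    uint32_t out[MAX_RECORDS];
    for (unsigned it = 0; it < iterations; it++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        size_t len = s % sizeof msg;
        for (size_t i = 0; i < len; i++) {
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            msg[i] = (uint8_t)s;
        }
        if (len >= 2 && it % 4 == 0) { msg[0] = 0x01; msg[1] = 0x40; }
        int n = parse_records(msg, len, out, MAX_RECORDS);
        if (n < 0)
            continue;
        if (n > MAX_RECORDS || len < 2 + (size_t)n * RECORD_SIZE)
            return 0;  /* parser accepted something it should have rejected */
    }
    return 1;
}

/* Constructed sample messages: a valid two-record message, a message whose
 * count field wraps the naive check, and a message whose payload is short. */
static const uint8_t SAMPLE_OK[]        = {0x02, 0x00, 0x04, 0x03, 0x02, 0x01, 0xDD, 0xCC, 0xBB, 0xAA};
static const uint8_t SAMPLE_WRAP[]      = {0x01, 0x40, 0x00, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_TRUNCATED[] = {0x03, 0x00, 1, 2, 3, 4, 5, 6, 7, 8};

/* Parse sample `which` (0 = ok, 1 = wraparound count, 2 = truncated) and
 * return parse_records' result; *rec receives record idx when rec is non-NULL. */
int parse_sample(int which, size_t idx, uint32_t *rec)
{
    uint32_t out[MAX_RECORDS] = {0};
    int n;
    switch (which) {
    case 0:  n = parse_records(SAMPLE_OK, sizeof SAMPLE_OK, out, MAX_RECORDS); break;
    case 1:  n = parse_records(SAMPLE_WRAP, sizeof SAMPLE_WRAP, out, MAX_RECORDS); break;
    default: n = parse_records(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, out, MAX_RECORDS); break;
    }
    if (rec != NULL && idx < MAX_RECORDS)
        *rec = out[idx];
    return n;
}

/* Convenience accessor for the parsed records of the valid sample. */
uint32_t sample_ok_record(size_t idx)
{
    uint32_t rec = 0;
    parse_sample(0, idx, &rec);
    return rec;
}

int main(void)
{
    printf("valid sample: %d records, 0x%08X 0x%08X\n",
           parse_sample(0, 0, NULL), sample_ok_record(0), sample_ok_record(1));
    printf("naive check accepts count 0x4001 with 4 bytes available: %d\n",
           naive_length_check_accepts(0x4001, 4));
    printf("hardened parser on wraparound sample: %d\n", parse_sample(1, 0, NULL));
    printf("fuzz invariants held: %d\n", fuzz_parser(20000));
    return 0;
}
```

The point of the fuzz loop is that it costs a few dozen lines and runs in milliseconds, so it can sit in a unit test suite and fail the build; the wraparound case it forces is exactly the sort of input a researcher with a free download and a day of spare time will try first.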

Realistically though, there is a huge amount of legacy code out there with latent vulnerabilities waiting for smart guys like Luigi to find. Vendors that are making their software available for download have to expect that someone in the security research community, and probably some bad guys, will download the product just to find vulnerabilities and build exploits. We mentioned this in previous blog entries, but hopefully 34 vulnerabilities will prove the point.

ICS vendors, do you have products available for free download? Have they undergone any security testing? If not, prepare for the very likely experience of 0days.

Image by Viajar24h.com


Comments

  1. PJ Coyle says

    March 21, 2011 at 19:45

    Is anyone keeping track of how long it takes ICS-CERT to publish alerts on these vulnerabilities?

Copyright © 2019 Digital Bond. - All Rights Reserved ·