Luigi Auriema Auriemma, an Italian researcher from Milan, set a new record today publishing 34 ICS vulnerabilities all at once. In his words from bugtraq, the vulnerabilities include “stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems and various other bugs.” All classic errors in server software applications.

I looked at about 1/3 of the vulnerabilities and they are well documented and include code and commands to exploit the vulnerability. The example below is a link to his code and the exploit command for a Siemens FactoryLink vulnerability.

http://aluigi.org/poc/factorylink_3.zip
  nc SERVER 7579 < factorylink_3.dat

Luigi’s documentation also includes a section on “Fix” and this is filled with “No Fix”. So if you have these products there is exploit code in the wild that will compromise your systems.

The systems come from four different vendors:

• Siemens Tecnomatix FactoryLink 8.0.1.1473 (6 Vulnerabilities) – FactoryLink is an older HMI/ EWS product that has an end of sale date announced of October 2012. Ironically the page says, “If you would like to inquire about migrating to the Siemens flagship HMI/SCADA product WinCC.” — that is the WinCC of Stuxnet fame. I did not see a free download on a Siemens related site, but it was available elsewhere on the Internet.
• Iconics GENESIS32 9.21 and GENESIS64 10.51 (13 Vulnerabilities) – Two versions of a HMI product from Iconics. These products are widely deployed in small to medium ICS, and often are used to update the operator environment without upgrading the realtime servers and other backend products. The vulnerable products are available for free download from the vendors site for evaluation.
• 7-Technologies IGSS 9.00.00.11059 (8 Vulnerabilities) – 7-T is a Danish company, and both the company and products are new to us. It appears to be another HMI or visualization product. There is actually a free version of this product so it is also available for download.
• DATAC RealWin 2.1 (Build 6.1.10.10) (7 Vulnerabilities) – First, DATAC may want to change the headline on the linked page from its current “Secure SCADA Software”. This is not the first vulnerability found in RealWin by Luigi, and it does not appear to be that difficult to find vulnerabilities in this product family. Today he released six stack overflow vulnerabilities and one integer overflow vulnerabilities. RealWin is another HMI with a free demo download.

Ideally ICS vendors would be implementing an effective Security Development Lifecycle that would catch the common programming errors that lead to vulnerabilities. This includes taking advantage of development tools, integrating fuzz testing into the development process, and adding in-house and 3rd part security assessments before release.

Realistically though, there is a huge amount of legacy code out there with latent vulnerabilities waiting for smart guys like Luigi to find. Vendors that are making their software available for download have to expect that someone in the security research community, and probably some bad guys, will download the product just to find vulnerabilties and build exploits. We mentioned this in previous blog entries, but hopefully 34 vulnerabilities will prove the point.

ICS vendors, do you have products available for free download? Have they undergone any security testing? If not, prepare for the very likely experience of 0days.

Image by Viajar24h.com