Italian researcher Luigi Auriemma has released another set of vulnerability advisories and proof-of-concept exploit code for a variety of ICS products. He is finding overflows in the proprietary services the vendors are writing. You often hear in ICS, “don’t scan it because it will crash”. This is what he is finding, and he says it is not difficult:

> This time the “time factor” was the keyword so I spent only some minutes on this stuff: find the inputs (activex/ports/files), check the protocol of the unknown services (like scadapro) and give them a very quick test.
This is not to diminish the finding. Sometimes hard evidence like he is presenting is what is needed rather than a generic warning. It is the same rationale behind Project Basecamp, even though “everyone knows that PLCs have little or no security and are easily compromised”.
Luigi is doing a bit more than scanning. He has built up a toolset that he uses against all products, not just ICS. He then does some additional work to find where the crash occurred and writes up proof-of-concept code.
Here is the list of products with vulnerabilities in what we are calling Luigi II:
- Azeotech DAQFactory
- Beckhoff TwinCAT
- Cogent Datahub
- Measuresoft SCADAPro
- Progea Movicon
- Rockwell Automation RSLogix
Most of the products are free or low-cost HMI or engineering workstation products. RSLogix is used to configure the Rockwell Automation line of Logix PLCs, which are widely deployed in critical infrastructure. Beckhoff is the major vendor behind EtherCAT, a high-performance ICS protocol used primarily in manufacturing and in Europe. The other vendors are smaller, add-on HMI, visualization and data transfer products that are used either in very small systems or as an addition or accessory to a larger system.