Wonderware SuiteLink Denial of Service Vulnerability (part 2)
I couldn’t let the Wonderware Suitelink vulnerability go by without commenting on it, and even Jason commenting on it below won’t steal my thunder.
First, let's talk about the vulnerability from a technical perspective. It appears to be a fairly classic example of a program allocating an amount of memory based on a size supplied in the user's request (in the exploit case this is normally a very large or a negative amount) and then failing to check whether the allocation succeeded before writing to the requested memory.
In this case the vulnerability doesn't seem to be usable to run arbitrary code on the system, but being able to crash a system or service at will with a single unauthenticated network packet is still bad news. The lesson is to always check return values; it's a lot like checking the expiration date on the milk carton before taking a big gulp.
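To make the bug pattern concrete, here is an added example (not Core's proof of concept and not Wonderware's code) showing an unchecked length-driven allocation next to the checked version. The message layout, the MAX_PAYLOAD limit and the injectable allocator are all constructed for illustration and are not the SuiteLink wire format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message layout for illustration only (not the real SuiteLink
 * format): a 4-byte little-endian payload length followed by the payload. */
#define HDR_LEN 4u
#define MAX_PAYLOAD 4096u

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_ALLOC_FAILED = -2 };

/* Allocator is injectable so the failure path can be exercised in a test
 * without actually exhausting memory. */
typedef void *(*alloc_fn)(size_t);

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern described in the post: the attacker-supplied length
 * drives the allocation and the result is used without being checked. A huge
 * (or "negative") length makes the allocation return NULL, and the memcpy then
 * writes through that NULL pointer: one unauthenticated packet, one crash. */
int handle_request_unchecked(const unsigned char *msg, size_t msg_len, alloc_fn alloc) {
    (void)msg_len;                         /* never compared to the declared length */
    uint32_t declared = read_le32(msg);
    unsigned char *buf = alloc(declared);  /* may be NULL, nobody looks */
    memcpy(buf, msg + HDR_LEN, declared);  /* NULL write, or over-read past msg */
    free(buf);
    return REQ_OK;
}

/* Hardened version: bound the length, check it against what was actually
 * received, and check the allocation result before touching the memory. */
int handle_request_checked(const unsigned char *msg, size_t msg_len, alloc_fn alloc) {
    if (msg_len < HDR_LEN) return REQ_BAD_LENGTH;
    uint32_t declared = read_le32(msg);
    if (declared > MAX_PAYLOAD || declared > msg_len - HDR_LEN) return REQ_BAD_LENGTH;
    unsigned char *buf = alloc(declared ? declared : 1);
    if (buf == NULL) return REQ_ALLOC_FAILED;   /* the check the post says was missing */
    memcpy(buf, msg + HDR_LEN, declared);
    free(buf);
    return REQ_OK;
}

/* Allocator that always fails, used to exercise the REQ_ALLOC_FAILED path. */
void *failing_alloc(size_t n) { (void)n; return NULL; }
```

Only the checked handler is safe to call with hostile input; the unchecked one is there to read, not to run.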
The more interesting part of this vulnerability for me is the process that Core and Wonderware went through. Over the years I’ve read a lot of advisories, and the “Report Timeline” section of this one had me alternating between shaking my head in disbelief and laughing. Here is a gem to let you see what I mean:
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org where a Python interpreter can be downloaded.
I'm not going to get into the politics of disclosure, as that's been argued enough that everyone knows how they feel and no one is going to change their mind, but the process that these two went through over the course of 3 months was a little ridiculous. I'm not sure if it was stalling, or just unfamiliarity with dealing with vulnerability information, but processes should be in place at any vendor that cares about better securing its products to take vulnerability reports seriously from day 1. There is an understandable amount of hesitation when dealing with companies that release vulnerability details, but from a client's perspective, working with them as best you can and having a patch available when the advisory is released is much better than the alternative.
Author: Daniel Peck
Posted: May 6th, 2008 under SCADA Vendor, Vulnerability Disclosure.
Comments: 11
Comments
Comment from Matthew Franz
Time: May 6, 2008, 9:11 pm
I agree the python line was hilarious (they were probably getting out their MSDN discs and scratching their heads) but 3-4 months is actually commendable for folks that are new in the game. It's not bad for folks that are old hat, either. Really there is no incentive to define these processes or build out teams as long as there continue to be a trickle of finders.
Comment from Daniel Peck
Time: May 6, 2008, 9:57 pm
No doubt there's some truth to that, but 25% of the time seems to be complete inaction. I'm not advocating that every company have a full time security staff, but I think at least having a point of contact that's known internally to sort out the wheat from the chaff on these issues is important.
Disclosure policies at companies like Core often state that if the vendor doesn't respond in 2 weeks they'll release details publicly, and that has potential to put clients in a position of risk that they had no way of mitigating just because of a slow response. With such a slow trickle a simple acknowledgment doesn't seem unreasonable.
Comment from Ralph Langner
Time: May 7, 2008, 8:33 am
Daniel, from what Wonderware tells us we should assume that they do have a full time security staff. They even offer risk assessments.
Check http://www.wonderware.com/support/security/
I also like this one:
Comment from amino world
Time: May 7, 2008, 9:19 am
this timeline is deplorable… there’s a lot of smart people working on both sides (researchers and suppliers) of the vulnerability disclosure issue. is this really the best that our industry can do?
"The greatest danger for most of us is not that our aim is too high and we miss it, but that it is too low and we reach it." Michelangelo
Comment from Matthew Franz
Time: May 7, 2008, 9:00 pm
Ralph,
I don’t buy it. That is a marketing or professional services organization (at best) but not an incident response team.
Where’s the security email for reporting vulns? Where is the PGP. Or did the page not render properly on Firefox?
Hey Amino,
While I appreciate the idealism, Having worked all sides of the table (finder, vendor, user) I don’t want a bug fix for a critical app, device, code out the door in less than a month. Because somebody cut some corners.
- mdf
Comment from Ralph Langner
Time: May 8, 2008, 1:53 am
Matt, I must admit that it crossed my mind that all those security folks might be part of the marketing department...
Comment from cnioperator
Time: May 9, 2008, 6:28 am
So what do CORE hope to achieve in going public with these vuln’s?
From my perspective all I see is a shit storm that I could do without.
This is one area the IT guys need to appreciate that the SCADA world is different.
Comment from Ralph Langner
Time: May 10, 2008, 3:24 pm
CNI, in respect to Core I recommend studying Marcus Ranum, who coined the term "vulnerability pimp". (I like that term, even if I don't subscribe to Marcus' general policy for vulnerability disclosure.) I don't know Core, but my strong guess is that they pulled this off for publicity purposes, as so many other security companies have done before. If they did it, we have to acknowledge success.
On the other hand, I think it is a fair assessment that Wonderware did surprise us on the negative side with how they reacted to the disclosure, especially when seen in context with THEIR publicity efforts in the security game.
Comment from pierce
Time: May 11, 2008, 9:16 am
Ralph, I’m casting doubt that publicity was a primary goal for disclosing this vulnerability. If CORE had access to the WonderWare suite, this can’t be the only bug they found, so releasing this one first and alone perplexes me.
The publicity is evident in the companies that buy vulnerabilities and pay higher prices for lower end bugs in control systems software than they do for enterprise software, just so they can turn around and release them to drum up some headlines.
Comment from Ivan Arce
Time: May 15, 2008, 9:24 pm
Hello,
I personally wouldn't comment so lightly on other people's work but if I did I would try not to use insulting terms such as "vulnerability pimp" or "firewall whore". Then again every one is entitled to his/her own opinions and expressions.
Core has been finding bugs and reporting them to vendors for more than 13 years, in fact it has pioneered in that particular aspect of security research and done so long before the coinage of the term “responsible disclosure” in 2002. We don’t buy nor sell vulnerability information and we do not need to do marketing stunts with security bugs to support our business, we simply feel that if we found out about a security problem it is our responsibility to inform the potentially vulnerable so they become aware of their exposure and have the opportunity to do something about it. A few years ago after several rounds of public (and closed-group) debate on the topic of what constitutes responsible or irresponsible disclosure we decided to make the process much more transparent. Thus the detailed time line section in our advisories, to give the reader the opportunity to see the actual “internals” of the process and use his/her own judgment.
btw, cniop: we IT security guys do not live in an alternate universe, we live in the same world and I personally do not want to be blown to pieces one day just because somebody didn't know that something running the SCADA world had to be fixed, therefore I'll try to do my best to inform those that can fix the problem.
Interestingly enough it seems that so far nobody picked up from the timeline the fact that the vendor had issued a technical alert more than 40 days before Core published the advisory...
Comment from Ralph Langner
Time: May 18, 2008, 1:46 pm
Ivan, the Ranum phrase was not meant as an insult, and I apologize if it can be interpreted as such. Vulnerability disclosure happens to span a large grey zone which is marked by the quoted pimps on one end and the Mother Teresas who only act for the greater good of humanity on the other end. Most cases seem to be somewhere in the middle, and it looks like we have to depend on our own personal judgement in every single case. Personally, I don't have any objections against disclosures which act to generate publicity, just as with a company which sponsors t-shirts for the local soccer club. It's only when the criticality of a specific vulnerability is vastly exaggerated that things get smelly, but I don't see that this is the case here. Again, no offense.