As there has been a furor of emails on various lists regarding the recent Citect vulnerability Metasploit modules I thought a little discussion of the risk of Non-Disclosure might prove valuable.
Disclosure and the development of such a modules do increase exposure. An unpatched, unmitigated, and exposed system now becomes ripe for exploitation by script kiddies, which does increase exposure and risk. But what is the risk of an undisclosed vulnerability?
Does a vulnerability that has not been disclosed not exist? Does the risk suddenly spring into existence because it is published/dissemenated? Of course not. It was there and hidden, and possibly known by someone.
My experience in performing and exposure to the results of software and protocol reviews employed by SCADA and Digital Control systems leads me firmly to the conclusion that these systems are rife with vulnerabilities of the most basic type, namely simple buffer overflows. In my opinion there exist one or more such simple exploits in every product used in our industry, though much has been done to reduce this in the newest and soon to be released products.
The IT side of software development went through these type of growing pains 10 years ago as the knowledge of finding these type of bugs disseminated across the globe. The publication of these flaws does increase exposure and in turn risk, but the disclosure also drives mitigation.
When first contacted about said stack overflow flaw (according to the publicly available timelines) the vendor basically responded with “Meh, we are not going to do anything about it.” It was only as their awareness of the ramifications of the flaw grew, that they took action to mitigate. And they were very slow in doing so. Yes the publication of such a vulnerability does possibly create PR and financial backlash for the vendor, but it does not create the flaw, it already existed and therefore is inherent risk.
To get a better picture of what I am speaking of consider the following video entitled “Did You Know” that I first saw at the DOE CST conference of 2007 (Provided in wmv and mov format). Pay particular attention to the segments that touch on the populations and potential of China and India. China proved in this round of olympics that when you have a population of over 1 billion people, statistically speaking, you have a lot of exceptional people, in any field to choose from (this includes people who make good hackers). The video notes that the 25% of people in China with the highest IQs exceeds the number of total population in North America eg the United States, Canada and Mexico combined and in the vernacular of school teachers, that the number of “honor” type students in China’s educational system exceeds the total number of children in North America.
To think that only one researcher or research group has found a specific 0 day exploit for a control system is to ignore the odds. To think that there are not groups in other nation states sitting upon 0 days is, in the phrasing I have oft used “shear insanity.” The vulnerabilities are remedial at best and very simple to find. The majority of such simple bugs were weeded out of the IT side of things years ago but are still prevelant in the majority of the products that we use to control “Critical Infrastructure.” And as it is critical the risk is that much higher. The recent leak of the firmware vulnerability is a case in point. Everyone with exposure to these systems knew that this was a risk, and no one was surprised by the contents of the briefing.
It seems to me and I think history supports the assertion, that vendors will only move to mitigate when facing immanent disclosure. Hence disclosure drives mitigation. Disclosure does not increase risk as much as non-disclosure, because at least through disclosure awareness is gained and mitigation becomes available.
This is why in hacking circles the undisclosed 0 day is so coveted. There are no mitigations impeding the use of a 0 day exploit. It is the golden key. Due to the ease of finding the flaws in control system software how many “research groups” with good or bad intentions are sitting upon 0 day exploits against critical infrastructure? And if you think the answer is 0 then you live in a different world……