Italian researcher Luigi Auriemma has released another set of vulnerability advisories and proof of concept exploit code for a variety of ICS products. He is finding overflows on the proprietary services the vendors are writing. You hear often in ICS, “don’t scan it because it will crash”. This is what he is finding, and he says it is not difficult.
this time the “time factor” was the keyword so I spent only some minutes on this stuff: find the inputs (activex/ports/files), check the protocol of the unknown services (like scadapro) and give them a very quick test.
This is not to diminish the finding. Sometimes hard evidence like he is presenting is what is needed rather than a generic warning. It is the same rationale why we are doing Project Basecamp even though “everyone knows that PLC’s have little or no security and are easily compromised”.
Luigi is doing a bit more than scanning. He has built up a toolset that he uses against all products, not just ICS. He also then does a bit more work to find where the crash occurred and write up some proof of concept code.
Here is the list of products with vulnerabilities in what we are calling Luigi II:
- Azeotech DAQFactory
- Beckhoff TwinCAT
- Cogent Datahub
- Measuresoft SCADAPro
- Progea Movicon
- Rockwell Automation RSLogix
Most of the products are free or low cost HMI or engineering workstation products. RSLogix is used to configure the RA line of Logix PLC’s which are widely deployed in the critical infrastructure. Beckhoff is the big EtherCAT vendor, a high performance ICS protocol used primarily in manufacturing and in Europe. The other vendors are smaller, add-on HMI, visualization and data transfer products that are used in either very small systems or as an addition/accessory to a larger system.
ICS-CERT has bulletins out for all the Luigi II advisories, but at this point they are just relaying the information. That may be all that is warranted for this type of vulnerability. ICS-CERT time might be better spent writing a useful and effective bulletin that is still lacking for the Beresford vulns, or even Stuxnet. Focusing their expertise on the vulns most likely to impact the US critical infrastructure. Finally, no mention of Luigi Auriemma per ICS-CERT policy of only recognizing researchers who coordinate disclosure through them.
Image by FeatheredTar