Metasploit and SCADA exploits: dawn of a new era?

Metasploit and SCADA exploits: dawn of a new era?

Summary: On 18 October, 2010 a significant event occurred concerning threats to SCADA (supervisory control and data acquisition) environments. Let's think through the ramifications.

SHARE:

Guest editorial by Shawn Merdinger

On 18 October, 2010 a significant event occurred concerning threats to SCADA (supervisory control and data acquisition) environments.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.  Here are some striking facts about this event:

  1. This was a zero-day vulnerability that unfortunately was not reported publicly, to a organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.
  2. This exploit was not added to the public Exploit-DB site until 27 October, 2011.
  3. The existence of this exploit was not acknowledged with a ICS-CERT advisory until 1 November, 2010.
  4. This is the first SCADA exploit added to Metasploit.

So what are the lessons learned and takeaways from this seminal event?

(Click image for full size screenshot of the exploit in Metasploit Pro)

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

Personally, I expect we will see in the next 12 months at least a doubling of the known 16 SCADA vulnerabilities documented in NIST’s National Vulnerability Database.

Second, the diverse information sources that SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWinbuffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues.  Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

I expect SCADA security issues will be the shiny hot topic on the 2011 security and hacker conference circuit, both in the US and abroad.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

Often, there is no security point-of-contact at the vendor.  Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

And it is worth mentioning that a vendor acknowledging a product security issue is then“on the hook” — so there is incentive for the vendor to dismiss the vulnerability report.

Even in the case of specialty SCADA security shops reporting vulnerabilites to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical research.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-relate exploits into a powerful tool.

For a kinetic metaphor, Metasploit is akin to a.50 caliber sniper rifle, and a zero-day SCADA vulnerability is equivalent to a .50 caliber depleted uranium round for that rifle.

As a SCADA end user, what are you to do?

I recommend the following, at a minimum:  push your vendors to have a product security POC and process, monitor resources like SCADASEC, keep current with tools like Metasploit, receive vulnerability notifications from appropriate CERT organizations like ICS-CERT.

* Shawn Merdinger is a network security analyst at University of Florida Health Science Center.

UPDATE:

  • This vulnerability and exploit was first published on September 26, 2008.
  • DigitalBond has an IDS signature published in September 2008 for this exploit.

Topics: Software, Enterprise Software, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

5 comments
Log in or register to join the discussion
  • Additional Updates to this post

    This vulnerability "DATAC RealWin SCADA 1.06 Buffer Overflow Exploit" and the vulnerability in September, 2008 "DATAC RealWin SCADA Software PreaAuth" do _seem_ to differ. Further verification is needed.

    A good point however is questioning what the vendor has learned...
    shawnmer
    • Well, there were a lot of problems here. First, it was Windows based, a big

      no-no for anything that must be secure and reliable. Second, they did not have any business connecting them to the internet, except through VPNs with very restricted access. Third, since SCADA code is very low volume software, the are not the armies of people that are working on projects like Linux to find bugs and vulnerabilities. Finally, being closed source allows them to hide all of the sloppy, insecure, code.
      DonnieBoy
      • RE: Metasploit and SCADA exploits: dawn of a new era?

        @DonnieBoy - So a vulnerability in a third party product is Microsoft's fault because it runs on Windows? Your constant anti-MS barage is extremely annoying and quite frankly boring. Also, you're twisting things to make Windows seem like the only OS that has security holes.

        Given that I keep track of updates for Windows, Linux and OS X for my family's computers and ALL of them have security updates, seems to me that the only truly SECURE computer is one that's turned off.

        Or did you conveniently forget that fact?
        PollyProteus
  • Author Updates and Clarification

    Author update here.<br><br>Some folks have helpfully pointed out some issues to me about this blog post. If you are interested in the specifics, please see the SCADASEC mailing list archives here:<br><br><a href="http://news.infracritical.com/pipermail/scadasec/2010-November/thread.html#start" target="_blank" rel="nofollow">http://news.infracritical.com/pipermail/scadasec/2010-November/thread.html#start</a><br><br>Cheers,<br>--scm
    shawnmer
  • RE: Metasploit and SCADA exploits: dawn of a new era?

    None of the SCADA systems I have designed, or worked on have ever been internet connected, they are on their own private intranet, or dedicated land lines or radio links.

    In that situation the radio links are the weakest point, you cannot 'hack' these systems from the internet.
    You have to gain physical access, and it does not necessary involve the "supervisory" aspect, the common way to hack these systems is to 'become' a node, and take over a PLC (programmable logic controller), Citect, is one of if not the biggest supervisory software vandor and they take security very seriously.

    But you dont need to 'hack' the supervisor software, you can poke around the DNP and SyMAX protocols, and just use that to gain access to the system, (by becomeing or taking over a node).

    But if you do not have physical access, you will not have internet access to the system.. So you script kiddies,, bad luck..

    Expect jail time, for hacking SCADA systems, and if you are lucky manslaughter or murder charges..
    Aussie_Troll