More than 30 flaws have been reported in supervisory control and data acquisition (Scada) software used in critical infrastructure systems.
The flaws exist in software from Siemens, Iconics, 7-Technologies and Datac, Italian researcher Luigi Auriemma said in a posting to the Bugtraq mailing list on Monday. Auriemma has published proof-of-concept code for many of the flaws, which remain unpatched.
"In technical terms the Scada software is just the same as any other software used every day, so with inputs (in this case they are servers, so the input is the TCP/IP network) and vulnerabilities: stack and heap overflows, integer overflows, arbitrary command execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems and various other bugs," said the researcher.
Auriemma told ZDNet UK on Tuesday: "The vulnerabilities did not take much time to find. I spent from some hours to a maximum of two days for each vendor. The vendors have not been contacted because public disclosure is already a big favour that researchers do for the software companies, completely for free."
The reported flaws in Siemens Tecnomatix FactoryLink include vulnerabilities that an attacker could use to compromise the affected systems, according to Auriemma. Siemens is phasing out Tecnomatix FactoryLink, but the product will remain fully supported until October 2012.
Iconics managing director Clive Walton told ZDNet UK that he had software engineers examining the reported flaws in the Iconics Genesis32 and Genesis64 software, but that from an early analysis the vulnerabilities did not look serious.
"Our initial response is it's an extremely low risk," said Walton. "The [proof-of-concept code] fails and crashes."
Datac chief executive Cyril Kerr told ZDNet UK that the reported flaws in the company's RealWin software did not affect Datac's flagship product, RealFlex 6.
"We were notified about this vulnerability just this morning in fact," said Kerr. "We have passed this information to engineering, who are currently looking at the problem. The reported vulnerabilities concern the demo version of our RealWin software."
Siemens and 7-Technologies had not responded to a request for comment at the time of writing.
Update, 23 March 2011: Auriemma responded to Walton's statement:
"All the vulnerabilities in [the Iconics] product allow code execution, but the code I provided is only a way to check that they exist — not a weaponised toolkit to become administrator on a remote machine."