Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

CitectSCADA patch to be urgently applied

Core Security Technologies : 12 June, 2008  (Technical Article)
Enterprise security experts Core Security Technologies advises all CitectSCADA users to apply the latest patch immediately to prevent their process control and industrial networks from being left open to compromise
Core Security Technologies, makers of Core Impact, the world's most comprehensive enterprise security assurance testing software, has issued an advisory disclosing a vulnerability that could severely impact organisations relying on Citect's flagship industrial process control software, CitectSCADA. This discovery indicates that thousands of companies using Citect's SCADA systems could unknowingly be exposing critical industrial processes and assets that they otherwise sought to protect if they do not immediately move to apply the vendor-provided patch, or other suggested workarounds for the vulnerability issued by the software maker.

According to CoreLabs, the research arm of Core Security that initially discovered the flaw and reported it to Citect, an attacker could potentially utilize the vulnerability to gain remote, unauthenticated access to a host system running CitectSCADA. If successfully exploited in this manner, the issue could allow an attacker to subsequently execute arbitrary code on vulnerable systems to take control of operations dependent on the vulnerable software.

Citect's official security update for the issue - which is available from the vendor upon request - offers customers the option of disabling open database connectivity (ODBC) or automatically discarding malformed ODBC packets of the type that CoreLab's research had indicated may be used to exploit the vulnerability.

However, the vendor maintains that no SCADA, PLC, DCS, RTU or Process Control networks should ever be exposed unprotected to the Internet. Rather, Citect advises that organizations operating such networks should either isolate the systems from the Internet entirely, or utilize technologies including firewalls to keep them protected from improper external communications.

Despite the fact that nearly all SCADA software makers maintain a similar stance in terms of advising customers to keep the systems walled-off from the Internet, the reality is that many organizations do have their process control networks accessible from wireless and wired corporate data networks that are in turn exposed to public networks such as the Internet, according to CoreLabs experts.

"While it is known that SCADA software as a whole was not designed to be accessible over public networks and therefore should not be accessible outside of highly isolated Process Control Systems networks, the reality is that most organizations end up with their systems accessible through wireless and wired corporate networks, or even public networks," said Iván Arce, CTO Core Security Technologies. "As such, vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner."

Citect lists a broad range of customers for the affected technology, including organizations in the aerospace, food, manufacturing, oil and gas, and public utilities industries. In addition to working directly with the vendor to address the reported vulnerability, Core has been in close contact with the official US, Argentine and Australian Computer Emergency Response Teams (CERTs) to ensure that organisations running CitectSCADA are notified of the situation. Core Security is based in the US and Argentina, and Citect is based in Australia.

The vulnerability found in CitectSCADA could allow a remote un-authenticated attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete control of the software.

The CitectSCADA and CitectFacilities applications include ODBC server capabilities to provide remote SQL access to a relational database. For that purpose, an ODBC Server component is used to service requests from clients on TCP/IP networks. Requests are serviced over a TCP high-port in which the application layer protocol reads an initial packet that specifies the length of data and then a second packet of data, of the same lenght is then read. Once the data is read from the network, it is then copied to an internal buffer of fixed size allocated in the stack without previously verifying that the buffer is big enough to store all the read data.

The vulnerability is related to a lack of a proper length-checking on data read from the network. A specially crafted combination of length and data packets could be used to exploit the vulnerability allowing an un-authenticated attacker to execute arbitrary code on vulnerable systems.

The bug is a texbook example of classic simple stack-based buffer overflow vulnerabilities of the 1990s that can be exploited by overwriting the return address of the currently running thread.

User organizations should deploy the vendor patch, which is available upon request at the Citect web site or disable the vulnerable service (ODBC server) if it is not needed in their particular installation.

In general, process control networks should be physically isolated from corporate or other publicly accessible data networks. An isolated network will limit the exposure of systems with network-facing vulnerabilities to only accidental disruption or potentially malicious users or systems within the process control network itself.

However, if physical isolation of the process control network or patch deployment is not feasible, it is strongly recommended that strict access control mechanisms are enforced and monitored regularly to verify that only the absolute minimal set of required systems from both within and outside the process control network are allowed to connect to other systems within the process control network.

For more information about an official fix and affected systems please contact the vendor directly and for additional information on this vulnerability please view the advisory on the Core Security Technologies web site.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo