Critical Infrastructure Security, Vulnerability Management

Researcher again discloses multiple SCADA flaws

An Italian researcher has discovered and released details of at least a dozen vulnerabilities affecting industrial control systems, which operate critical infrastructure facilitates, such as power plants and oil refineries.

Luigi Auriemma last week disclosed the previously unknown flaws, along with proof-of-concept (PoC) exploit code, prompting the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to issue advisories.

The flaws affect various supervisory control and data acquisition (SCADA) systems, including AzeoTech DAQFactory, Beckhoff TwinCAT, Carel PlantVisor, Cogent DataHub, Measuresoft ScadaPro, Progea Movicon and Rockwell RSLogix. Such systems are used to manage operations at facilities across a range of industries, including energy, water, wastewater, oil-and-gas, manufacturing and finance, according to the ICS-CERT advisories.

The bugs could allow an attacker to execute code, download files from a remote machine or cause a denial-of-service, Auriemma told in an email interview Monday.

Auriemma made headlines in March for disclosing dozens of zero-day SCADA flaws. The affected software in the latest batch are “smaller or less known” than those previously disclosed, he said.

But he admitted: “I'm not in the SCADA sector so what looks ‘small' to me, in reality, can be bigger than what I think."

Rockwell is the most well-known vendor affected in the latest group of flaws, he said. The issue appears to exist in multiple Rockwell products, but may be difficult to exploit, he said.

“A denial-of-service is sure, while the code execution is in doubt,” Auriemma said of the Rockwell issue.

That company has released an advisory about the flaw, and promised a fix within 14 days, according to ICS-CERT.

The most severe issue, affecting Measuresoft ScadaPro 4.0.0, has been corrected, but could have allowed a hacker to gain control of a remote system, Auriemma said. Measuresoft on Thursday released ScadaPro 4.0.1, which corrects the issue.

The company downplayed the severity of the flaw, however, noting it was tested “out of normal context” and expressed concern over the way it was disclosed.  

“Ethical hacking ensures that the person being attacked is aware of the attack, which was not the case in this instance,” the company said.

The flaws were not difficult to find, Auriemma said.

“I did everything as fast as possible, dedicating only some minutes to each one of them," said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.