Bug Security IT

ICS-CERT Warns of Serious Flaws In Tridium SCADA Software

Posted by timothy
from the their-security-problems-are-scadalous dept.
Trailrunner7 writes "The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems. The string of bugs reported by Rios and McCorkle includes a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities."
  • by Anonymous Coward

    ...these aren't machines you're hooking to the Internet. Right?

    • Re: (Score:3, Funny)

      by Zlotnick (74376)

      Of course they aren't connected to the internet. They're connected to each other by unencrypted radio links.

      • by Sulphur (1548251)

        Of course they aren't connected to the internet. They're connected to each other by unencrypted radio links.

        They do have checksums on the packets so that someone's garage door opener doesn't open a valve.

        • by tibit (1762298)

          Yeah, but a bunch of modbus stuff going over a radio link isn't exactly hard to spoof, ya know.

        • by mcgrew (92797) *

          Why do I get images of Trinity blowing up a power station in that Matrix movie that sucked so bad?

    • by Alarash (746254)
      In the case of Stuxnet, the hackers aimed to infect all the computers in the Bushehr power plant. Eventually one got connected to a SCADA system and the main part of the virus kicked in (giving false readings while sending commands that'd break the system).
      • You fool!

        This is clearly Doc Ock back in action.

        Poor Spiderman is probably too busy formatting his computer after catching a rootkit off Bing. :(

    • Re: (Score:1, Informative)

      by wiredmikey (1824622)

      It's not really SCADA, it's different. SCADA is from Siemens, this is different and the Niagara Framework is used in places beyond big facilities such as power plants and factories. The Niagara framework reaches office buildings, hospitals, airports and more.

      http://www.securityweek.com/niagara-vulnerabilities-put-office-buildings-airports-hospitals-risk [securityweek.com]

      That being said, this warning was originally issued back in July with ICS-CERT not really adding anything new in this warning.

      -M

      • by superflex (318432) on Thursday August 16, 2012 @07:17PM (#41018119) Homepage
        Sorry, what? It's not really SCADA? No, actually it's exactly SCADA.

        SCADA is a general-use acronym, Supervisory Control And Data Acquisition. It has been in common use in the industrial control system world for at least 20 years. It is not a term specific to Siemens or any other control systems vendor. And it is not incorrect to apply the acronym to application areas like building automation; there can be a fair amount of overlap in system architecture, devices, & communication protocols between building automation and industrial manufacturing automation.

        Source: 10 years experience as an industrial control systems engineer.

        • Re: (Score:3, Insightful)

          by some old guy (674482)

          Mod Superflex up = Informative.

          Every platform that I've ever worked with in 20+ years of industrial networking (yeah, I remember TISTAR over coax) has demonstrated its own unique vulnerabilities that the vendors arrogantly ignore. The diligent engineer/integrator must, regardless of platform or deployment, be aware and take reasonable precautions.

          Automation as an industry shares the same classic security handicaps as the internet and telecom industries: Careless users, badly written code, and low-budget ma

    • by _0xd0ad (1974778) on Thursday August 16, 2012 @06:34PM (#41017687) Journal

      Actually, it's designed to be web-facing [tridium.com].

      Niagara^AX is a software framework and development environment that solves the challenges associated with building Internet-enabled products, device-to-enterprise applications and distributed Internet-enabled automation systems.

      Worse, this is a laughably simple exploit of the web-facing interface [threatpost.com]:

      By default, the Tridium Niagara AX software is not configured to deny access to restricted parent directories... An attacker could exploit this vulnerability by sending a specially crafted request to the Web server running on Port 80/TCP

      "The system insecurely stores user authentication credentials, which are susceptible to interception and retrieval. User authentication credentials are stored in the Niagara station configuration file, config.bog, which is located in the root of the station folder"

      In other words, it's about as simple as GET /../config.bog HTTP/1.1
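From a defender's side, the request quoted in the comment above is easy to spot in web server access logs. The following is an added example (not code from the thread, the advisory, or Tridium): it percent-decodes each request target, walks its path segments to see whether it climbs above the web root, and marks hits on config.bog (the file the advisory names) as critical. The log lines are constructed samples in common log format, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (common log format); the traversal
# requests mirror the GET /../config.bog request discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2012:18:34:01 -0400] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [16/Aug/2012:18:34:07 -0400] "GET /../config.bog HTTP/1.1" 200 9081
10.0.0.9 - - [16/Aug/2012:18:34:09 -0400] "GET /%2e%2e/%2e%2e/config.bog HTTP/1.1" 200 9081
10.0.0.5 - - [16/Aug/2012:18:35:00 -0400] "GET /static/app.js HTTP/1.1" 200 2048
10.0.0.7 - - [16/Aug/2012:18:35:04 -0400] "GET /docs/../docs/readme.txt HTTP/1.1" 200 300
"""

# Source address, method, request target and status from a common-log line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decoded_path(target: str) -> str:
    """Path component of the request target after one round of percent-decoding
    (assumption: the server decodes once; double-encoded forms are not handled)."""
    return unquote(urlsplit(target).path)


def escapes_web_root(target: str) -> bool:
    """True if the path climbs above the web root at any point.
    A running depth counter is used instead of os.path.normpath, because
    normpath silently discards a leading '..' on absolute paths."""
    depth = 0
    for seg in decoded_path(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False  # '/docs/../docs/x' stays inside the root and is not flagged


def flag_traversal(log_text: str) -> list:
    """Return (src, target, severity) for every request that escapes the root;
    'critical' when the decoded path ends in config.bog, else 'high'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_web_root(m["target"]):
            severity = "critical" if decoded_path(m["target"]).endswith("/config.bog") else "high"
            hits.append((m["src"], m["target"], severity))
    return hits
```

A match with a 200 status, as in the sample, means the file was actually served, which is the case that should page someone rather than just be logged.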

  • Big Surprise (Score:4, Insightful)

    by Infin1niteX (950492) on Thursday August 16, 2012 @04:45PM (#41016465)
    All of these SCADA systems were using security by obscurity or just no security at all for years. So we're going to keep seeing these alerts and warnings for a while. Shoot, we still see them with major desktop and server operating systems. If there is a reason to exploit a system, someone will figure out how to.
    • Not really. They're often designed around OPC which uses DCOM security. It is obsolete, but there is security. It simply gets disabled because DCOM is a disaster to work with. They're pushing OPC UA and OPC Xi now to fix this.

  • Errrm... SCADA is 'shit' in Greek.
    • by Anonymous Coward

      SCADA software and POS software has many similarities.

  • After All (Score:4, Insightful)

    by TheSpoom (715771) on Thursday August 16, 2012 @05:00PM (#41016671) Homepage Journal

    They would know.

  • by wiredmikey (1824622) on Thursday August 16, 2012 @05:25PM (#41016987) Homepage

    This alert is actually not very new and dates back to July. ICS-CERT re-releases things all the time in order to update small things and be sure people see an update, no matter how minor. Here is the original that came out in July:

    http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-195-01.pdf [us-cert.gov] -- It's pretty much identical from what I can see.

  • I like the description: "This system is stuck in the 90s. We didn't even bother looking at the ActiveX stuff."

    All I could think of was that Next Gen' episode where an old Klingon ship timewarps from the past:

    Picard: Data, is there any way we can see through their cloaking device?
    Data: Cloaking devices of the time were leaky in the gamma range.
    Picard: Good. Make it our ho.

  • 'Extract the zip file [niagara-central.com] to the "modules" directory of the Niagara AX installation on your PC or laptop. (Ex. C:\Niagara\Niagara-3.6.47\modules)'.

    Java running under Windows .. enough said ...
  • by ThatsNotPudding (1045640) on Friday August 17, 2012 @07:39AM (#41022099)
    Running on or exposing industrial software to the Internet in any way, shape, or form should be an automatic 20-year stay in PMITA prison. Stop putting the laziness of PHB ingrates ahead of common sense and safety.
  • Well, imagine what this Slashdot article and discussion thread would be like, if Tridium was China based, instead of operating out of Richmond, VA...
