Writing ICS Vulnerability Analysis

Transcript
Page 1: Writing ICS Vulnerability Analysis

At Least Pretend You Care: Writing ICS Vulnerability Analysis

Sean McBride, S4 2014

Page 2: Writing ICS Vulnerability Analysis

Will you be my BFF?

Page 3: Writing ICS Vulnerability Analysis

We need Analysts – Badly!

Page 4: Writing ICS Vulnerability Analysis

Disclaimer

• Conducted analysis of nearly 900 public ICS-specific vulnerabilities
  – Constantly updating analytical approach and template
• Examples are only representative of issues
• If you don’t get named, it doesn’t mean you don’t need to improve

Page 5: Writing ICS Vulnerability Analysis

What we are dealing with

(Funnel diagram: Vulnerabilities → Discovered Vulns → Disclosed → Public)

Page 6: Writing ICS Vulnerability Analysis

CI total counts by Quarter (chart)

Page 7: Writing ICS Vulnerability Analysis

By Repository (chart)

Page 8: Writing ICS Vulnerability Analysis
Page 9: Writing ICS Vulnerability Analysis

Leading Vendors

Vendor      Vulns   Patches   Patch %   Exploits
Siemens       99       73       73%        16
Rockwell      49       27       55%         5
Schneider     44       20       45%        11
ICONICS       30       25       83%        17
RuggedCom     25       24       96%         2
GE IP         25       18       72%         4

Based on empirical evidence.

Page 10: Writing ICS Vulnerability Analysis

To whom are you telling what, when, why?

(Diagram: audiences ranging from Disclosed to Public)

Owner/Operators – ICS engineers, ICS compliance personnel, ICS security analysts, IT security analysts

Engineer/Integration firms – Integrators, Support/maintenance

Media – Reporters, Bloggers

Security Industry – Intelligence firms, ISACs, Gov agencies

Potential Adversaries – Activists/hacktivists, Malicious insiders, Nation states

Focus: Public

Page 11: Writing ICS Vulnerability Analysis

Golden Question

• How could that vulnerability affect the controlled process?
• We can’t get that answer without:
  – Analytical expertise (IT, Infosec & ICS fields)
  – Accurate, reliable, consistent communications

Page 12: Writing ICS Vulnerability Analysis

Example 1 (Sep. 2013)

Schneider Electric was notified and is responding to a vulnerability in the MiCOM S1 Studio Software product. This software utility is used to configure and maintain electronic protective relays.

Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities.

Page 13: Writing ICS Vulnerability Analysis

Example 1 (same advisory)

During install, Read/Write access by any user is permitted to MiCOM S1 Studio executables in the Program Files directory. This condition persists after installation. As a result of this access, the configuration files and the Windows service used by the program can be manipulated or modified by any user with local computer access.

Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities. The installation routine of MiCOM 1 Studio V4.0.1 provides digital signature to all files related to the use of MiCOM S1 Studio: Digital signature indicates [to] operating systems and user that the libraries/executables are from Schneider Electric (Trusted source).

Page 14: Writing ICS Vulnerability Analysis

Example 2 (Apr. 2013)

537599 - FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based Security identified vulnerabilities that affect a software component of the FactoryTalk Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise software (LogReceiver.exe and Logger.dll).

Page 15: Writing ICS Vulnerability Analysis

Example 2 (same advisory)

• A specially crafted packet sent to TCP port 5241 will result in a crash of the RsvcHost.exe service. A successful attack will result in the following:
  – Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
  – Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe diagnostic service.

• When successfully exploited, the vulnerability will cause the thread receiving data to exit, resulting in the service silently ignoring further incoming requests. A successful attack will result in two respective conditions:
  – Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
  – Crash condition that disrupts further execution of the LogReceiver.exe

Page 16: Writing ICS Vulnerability Analysis

• ICSA-13-095-02, issued April 5, 2013:
  – CVE-2012-4695
  – CVE-2012-4713
  – CVE-2012-4714
  – CVE-2012-4715

Page 17: Writing ICS Vulnerability Analysis

INTEGER OVERFLOW – NEGATIVE INTEGER (CVE-2012-4713)
The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and cannot allocate a negative integer. By sending a negative integer input to the service over Port 4445/UDP…

INTEGER OVERFLOW – OVERSIZED INTEGER (CVE-2012-4714) …

IMPROPER EXCEPTION HANDLING (CVE-2012-4695) …

OUT-OF-BOUNDS READ (CVE-2013-2805) …

INTEGER OVERFLOW (CVE-2013-2807) …

INTEGER OVERFLOW (CVE-2013-2806) …

Page 18: Writing ICS Vulnerability Analysis

• What about CVE-2012-4715??
• Apparently it was a repeat of CVE-2012-4695
• How did that happen?

Page 19: Writing ICS Vulnerability Analysis

More Analysis

• Reveals more problems

Page 20: Writing ICS Vulnerability Analysis

Lessons

• Don’t be tricky – customer relationships are about TRUST
• As much as possible: 1 advisory for 1 vulnerability
• Each vulnerability needs a unique identifier
• Specify what patch corresponds to what vuln
  – One patch can still fix many vulns

Page 21: Writing ICS Vulnerability Analysis

Kudos

Page 22: Writing ICS Vulnerability Analysis

Bug finders

• Limited experience with deployed ICS
• Downloaded free software/got access to this device…
• Did XYZ to it… It crashed…

Researcher              Number disclosed
Luigi Auriemma*               130
GLEG*                          47
Positive Technologies          36
Rios & McCorkle                34
Kuang-Chun Hung                28

* own-terms disclosure

Page 23: Writing ICS Vulnerability Analysis

Example 3

From Luigi Auriemma (2010):
"RealWin is a SCADA server package for medium / small applications."
The service of the server running on port 912 is vulnerable to a stack-based buffer overflow caused by the usage of sprintf() for building a particular string with the data supplied by the attacker

Page 24: Writing ICS Vulnerability Analysis

Example 4

From Blake, posted to Exploit DB (September 2013):
<title>Mitsubishi MC-WorkX Suite Insecure ActiveX Control (IcoLaunch)</title> <p>This proof of concept will launch an arbitrary executable when the Login Client button is clicked. An attacker could use this to have the victim launch malicious code from a remote share.

Page 25: Writing ICS Vulnerability Analysis

Lessons

• Researchers don’t offer much ICS context
  – Working with Critical Intelligence or ICS-CERT, or other analytical organization might provide this
  – Working with experienced ICS professionals can provide this
• Researchers can give great technical detail
  – Tech detail may be stripped from coordinated disclosures
  – Critical Intelligence calls/emails researchers all the time for more info

Page 26: Writing ICS Vulnerability Analysis

Example 5

• Four vulns disclosed by Arthur Gervais at S4 2013
• ICS-CERT (March) update: “Two of the vulnerabilities initially reported have been determined not to be valid”
• By whom? Not Arthur!

Page 27: Writing ICS Vulnerability Analysis

Buy or Borrow?

• ICS-CERT
  – 3 of 6 “missions” deal with vulnerabilities
  – Alerts/advisories from 91 vendors
  – 82 vendors do not write their own

Page 28: Writing ICS Vulnerability Analysis

Good on them

• Handled 100s of vuln disclosures
• Provide some context
• Reliance on CWE
• Responsive to inquiries
• Moved to a Web format instead of PDF – way easier

Page 29: Writing ICS Vulnerability Analysis

Timing

• HSIN
  – ICS-CERT compartment
  – US citizen ICS owner/operators with “need to know”
  – Early notice on certain advisories

Page 30: Writing ICS Vulnerability Analysis

Example 6

Page 31: Writing ICS Vulnerability Analysis

Example 7

January 2014 Advisory

Affected Products
-------------------
The following [Vendor] versions are affected:
• All versions released prior to December 1, 2013,
• [Vendor Product Number] (Firmware from 2010), and
• [Vendor Product Number] (Latest Firmware).

Page 32: Writing ICS Vulnerability Analysis

Example 8

ICSA-13-219-01 (August 2013)
The RTAC master device can be sent into an infinite loop by sending a specially crafted TCP packet from the master station on an IP-based network

CVE-2013-2792: IP-based version
CVE-2013-2798: Serial version

Missing ICS understanding…

Page 33: Writing ICS Vulnerability Analysis

Lessons

• Give a balanced voice between researcher/vendor
• Rethink ICS-CERT HSIN compartment
• Err on the side of too much detail rather than too little (not asking for PoC/exploit)
• Have someone proofread/sanity check

Page 34: Writing ICS Vulnerability Analysis

Summary

1. At least pretend you care!
2. Who you gonna tell what, when and why?
3. Create, validate, use a template
4. Hire someone who knows and cares about security (and ICS) and make them responsible
5. Conduct analysis
6. Proofread/sanity check
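As an added example (not part of the talk), the lessons above turned into a checker for a structured advisory record: one vulnerability per advisory, a unique identifier per entry, a patch mapped to each entry, an answer to the golden question, concrete affected versions, and a warning when two entries look like the same issue (the shape of the CVE-2012-4715 repeat). The record fields, CWE values, component names and sample data are assumptions constructed for the example.

```python
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Phrases that leave readers unable to tell whether their own version is affected (cf. Example 7)
VAGUE_VERSION = re.compile(r"\b(all versions|latest|prior to)\b", re.IGNORECASE)


def check_advisory(adv: dict) -> list:
    """Return the template violations found in one advisory record (empty list = clean)."""
    problems = []
    vulns = adv.get("vulnerabilities", [])
    if len(vulns) != 1:
        problems.append(f"{len(vulns)} vulns in one advisory; aim for 1 advisory per vuln")
    seen_ids, seen_shape = set(), {}
    for v in vulns:
        cve = v.get("id") or "<no id>"
        if not CVE_RE.match(cve):
            problems.append(f"missing or malformed identifier: {cve}")
        elif cve in seen_ids:
            problems.append(f"identifier {cve} used twice")
        seen_ids.add(cve)
        # Same weakness class in the same component is the usual shape of a duplicated entry
        shape = (v.get("cwe"), v.get("component"))
        if shape in seen_shape:
            problems.append(f"{cve} looks like a repeat of {seen_shape[shape]} ({shape[0]} in {shape[1]})")
        seen_shape.setdefault(shape, cve)
        if not v.get("patch"):
            problems.append(f"{cve}: no patch or mitigation mapped to this vuln")
        if not v.get("process_impact"):
            problems.append(f"{cve}: no statement of how the controlled process could be affected")
    versions = adv.get("affected_versions", [])
    if not versions:
        problems.append("no affected versions listed")
    for ver in versions:
        if VAGUE_VERSION.search(ver):
            problems.append(f"vague affected-version statement: {ver!r}")
    return problems


# Constructed samples (identifiers, components and versions are placeholders, not real advisories)
SAMPLE_BAD = {
    "affected_versions": ["All versions released prior to December 1, 2013"],
    "vulnerabilities": [
        {"id": "CVE-2000-0001", "cwe": "CWE-755", "component": "diag.dll", "patch": "ExampleHMI 4.0.1"},
        {"id": "CVE-2000-0002", "cwe": "CWE-755", "component": "diag.dll"},
    ],
}
SAMPLE_GOOD = {
    "affected_versions": ["ExampleHMI 4.0.0 and earlier"],
    "vulnerabilities": [{"id": "CVE-2000-0003", "cwe": "CWE-121", "component": "svc.exe", "patch": "ExampleHMI 4.0.1",
                         "process_impact": "diagnostics service crashes; control loop keeps running"}],
}
```

Running `check_advisory(SAMPLE_BAD)` reports six findings, including the probable repeat entry and the vague version range; `SAMPLE_GOOD` reports none.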

Page 35: Writing ICS Vulnerability Analysis

Will you be my BFF?

Page 36: Writing ICS Vulnerability Analysis

Image Credits

• Slide 1: PikiWiki Israel 10402 Environment of Israel.JPG; דניאל אורי; Creative Commons Attribution 2.5 Generic license; http://commons.wikimedia.org/wiki/File:PikiWiki_Israel_10402_Environment_of_Israel.JPG

• Slide 11: Panning; Murdoch, George G.; http://commons.wikimedia.org/wiki/File:Panning2.jpg

• Slide 29: One Canada Square, Canary Wharf; Garry Knight; Creative Commons Attribution-Share Alike 2.0 Generic; http://commons.wikimedia.org/wiki/File:One_Canada_Square,_Canary_Wharf.jpg