Metasploit and SCADA Exploits: Dawn of a New Era?

Thursday, November 04, 2010

shawn merdinger


On 18 October, 2010 a significant event occurred concerning threats to SCADA.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.

Some striking facts about this event follow:

1.  This was a zero-day vulnerability that unfortunately was not reported publicly, to an organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.

2.  This exploit was not added to the public Exploit-DB site until 27 October, 2011.

3.  The existence of this exploit was not acknowledged with an ICS-CERT advisory until 1 November, 2010.

4.  This is the first SCADA exploit added to Metasploit.

So what are the lessons learned and takeaways from this seminal event?

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future. 

Personally, I expect we will see in the next 12 months at least a doubling of the known 16 SCADA vulnerabilities documented in NIST’s National Vulnerability Database.

Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWin buffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues.  Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives. 

I expect SCADA security issues will be the shiny hot topic on the 2011 security and hacker conference circuit, both in the US and abroad.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities. 

Often, there is no security point-of-contact at the vendor.  Even worse, the technical support staff who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

And it is worth mentioning that a vendor acknowledging a product security issue is then “on the hook” — so there is incentive for the vendor to dismiss the vulnerability report.

Even in the case of specialty SCADA security shops reporting vulnerabilities to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical researchers.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-related exploits into a powerful tool.

For a kinetic metaphor, Metasploit is akin to a .50 caliber sniper rifle, and a zero-day SCADA vulnerability is equivalent to a .50 caliber depleted uranium round for that rifle.

As a SCADA end user, what are you to do?

I recommend the following, at a minimum:

1.  Push your vendors to have a product security POC and process.

2.  Monitor resources like SCADASEC.

3.  Keep current with tools like Metasploit.

4.  Receive vulnerability notifications from appropriate CERT organizations like ICS-CERT.

shawn merdinger Update: arguably the RealWin exploit is not the first SCADA module in VxWorks. CITECT was an unincorporated MSF module, and the VxWorks modules are related to SCADA.

Thanks to HDM for setting me straight on this.

shawn merdinger Update: This vulnerability and exploit was published 26 September, 2008.

Also, DigitalBond has an IDS signature published in September, 2008 for this exploit:

shawn merdinger Update: This vulnerability "DATAC RealWin SCADA 1.06 Buffer Overflow Exploit" and the vulnerability in September, 2008 "DATAC RealWin SCADA Software PreAuth" do _seem_ to differ. Further verification is needed.

A good point however is questioning what the vendor has learned...
shawn merdinger Author update here.

Some folks have helpfully pointed out some issues to me about this blog post. If you are interested in the specifics, please see the SCADASEC mailing list archives here:

Patrick Webster Just thought I'd mention that I've gone ahead and added the Citect SCADA exploit module to the official Metasploit Framework a few days ago. It was on my to-do list from a year ago but got lost in my Inbox :)
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.