CitectSCADA Buffer Overflow Vulnerability
CORE Security has posted an alert on a vulnerability in the CitectSCADA product that allows remote attackers to execute a buffer overflow against their ODBC service. The CitectSCADA product is used to collect information from SCADA devices and provide an interface to manage those underlying devices. You can get an idea where CitectSCADA fits in the overall scheme of a SCADA system by taking a look at their product page. Basically, the CitectSCADA product monitors and manages the hardware, and this vulnerability in the worst-case scenario could be used to shutdown or takeover such hardware. This vulnerability also affects CitectFacilities as well. Latest versions of both software packages are vulnerable.
The main mitigating factor of this vulnerability is that such systems should not be connected to corporate networks nor the internet. Citect certainly recommends that these services be on a contained network, and that makes sense for most systems of this type. In the case of a system that is plugged into a "live" or accessible network, an attacker would still need to connect to the TCP port that managed the ODBC service. Firewalls and/or ACLs would prevent such attacks as well (the best firewall being an air gap, of course. ;) The last mitigating step is to turn off the ODBC service if it is not used in an environment.
Assuming that a remote attack could reach out and touch the service, they could perform a buffer overflow attack without authentication. At this time, a patch does not appear to be available, nor is there a statement on Citect's website that I have found. According to press reports, a patch was available last week and the vulnerability has been known by Citect for five months. There is no information about how many have applied the patch, but of course, if you run these systems, patch them.
COMMENTARY: Buffer overflows are well known and there are many tools to help software developers find them in an automated fashion. I have a hard time giving Citect the benefit of the doubt in this especially with the stakes so high in SCADA systems. There is no reason such a vulnerability make it out the door into production.
--
John Bambenek / bambenek \at\ gmail |dot| com
Comments