SCADA Security Vulnerability Released to Public

  • Thread starter Michael Griffin

There is a story in the IT news about a security vulnerability in Citect that has been made public. If anyone is using an affected system, they might want to review their SCADA security systems.

http://www.theregister.co.uk/2008/09/08/scada_exploit_released/

The article states: "The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA..."

It describes the security vulnerability as: "a classic stack-based buffer overflow. By default, a server component of CitectSCADA known as ODBC, or Open Database Connectivity, monitors TCP/IP networks for client requests. Attackers can gain control by modifying the size of the packets sent to the system."

The paper that forms the basis of the story is at: http://www.milw0rm.com/papers/221

It describes the problem as: "A vulnerability was found in CitectSCADA that could allow a remote un-authenticated attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete control of the software." (...) "In essence an attacker is given access to a command prompt with the privileges of the currently running Citect process. This method and technique is similar across all versions of Windows..."

A lot of SCADA systems use (or can use) ODBC. It is not clear from the report whether the vulnerability is in code that Citect wrote, or whether it was in a third party (i.e. from Microsoft) library. If the latter, then other SCADA systems may be vulnerable to the same problem. The description seems to imply that the problem is in the code that receives the ODBC connection, which raises the possibility that the problem is widespread.
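As an added illustration (not from the thread, the article, or Citect), here is the bug class the quoted description names, a packet length field trusted when copying network data into a fixed stack buffer, placed beside the bounds-checked form a defender would want to see. The two-byte length-prefixed request format, the sample packets and all function names are hypothetical; the thread does not describe the real ODBC wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical request format: a 2-byte big-endian length
 * followed by that many payload bytes. This is NOT the CitectSCADA ODBC
 * wire format, which the thread does not describe. */
#define MAX_PAYLOAD 64

/* Vulnerable pattern: the attacker-controlled length is trusted and
 * drives a copy into a fixed stack buffer, i.e. a classic stack-based
 * buffer overflow. For contrast only; never call with untrusted input. */
int handle_request_vulnerable(const uint8_t *pkt, size_t pkt_len) {
    char payload[MAX_PAYLOAD];
    if (pkt_len < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(payload, pkt + 2, len);          /* len is never bounded */
    return (int)len;
}

/* Hardened pattern: the length is checked against both the destination
 * size and the bytes actually received before any copy happens. */
int handle_request_hardened(const uint8_t *pkt, size_t pkt_len,
                            char *out, size_t out_sz) {
    if (pkt_len < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > out_sz) return -1;            /* would overrun the buffer */
    if (len > pkt_len - 2) return -1;       /* header claims more than was sent */
    memcpy(out, pkt + 2, len);
    return (int)len;
}

/* Constructed sample packets: one well-formed, one whose header claims
 * 65535 payload bytes while carrying three, and one that is truncated. */
static const uint8_t PKT_GOOD[]      = {0x00, 0x05, 'H', 'e', 'l', 'l', 'o'};
static const uint8_t PKT_OVERSIZED[] = {0xFF, 0xFF, 'A', 'A', 'A'};
static const uint8_t PKT_SHORT[]     = {0x00, 0x10, 'x', 'y'};
int run_hardened(const uint8_t *pkt, size_t pkt_len) {
    char buf[MAX_PAYLOAD];
    return handle_request_hardened(pkt, pkt_len, buf, sizeof buf);
}
int check_good(void)      { return run_hardened(PKT_GOOD, sizeof PKT_GOOD); }
int check_oversized(void) { return run_hardened(PKT_OVERSIZED, sizeof PKT_OVERSIZED); }
int check_short(void)     { return run_hardened(PKT_SHORT, sizeof PKT_SHORT); }
int main(void) {
    printf("good=%d oversized=%d short=%d\n",
           check_good(), check_oversized(), check_short());   /* 5 -1 -1 */
    return 0;
}
```

The hardened handler rejects both a header that exceeds the destination buffer and one that claims more bytes than the socket actually delivered, which is the check the quoted "modifying the size of the packets" wording implies was missing.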