Researchers claim that many SCADA vulnerabilities are easy to find

Nov 26, 2012 16:16 GMT
Exodus Intelligence expert finds 23 vulnerabilities in popular SCADA systems

Last week we learned that a new research company called ReVuln was showcasing some vulnerabilities they found in several SCADA systems. However, they didn’t disclose their details to ICS-CERT or the vendors, instead planning to sell them privately to their customers.

These days, security researchers seem to have taken two different paths. Some prefer to disclose the vulnerabilities they find, while others prefer not to and instead sell them to governments or organizations that pay big money for them.

Aaron Portnoy, VP of research and the founder of Exodus Intelligence, is among the researchers who believe that the best way for experts to contribute to a secure cyberspace is by properly disclosing security holes to CERTs or the affected companies.

As a result, after learning that ReVuln identified several vulnerabilities in the SCADA systems of companies such as Siemens, Schneider Electric and General Electric, Portnoy decided to try to identify some of the flaws himself and properly report them.

In total, he has managed to identify 23 security holes in systems developed by Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton Corporation. Many of the vulnerabilities could be leveraged by a remote attacker to execute arbitrary code or cause a denial-of-service condition.

In Eaton Corporation products, he has found bugs that can be exploited to download, delete and upload/overwrite arbitrary files.

“For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself,” the expert explained in a blog post.

While it’s uncertain if the issues he has identified are the same ones found by ReVuln, Portnoy hopes that at least some of them are.

The researcher plans on asking ICS-CERT to establish a repository of SCADA programs that could be audited by experts who are interested in focusing their efforts on such pieces of software.