Bugs in AREVA software open door to remote unauthorized access

Feb 6, 2009 10:50 GMT

The world's power distribution networks are put at risk again by more vulnerabilities discovered in Supervisory Control And Data Acquisition (SCADA) software. Multiple flaws found in the AREVA e-terrahabitat application allow a remote attacker to launch denial-of-service attacks or to obtain elevated privileges on the energy management systems.

According to its website, AREVA Group is a "world energy expert, [that] offers its customers technological solutions for highly reliable nuclear power generation and electricity transmission and distribution," with a net income of €743 million (close to $1 billion) in 2007. Its AREVA T&D division develops the e-terraplatform and e-terrahabitat software products, which are used for real-time energy management systems.

The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory documenting no fewer than five vulnerabilities in this SCADA software package, identified as CVE-2009-0210, CVE-2009-0211, CVE-2009-0212, CVE-2009-0213 and CVE-2009-0214. The flaws affect software versions 5.7 and earlier, and the developer has released a security patch to address them.

Three of the bugs can cause vulnerable systems to crash, one stems from a buffer overflow, and the remaining one, the most serious, can allow an attacker to remotely execute arbitrary code and commands. In addition to applying the patch, US-CERT recommends implementing strong network perimeter access controls. The team also notes that customers can deploy custom signatures for the Snort network intrusion detection system, which were developed by AREVA in collaboration with the US Department of Homeland Security (DHS).

The developer credits Idaho National Labs and the Department of Homeland Security Control Systems Security Program (DHS CSSP), as well as Eyal Udassin and Jonathan Afek from C4 Security, with the discovery of these flaws. C4 Security is a company specializing in SCADA vulnerability research, and its researchers discovered and documented three of the five e-terrahabitat flaws.

We previously reported a buffer overflow vulnerability in the ABB PCU400 server software, which provides a communication interface between the electrical grid SCADA server and remote network terminals. That flaw was also discovered by a C4 Security researcher and allowed an attacker to gain control over the networked terminals by sending a maliciously crafted TCP packet to the PCU400 server.

SCADA vendors tend to downplay such vulnerabilities, because devices running this software are theoretically never supposed to be connected to the Internet and thus should not be reachable from remote locations. However, experts argue that because the devices are linked to computers on local networks, which also contain systems that are connected to the Internet, an attacker could first compromise a machine on the local network and then pivot from it to attack a SCADA system.

In September 2008, security researcher Kevin Finisterre released a working exploit for a vulnerability in SCADA software known as CitectSCADA, which is used to control industrial machinery. He explained that he published the exploit to raise awareness of the dangers of downplaying vulnerabilities found in such critical systems, which is what Citect had done in its published advisory.