An exploit for a vulnerability in a popular SCADA software is out for grabs

Sep 10, 2008 13:50 GMT  ·  By

Security researcher Kevin Finisterre has released a working exploit for a vulnerability discovered in June in the CitectSCADA software, which many companies use to control industrial machinery. This poses a threat to vital strategic facilities such as power and water distribution plants or oil and gas refineries, to name a few. The threat is even greater because the exploit was made available as a module for the popular hacking framework Metasploit, which makes it usable by less technical individuals as well.

SCADA stands for Supervisory Control And Data Acquisition and refers to computerized systems that monitor and control processes such as manufacturing, production and power generation in a facility. There is a general belief that the software running such systems is less prone to security risks, mainly because it is custom built and has less exposure to the hacking community, since it is only sold to large companies and institutions. However, for the past few years, in order to reduce costs, companies that develop such software have started building it on top of more mainstream operating systems.

Kevin Finisterre is the director of penetration testing at security company Netragard and he chose to release this exploit in order to raise awareness about the security risks that exist in such computerized systems because, according to him, "these vendors are not being held responsible for the software that they're producing," and that "they're telling their customers that there is no problem, meanwhile this software is running critical infrastructure".

Sebastián Muñiz from the Core IMPACT Exploit Writers Team (EWT) at Core Security Technologies is credited with discovering the stack-based buffer overflow vulnerability in the CitectSCADA software back in June. The vulnerability resides in the ODBC service and is exploitable both remotely and locally. Successful exploitation results in a denial of service (DoS) or remote code execution, which could compromise the entire system. Clearly, such a scenario can have disastrous consequences if it occurs on the systems of a strategic facility.
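The defect class described above, an attacker-controlled length driving a copy into a fixed-size stack buffer in a network-facing service, is easy to recognise in code review once you know the shape. The following is an added illustration written for this article, not Citect's code and not the Core advisory's details: a constructed, length-prefixed request format and a toy parser are assumed, with the unchecked version beside a hardened one that validates the wire length against both the received message and the destination buffer before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy protocol (an assumption for this example, not a real
 * SCADA or ODBC wire format): a request is [2-byte big-endian length]
 * followed by that many bytes of a tag name. */
#define MAX_NAME 64

/* Defect pattern: the length claimed by the remote peer is trusted and
 * drives memcpy into a fixed stack buffer. A claimed length larger than
 * MAX_NAME overruns `name` on the stack. Shown only for contrast; the
 * demo below never calls it. */
void parse_request_unchecked(const uint8_t *msg, size_t msg_len)
{
    char name[MAX_NAME];
    if (msg_len < 2)
        return;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    memcpy(name, msg + 2, claimed);   /* BUG: no bound against MAX_NAME or msg_len */
    name[claimed] = '\0';             /* BUG: may write past the buffer too */
    printf("unchecked parse: %s\n", name);
}

/* Hardened form: every length derived from the network is checked
 * against what was actually received and against the caller's buffer.
 * Returns 0 on success and -1 on any malformed or oversized request. */
int parse_request_checked(const uint8_t *msg, size_t msg_len,
                          char *out, size_t out_len)
{
    if (msg == NULL || out == NULL || out_len == 0)
        return -1;
    if (msg_len < 2)                 /* header truncated */
        return -1;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > msg_len - 2)       /* claims more bytes than were received */
        return -1;
    if (claimed >= out_len)          /* would not leave room for the NUL */
        return -1;
    memcpy(out, msg + 2, claimed);
    out[claimed] = '\0';
    return 0;
}

/* Builds a message whose header claims `claimed` bytes and whose body
 * really contains `body_len` bytes of 'A'. Returns the total length or 0
 * if `buf` is too small. Used to exercise the checks above. */
size_t build_request(uint8_t *buf, size_t buf_len,
                     uint16_t claimed, size_t body_len)
{
    if (buf_len < 2 + body_len)
        return 0;
    buf[0] = (uint8_t)(claimed >> 8);
    buf[1] = (uint8_t)(claimed & 0xFF);
    memset(buf + 2, 'A', body_len);
    return 2 + body_len;
}

int main(void)
{
    char out[MAX_NAME];
    uint8_t msg[512];
    size_t n;

    /* Well-formed request: 5-byte body, header agrees. */
    n = build_request(msg, sizeof msg, 5, 5);
    printf("well-formed  -> %d\n", parse_request_checked(msg, n, out, sizeof out));

    /* Header lies: claims 65535 bytes, only 1 byte actually present. */
    n = build_request(msg, sizeof msg, 0xFFFF, 1);
    printf("lying header -> %d\n", parse_request_checked(msg, n, out, sizeof out));

    /* Consistent but too big: 300 bytes really sent, destination holds 64. */
    n = build_request(msg, sizeof msg, 300, 300);
    printf("oversized    -> %d\n", parse_request_checked(msg, n, out, sizeof out));
    return 0;
}
```

The second and third cases are the ones the unchecked parser gets wrong: the first would copy far past the end of the received message, the second would write 300 bytes into a 64-byte stack buffer. Both are rejected before any copy happens in the hardened version, which is the property a reviewer should look for in any service that parses length fields from the network.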

The Australia-based company Citect released a patch when the vulnerability was discovered, but downplayed the risks, saying that none of its customers had reported any incident, most likely because exploitation requires the system to be connected to the Internet without firewall protection, and that such systems should generally not have an Internet connection at all, unless by mistake.

This prompted Finisterre to write in his paper that "in reality, I would be willing to wager a small fortune that most of the folks that received the Citect advisory were not inspired to take immediate action" and to continue by pointing out that "no one should be more knowledgeable about a software product than the vendor, so if the vendor pulls an Alfred E. Neuman and says 'What, me worry?' you can rest assured the userbase will do the same". In response to Finisterre's release of the exploit, Citect has posted a media statement in which it encourages all customers that have not yet patched their systems to contact the company's support service and ask for assistance.