LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for January 8, 2009

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Security

SCADA system vulnerabilities

By Jake Edge
June 11, 2008

Core Security released a security advisory on 11 June that details a fairly pedestrian stack-based buffer overflow vulnerability. This is similar to hundreds or thousands of this kind of flaw reported over the years except for one thing: it was found in large industrial control systems for things like power and water utility companies. That there is a vulnerability is not surprising—there are certainly many more—but it does give one pause about the dangers of connecting these systems to the internet.

The bug was found in a Supervisory Control and Data Acquisition—better known as SCADA—system and could be exploited to execute arbitrary code. Given that SCADA systems run much of the world's infrastructure, an exploit of a vulnerable system could have severe repercussions. The customers of Citect, the company that makes the affected systems, include "organizations in the aerospace, food, manufacturing, oil and gas, and public utilities industries."

Makers of SCADA systems nearly uniformly tell their customers to keep those systems isolated from the internet. But as Core observes: "the reality is that many organizations do have their process control networks accessible from wireless and wired corporate data networks that are in turn exposed to public networks such as the Internet." So, the potential for a random internet bad guy to take control of these systems does exist.

None of that should be particularly surprising when you stop to think about it, but it is worrying. Many SCADA systems—along with various other control systems—were designed and developed long before the internet started reaching homes and offices everywhere. They were designed for "friendly" environments, with little or no change for the hostile environment that characterizes today's internet. Also, as we have seen, security rarely gets the attention it deserves until some kind of ugly incident occurs.

Even for systems that were designed recently, there are undoubtedly vulnerabilities, so it is a bit hard to believe that they might be internet-connected. According to the advisory, though, SCADA makers do not necessarily require that the systems be physically isolated from the network, instead customers can "utilize technologies including firewalls to keep them protected from improper external communications."

Firewalls—along with other security techniques—do provide a measure of protection, but with the stakes so high, it would seem that more caution is required. It is probably convenient for SCADA users to be able to connect to other machines on the LAN, as well as to the internet, but with that convenience comes quite a risk. Even systems that are just locally connected could fall prey to a disgruntled employee exploiting a vulnerability to gain access to systems they normally wouldn't have.

One can envision all manner of havoc that could be wreaked by a malicious person (or government) who can take over the systems that control nuclear power plants, enormous gas pipelines, or some chunk of the power grid. Unfortunately, it will probably take an incident like that to force these industries into paying as much attention to their computer security as they do to their physical security.

Comments (5 posted)

New vulnerabilities

kernel: arbitrary code execution

Package(s):kernel CVE #(s):CVE-2008-1673
Created:June 9, 2008 Updated:November 14, 2008
Description:

From the Debian advisory:

Wei Wang from McAfee reported a potential heap overflow in the ASN.1 decode code that is used by the SNMP NAT and CIFS subsystem. Exploitation of this issue may lead to arbitrary code execution. This issue is not believed to be exploitable with the pre-built kernel images provided by Debian, but it might be an issue for custom images built from the Debian-provided source package.

Alerts:
Mandriva MDVSA-2008:174 2008-08-19
SuSE SUSE-SA:2008:038 2008-07-29
Ubuntu USN-625-1 2008-07-15
SuSE SUSE-SA:2008:035 2008-07-21
Fedora FEDORA-2008-5454 2008-06-20
Mandriva MDVSA-2008:113 2008-06-13
Fedora FEDORA-2008-5308 2008-06-12
rPath rPSA-2008-0189-1 2008-06-11
Debian DSA-1592-2 2008-06-09
Debian DSA-1592-1 2008-06-09
SuSE SUSE-SA:2008:044 2008-09-11
SuSE SUSE-SA:2008:047 2008-10-01
SuSE SUSE-SA:2008:048 2008-10-01
SuSE SUSE-SA:2008:049 2008-10-02
SuSE SUSE-SA:2008:052 2008-10-21
SuSE SUSE-SR:2008:025 2008-11-14

Comments (none posted)

kernel: arbitrary code execution

Package(s):kernel CVE #(s):CVE-2008-2358
Created:June 9, 2008 Updated:August 13, 2008
Description:

From the Debian advisory:

Brandon Edwards of McAfee Avert labs discovered an issue in the DCCP subsystem. Due to missing feature length checks it is possible to cause an overflow they may result in remote arbitrary code execution.

Alerts:
Mandriva MDVSA-2008:167 2008-08-12
Ubuntu USN-625-1 2008-07-15
Fedora FEDORA-2008-5893 2008-07-02
CentOS CESA-2008:0519 2008-06-26
Red Hat RHSA-2008:0519-01 2008-06-25
SuSE SUSE-SA:2008:030 2008-06-20
Mandriva MDVSA-2008:112 2007-06-12
Debian DSA-1592-2 2008-06-09
Debian DSA-1592-1 2008-06-09

Comments (none posted)

net-snmp: buffer overflow

Package(s):net-snmp CVE #(s):CVE-2008-2292
Created:June 11, 2008 Updated:December 4, 2008
Description: From the CVE entry: Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP).
Alerts:
SuSE SUSE-SA:2008:039 2008-08-01
Gentoo 200808-02 2008-08-06
Slackware SSA:2008-210-07 2008-07-29
Mandriva MDVSA-2008:118 2007-06-19
Fedora FEDORA-2008-5224 2008-06-11
Fedora FEDORA-2008-5218 2008-06-11
Debian DSA-1663-1 2008-11-09
Ubuntu USN-685-1 2008-12-03

Comments (none posted)

openoffice.org: integer overflow

Package(s):openoffice.org CVE #(s):CVE-2008-2152
Created:June 11, 2008 Updated:September 10, 2008
Description: OpenOffice.org has reported an integer overflow vulnerability in rtl_allocateMemory().
Alerts:
Mandriva MDVSA-2008:138-1 2008-07-11
Gentoo 200807-05 2008-07-09
Mandriva MDVSA-2008:137 2008-07-08
CentOS CESA-2008:0537 2008-06-27
CentOS CESA-2008:0538 2008-06-14
Red Hat RHSA-2008:0538-01 2008-06-12
Red Hat RHSA-2008:0537-01 2008-06-12
Fedora FEDORA-2008-5247 2008-06-11
Fedora FEDORA-2008-5239 2008-06-11
Fedora FEDORA-2008-5143 2008-06-11
Fedora FEDORA-2008-7531 2008-09-05

Comments (none posted)

snort: detection rules bypass

Package(s):snort CVE #(s):CVE-2008-1804
Created:June 6, 2008 Updated:June 11, 2008
Description: From the CVE entry: preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment.
Alerts:
Fedora FEDORA-2008-5045 2008-06-06
Fedora FEDORA-2008-5001 2008-06-06
Fedora FEDORA-2008-4986 2008-06-06

Comments (none posted)

tomcat: insufficient input sanitizing

Package(s):tomcat5.5 CVE #(s):CVE-2008-1947
Created:June 10, 2008 Updated:October 2, 2008
Description: From the Debian advisory: It was discovered that the Host Manager web application performed insufficient input sanitizing, which could lead to cross-site scripting.
Alerts:
SuSE SUSE-SR:2008:014 2008-07-04
Debian DSA-1593-1 2008-06-09
Red Hat RHSA-2008:0648-01 2008-08-27
CentOS CESA-2008:0648 2008-08-28
Mandriva MDVSA-2008:188 2008-09-05
Fedora FEDORA-2008-7977 2008-09-11
Fedora FEDORA-2008-8130 2008-09-16
Fedora FEDORA-2008-8113 2008-09-16
Red Hat RHSA-2008:0862-02 2008-10-02
Red Hat RHSA-2008:0864-02 2008-10-02

Comments (none posted)

ucd-snmp: possible spoof

Package(s):ucd-snmp CVE #(s):CVE-2008-0960
Created:June 10, 2008 Updated:December 4, 2008
Description: From the Red Hat advisory: A flaw was found in the way ucd-snmp checked an SNMPv3 packet's Keyed-Hash Message Authentication Code (HMAC). An attacker could use this flaw to spoof an authenticated SNMPv3 packet.
Alerts:
Gentoo 200808-02 2008-08-06
SuSE SUSE-SA:2008:039 2008-08-01
Slackware SSA:2008-210-07 2008-07-29
Mandriva MDVSA-2008:118 2007-06-19
Fedora FEDORA-2008-5224 2008-06-11
Fedora FEDORA-2008-5218 2008-06-11
Fedora FEDORA-2008-5215 2008-06-11
CentOS CESA-2008:0528:01 2008-06-11
CentOS CESA-2008:0529 2008-06-10
Red Hat RHSA-2008:0529-01 2008-06-10
Red Hat RHSA-2008:0528-01 2008-06-10
Debian DSA-1663-1 2008-11-09
Ubuntu USN-685-1 2008-12-03

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds