Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 8th, 2008

CitectSCADA ODBC Service Exploit Published, Computerized Control Systems In Critical Facilities Are Vulnerable

Supervisory Control And Data Acquisition (SCADA) systems buffer overflow vulnerability was discovered in June by CORE. It affects the CitectSCADA product and could allow a remote unauthenticated attacker to force DoS or to execute arbitrary code on vulnerable systems. This weekend, Kevin Finisterre, the director of penetration testing at security firm Netragard, has published a working exploit in the form of a Metasploit (MSF) module that demonstrates how critical this vulnerability against the ODBC service is.

Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems might became more vulnerable to tampering or sabotage with the release of this attack code, since it exploits a security flaw in a widely used piece of software.

The exploit code attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.

Kevin Finisterre said that he decided to release the code following conflicting statements by Citect about the severity of the flaw. As a result, he said, organizations that use CitectSCADA were confused about whether they were truly vulnerable. Finisterre provided a detailed description of the bug, which he described as a “classic stack-based buffer overflow.” By default, a server component of CitectSCADA known as ODBC, or Open Database Connectivity, monitors TCP/IP networks for client requests. Attackers can gain control by modifying the size of the packets sent to the system.

A core tenet among system administrators of such systems is that remote terminal units and other critical industrial controls should never be exposed to the internet. In reality, however, there are frequently numerous ways unauthorized people can gain access to those controls.

Two of the more common means for gaining unauthorized control include wireless access points and internet-facing controls designed to save organizations money by allowing employees remote access, according to Core Security, which discovered the bug early this year.

The public exploit is just the latest chapter in a growing body of research revealing the risks of using SCADA systems. In May, Core warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down. That same month, US lawmakers lambasted the organization that oversees the North American electrical grid. A UK government minister sounded a similar alarm in that country last month.

Given the increased reliance of SCADA systems – and the confusion that frequently surrounds security advisories – Finisterre said it’s crucial white-hat penetration testers have a full chest of tools at their disposal for detecting and fixing vulnerabilities in the systems.

Share this item with others:

More on CyberInsecure:
  • Critical 0-day Vulnerability In Internet Explorer 6 And 7, Exploit Already Published
  • Microsoft Releases Emergency Patch For Critical Windows Vulnerability
  • Exploit Targeting Corporate Computer Associates Users
  • Trend Micro Releases Update For HouseCall Due To Vulnerable ActiveX Control
  • RealPlayer Vulnerability Exploited In The Wild

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: CitectSCADA ODBC Service Exploit Published, Computerized Control Systems In Critical Facilities Are Vulnerable

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.