Industrial and Manufacturing CVEs: Addressing the SCADA in the Room

Author: Charles McFarland, Vulnerability Researcher in the Advanced Threat Research team at Trellix

The industrial and manufacturing spacesare critical to the global economy. They produce the goods and services we rely on every day, from food and clothing to cars and electronics. Disruptions to this space can have far-reaching effects as proven by recent COVID effects on the supply chain. Much like other sectors, they are targeted by cybercriminals for monetary or destructive purposes. However, few otherspaces command the breadth of purpose-built and custom devices necessary to functionas the industrial and manufacturing industries. These unique devices create an uncommon risk that must be assessed and understood to fully protect against incoming attacks.

Such attacks can have massive implications, as seenduring the Khuzestan Steel Co. attack in June 2022. Khuzestan Steel Co. and two other manufacturers were targeted to disrupt steel production, crippling services across Iran.The attackers who took credit for this attack go byGonjeshkeDarande or Predatory Sparrow. They did so by comprising the Industrial Control System (ICS) Siemens PCS7 Process Control System, manipulating the hydrogen gas density causing structuralintegrity and massive fires.

Figure 1: Image of Fire caused by the cyberattack posted by the hacking group.

Their ability to disrupt steel production is only half the story though. Notice this attack was enabled in part throughcompromising an ICS system, systems that are easily overlooked in a typical threat assessment.Most OS’s have routine patching cycles such as ‘Patch Tuesday’, and many major software packages have easy or automated patching mechanisms. On the other hand, ICS are typically not front-and-center like desktop software but are mounted somewhere within the facility – making them much more troublesome to update and patch regularly.This attack is just one example showing how the impact of ignoring such ICS systems can be catastrophic.

Assessing the Current Threat Landscape

 

In order to understand what risks are unique to industry and manufacturingour teamcurated 120different publicly disclosed vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) or ICS space.We specifically looked at those that were disclosed since the beginning of 2023, enablingus to narrow the focus on current systems that are in production or in planning for implementation. Some systems may in fact be older, but generally the approach had the intended effect.

There are two great sources of vulnerability information that the team used asprimary sources:

  • National Vulnerability Database (NVD)
  • ICS Advisories from CISA

We first used NVD for it’s simple-to-use search functionality. To ensure that we only had information relevant to industry and manufacturing,we filtered our results to only include instances of SCADA and then ICS.

Figure 2: The search function and filter from NVD

This filter is only a text matching filter, so the team then manually reviewed each result so that only the desired results remained. CISA Advisories have similar value, albeit more tailored. Again, not all ICS systems are typically found within the industry and manufacturing space so we manually reviewed each advisory to keep the results relevant.There is a lot of overlap between NVD and CISA Advisories;duplicates were removed leaving the examined vulnerabilities.

Results

Since there are a variety of different solutions within the space,weorganized the results into five main categories:

  1. Communication
  2. Device Management and Monitoring
  3. Facility Management
  4. Software
  5. Other

 

Figure 3: Breakdown of CVEs by high level device categories

By and large, the Software category takes up the largest percentage of disclosed CVEs at 38%. These CVEs are specifically comprised of software-only based solutions that do not lend themselves to other categories. The most prevalent technology within this category is asset tracking software used to manage goods, equipment, and/or personnel across the facility. HMI or Human-Machine Interface is also among the top contributors, representing the software used for a human to interact with a device, or to design such user interfaces. From aresearchperspective, it is easy to understand why software solutions have the most CVEs disclosed. They are typically easier for an attacker to understand and interact with – which makes them more straightforward targets for cybercriminals.

Device Management and Monitoring follows significantly behind at23% of disclosed CVEs. The majority of these are Device Management solutions, with 15 CVEs disclosed from a single vendor. The remaining CVEs are scattered among management of different devices such as industrial robots, PLCs, and automotive factory devices.One potential reason for so many disclosed CVEs in this category is that Device Management and Monitoring solutions inherently communicate to other devices. Exploiting communications leads to lateral movement making them a higher priority target.

The next category coming closely behind at 20% of disclosed CVEs was Facilities Management, which also included ‘Plant Management’ in this category for lack of a better grouping. The largest representative sub-category is access control with 11 CVEs, while plant automation only included 5 CVEs. Other more traditional sub-categories include HVAC management, energy management, access control, and remote management.Facility Managementhas gainedinterest among researchers in recent years, including Trellix with our access control research in 2022.

The Communication category covers devices that are purpose-built for communicating, with disclosed CVEs sitting at 13% of the total.Theseare nearly exclusively routers. The few exceptions are relays and a wireless communication framework. The wireless communication framework CVEs also happen to have public proof-of-conceptcode available, which was rare among other CVEs. In fact,we only discovered 3 other proof-of-concepts among the others.We did expect a higher representation from this category as network devices tend to get a lot ofscrutiny from both researchers and cyber criminals. It will be interesting to see if the remainder of the year sees similar results.

The Other category, composed of generic SCADA solutions for services like geolocations or telemetry that did not easily fit into another category, only accounts for 6% of disclosed CVEs.

Surprisingly however, the breadth of vulnerability types was quite large. We’ve based these categories on the standard Common Weakness Enumeration (CWE) but grouped similar ones for brevity. Not many could be grouped together easily. The remaining breadth is so large in fact that the 2nd largest category of vulnerability, Out-of-Bound Read, only took up 8% of the population. The largest,at 34%,was Authentication. This included lack of authentication, clear text storage of passwords, improper permissions, hard coded credentials, and similar issues.We’ve seen similar issues with authentication vulnerabilities in other spaces such as themedical industry. The differing vulnerability types often diverged into smaller groups of 1 or 2 representing less than 1% each. This is why the Other category is so large at 45% of the overall population.

Figure 4: This graph shows the breakdown of CVEs by Vulnerability Categories

A reasonable question is why are authentication issues so common in our findings? This is a difficult question to answer but we believe there are two major factors. The most straight forward factor is a there is a lack of priority for security and/or training among the developers of these devices. The developers are tasked with getting devices to communicate together, manage machinery, or other industrial tasks. If security is not prioritized appropriately,then even simple security measures can be overlooked. Another factor is that we see more authentication issues because it happens to be the first line of defense. When these systems get tested for vulnerabilities, authentication is usually the first defense to be challenged and therefore the most discovered.

 

Is the Industry and Manufacturing Space at Risk?

The short answer is yes, these systems are under threat and actively attacked.There have been some major attacks in the last few years indicating so. A prime example is the Khuzestan Steel Co. attack mentioned before which used ICS systems as part of its attack chain, which is strikingly similar to a 2014 attack against an unnamed German steel company also targeting ICS systems. Both examples resulted in physical damage to the facilities.

Some groups opt for more traditional attacks such as with ransomware as was the case in theColonial Pipeline attack of 2021.Manufacturing accounted for 12% of Ransomwarecampaignspublicly reported in 2022 from Trellix Advance Research Center’s 2023 Threat Report. We also found that the Industrial Good & Services accounted for 32% of the ‘leaks’ resulting from ransomware extortion.

In our analysis of CVEs,the team came across three publicly available proof-of-concept code basesrelated to CVEs publicly disclosed since 2023:

  • CVE-2022-46650 – CVSS score of 4.9 where an authenticated attacker can trick the server in disclosing the administrative password in clear text.
  • CVE-2022-46649 – CVSS score of 8.8 where an authenticated attacker can execute arbitrary shell command on the device.
  • CVE-2023-27394 – CVSS score of 9.8 where an unauthenticated attacker can execute arbitrary shell commands on the device.

The most concerning of the three is CVE-2023-27394, which impacts the Osprey Pump Controller, given that it’s unauthenticated. A quick review of the PoC code shows that it happens to be incredibly easy exploit as well.

$ curl -s http://TARGET/DataLogView.php?eventFileSelected=;id$ curl -s http://TARGET/EventsView.php?eventFileSelected=|id

$ curl -s http://TARGET/AlarmsView.php?eventFileSelected=`id`

 

Figure 5: Taken from the PoC code at https://packetstormsecurity.com/files/171181/Osprey-Pump-Controller-1.0.1-eventFileSelected-Command-Injection.html

Only one of these lines is required to start the exploit and then the attacker can execute arbitrary shell commandon the device. To help put in perspective how easy this vulnerability is to exploit, one can just look at the results from our recent Capture the Flag competition. Trellix provided an open competition requiring red teamers and researchers to use their hacking skills to solve challenges specifically designed to be authentic to real world scenarios.

Oureasiest challenge, with over 250 solves, required challengers to use the same techniques of the Osprey Pump exploit. This was the most solved challenges by a magnitude of 4, as seen in figure 6.CVE-2022-46649 also requires similar techniques but with a few more complications.For CVE-2023-27394 It’s the inclusion of special escape characters that allow the exploit to work. The parser erroneously treats the string past the escape character as a shell command. For CVE-2022-46649, it’s the exclusion of a character that enables an exploit to work. The parser attempts to remove the dangerous ‘-z’ flag but if you exclude a simple space,you can hide and execute a shell command.

Figure 6: Results from the Trellix CTF competition https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-hax-2023-capture-the-flag-results.html

So, what can you take from these findings? First and foremost, software-based solutions are the low-hanging fruit for vulnerability discovery. Fortunately, they are also easier to keep up to date in terms of versioning and patching. Ensure the business isusing automated patching if possible. Device management and monitoring systems should be the next priority. Things can get rather difficult if these are purpose-built devices without robust central management. For anyone running these systems, it’s paramount to keep them up to date, if possible, and withinvendor support. That may prove difficult or impossible for ICS systems if they don’t come with some form of user update method – in which casethe documentation from each vendor can provide more information.

Proper network segregation and monitoring is important to provide some protection while security teams work out how to properly update and patch these systems. It’s certainly easier to focus on traditional attack vectors such as OS and web server vulnerabilities. But these findings make it clear thatignoring the potential impact of more domain specific solutions such as SCADA and ICS is not an option. It’s important that security teamswork with their vendors and partners to ensure that each device is securely implemented, and the patching process works in a sustainable way for their business.

Related posts

IBM Study: More Companies Turning to Open-Source AI Tools to Unlock ROI

RUCKUS Wi-Fi 6 Solution Improves Campus Experience for Amrita University

Team Computers Launches Global Delivery Center in Uttarakhand to Transform Rural India

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More