Analysis of the ICONICS GENESIS Security Vulnerabilities for Industrial Control System Professionals
30 March 2011
A number of previously unknown security vulnerabilities in the ICONICS GENESIS32 and GENESIS64 products have been publicly disclosed. The release of these vulnerabilities included proof-of-concept (PoC) exploit code.
While we are currently unaware of any malware or cyber attacks taking advantage of these security issues, there is a risk that criminals or political groups may attempt to exploit them for either financial or ideological gain.
The products affected, namely GENESIS32 and GENESIS64, are OPC Web-based human-machine interface (HMI) / Supervisory Control and Data Acquisition (SCADA) systems. They are widely used in critical control applications including oil and gas pipelines, military building management systems, airport terminal systems, and power generation plants.
Of concern to the SCADA and industrial control systems (ICS) community is the fact that, though these vulnerabilities may initially appear to be trivial, a more experienced attacker could exploit them to gain initial system access and then inject additional payloads and/or potentially malicious code. At a minimum, all these vulnerabilities can be used to forcefully crash system servers, causing a denial-of-service condition. What makes these vulnerabilities difficult to detect and prevent is that they expose the core communication application within the GENESIS platform used to manage and transmit messages between various clients and services.
This White Paper summarizes the current known facts about these vulnerabilities. It also provides guidance regarding a number of possible mitigations and compensating controls that operators of SCADA and ICS systems can take to protect critical operations.
What’s New in this Version
The following are the primary changes in version 1.1 of this white paper:
• Information on the availability of Intrusion Detection System (IDS) signatures has been added.
• The use of IDS in control networks has been added as an additional compensating control.
A number of grammatical errors have also been corrected.
What is it?
A total of 13 vulnerabilities were disclosed that all exploit the GenBroker.exe application on TCP port 38080 within the ICONICS GENESIS 32- (version 9.21 or earlier) and 64-bit (version 10.51 or earlier) platforms. Of the 13 vulnerabilities disclosed, 12 of them exploit remote integer (buffer) overflows, while one (1) exploits a memory corruption vulnerability.
All 13 vulnerabilities can be remotely exploited using the vulnerable port TCP/38080. This port is nearly always open on the affected GENESIS machines, as it provides access to a core application used to manage communications between clients and servers.
What can an attacker do with this information?
The public disclosure of these vulnerabilities included PoC code in the form of source code and a compiled Windows executable file. With this code, it is possible for a potential attacker to further experiment, and with moderate expertise, create the malicious payload that can then be executed following the successful exploitation of the buffer overflows.
Possible payloads range from simple remote shells, to information and credential stealing, to advanced call-back applications that can be used to further compromise the target control system.
How easy is it to use these vulnerabilities to attack a system?
The publicly available proof-of-concept code released with the disclosure makes it easy to cause the affected service to terminate prematurely, resulting in a denial-of-service condition and loss of view in the control system. To execute arbitrary code on the affected servers would require the moderate to advanced skills needed to create the payload and incorporate it into the PoC code.
Is exploit code publicly available?
Yes, the exploit code, including source code, is available through various forums including:
Are any known viruses/worms or attack tools using these vulnerabilities?
There are currently no known viruses/worms or attack tools using these vulnerabilities. In addition, there are no automated exploit modules (Immunity CANVAS/Agora, Metasploit, etc.) utilizing these vulnerabilities. However, this is likely to change rapidly based on the current high state of awareness regarding ICS security.
What are the potential consequences to SCADA and control systems?
Many in the ICS industry are aware of the issues associated with using the Distributed Component Object Model (DCOM) and its many shortfalls. For example, DCOM provides challenges when working across domains and through firewalls, causing some organizations to disable the security features inherent in the operating system platform.
ICONICS helps to address the DCOM issues through the GenBroker application. This is the core component that manages communication into and out of the GENESIS server, and has been developed to offer users options for improving and simplifying communication between hosts within the control system architecture.
By using the GenBroker, users can communicate directly with other OPC devices either using the traditional DCOM method (as might be the case within a local network environment), or by using GenBroker via TCP/IP and SOAP/XML channels. With GenBroker, it is even possible to allow communication over wide area networks, including the Internet.
This added flexibility to allow wide area communications is one reason why a vulnerability in such a critical service could compromise the overall integrity of the system communications, leading to deeper system penetration and potential compromise.
What Control/SCADA Systems are affected?
The following control and SCADA systems are believed to be directly affected by these vulnerabilities:
• ICONICS GENESIS 32-bit (version 9.21 or earlier)
• ICONICS GENESIS 64-bit (version 10.51 or earlier)
Detection and Removal
Since this is not a virus, worm, or trojan, but rather a remote exploit, there are no known detection and/or removal products available. Certain anti-virus products are capable of detecting buffer overflow situations, but none have been specifically tested against these exploits at this time.
Intrusion detection products
Emerging Threats Pro, with assistance from NitroSecurity, has developed Intrusion Detection System (IDS) signatures for all of the vulnerabilities noted in this white paper. These IDS signatures are also available in the Quickdraw SCADA IDS Vulnerability Ruleset.
Available Patches or Updates
As of March 28, 2011, no patches are available from ICONICS. They are working on addressing these vulnerabilities and will provide a patch as soon as it is available. An announcement will be posted on the company home page at http://www.iconics.com.
Compensating controls are actions that will not correct the underlying issue, but will help block known attack vectors for systems where no patch is available. The following are seven suggested compensating controls for GENESIS systems:
1. Move GenBroker Communication to a Non-Default Port
The public disclosure was based on the fact that GenBroker was running on port TCP/38080. Within the GENESIS “GenBroker Configurator”, it is possible to reassign the application to utilize a different TCP port. These changes should be carefully reviewed and analyzed prior to implementation, as they will impact the communications configuration for all clients and services within the control system architecture. If you are unclear how to perform this change, consult your local ICONICS representative for technical support.
2. Installation of Industrial Firewalls to Protect the Server
These vulnerabilities represent a significant risk to the integrity of the GENESIS system, yet are difficult to detect or prevent as they are using "valid" communications with the targeted GenBroker server. Thus it is recommended that industrial firewalls be installed in-line between any computer running the GenBroker server applications and the nearest switch. This firewall should be implemented with a rule set that allows traffic only from other authorized GENESIS hosts using the specific services/ports needed for the ICONICS product to operate. To determine the ports needed, contact your ICONICS representative or use a firewall offering automated learning features.
The use of industrial firewalls is recommended due to the high-risk exposure of these services from not only less-trusted remote networks, but also the local trusted control system network.
3. Minimize Exposure of Vulnerable Systems to External Networks
Due to the extent of these vulnerabilities and how they impact the primary communications infrastructure of the GENESIS environment, external or remote access from less-trusted networks should be severely restricted or eliminated. Less-trusted networks include both public networks like the Internet, as well as general-purpose office networks which may have access to the Internet.
If external communications are required, industrial firewalls should be utilized between networks, and should contain rule sets that severely limit the external hosts that are allowed to communicate with the GENESIS hosts. For the allowed hosts, communications should be restricted to just the services/ports which are used in critical communications. Considerable security risk is present if host-to-host communication is filtered on an IP address alone, so additional port/service rules are essential.
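The rule-set advice in controls 2 and 3 can be checked mechanically. The following is an added example, not code from the white paper or from ICONICS: a small default-deny evaluator that compares an "IP address only" rule set with an "IP address plus service/port" rule set against a handful of connection attempts. The addresses, the authorized client, the office network and the attempts are all constructed for illustration; the only value taken from the paper is the default GenBroker port TCP/38080.

```python
# Added example (not from the Byres Security white paper or ICONICS):
# evaluating an in-line firewall rule set protecting a GenBroker server.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

GENBROKER_PORT = 38080  # default GenBroker TCP port named in the paper


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR of permitted source hosts
    dst: str                 # CIDR of the protected GENESIS host(s)
    proto: str = "tcp"
    port: Optional[int] = None   # None = any port, i.e. filtering on IP address alone


def is_allowed(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: the connection passes only if some rule matches it."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and (r.port is None or r.port == port)):
            return True
    return False


# Constructed topology: 10.1.1.10 = GENESIS server, 10.1.1.20 = authorized
# GENESIS client, 192.168.50.0/24 = general-purpose office network.
IP_ONLY_RULES = [Rule("10.1.1.20/32", "10.1.1.10/32", "tcp")]
IP_AND_PORT_RULES = [Rule("10.1.1.20/32", "10.1.1.10/32", "tcp", GENBROKER_PORT)]

# Constructed connection attempts: (source, destination, protocol, dest port).
ATTEMPTS: List[Tuple[str, str, str, int]] = [
    ("10.1.1.20", "10.1.1.10", "tcp", 38080),     # client -> GenBroker: required
    ("10.1.1.20", "10.1.1.10", "tcp", 3389),      # client -> RDP: not required
    ("192.168.50.7", "10.1.1.10", "tcp", 38080),  # office host -> GenBroker
    ("10.1.1.20", "10.1.1.10", "udp", 38080),     # wrong protocol
]


def evaluate(rules: List[Rule]) -> List[bool]:
    """Decision for each constructed attempt under the given rule set."""
    return [is_allowed(rules, *attempt) for attempt in ATTEMPTS]


if __name__ == "__main__":
    for name, rules in (("IP only", IP_ONLY_RULES), ("IP + port", IP_AND_PORT_RULES)):
        print(name, ["ALLOW" if ok else "DENY" for ok in evaluate(rules)])
```

With the IP-only rule set the authorized client can reach every service on the server, including ones the control system never uses; adding the port rule narrows it to the GenBroker service alone, which is the point made above about filtering on IP address alone.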
4. Install an Intrusion Detection System (IDS)
An IDS is a monitoring system designed to detect network messages that match known vulnerability signatures. As noted earlier, a number of IDS vendors have released signatures for the vulnerabilities affecting the IGSS products. We strongly recommend that users of the IGSS product install an IDS product on their control network and monitor it regularly.
5. Regularly Check System Log Files
Until a vendor patch is available, all system log files, especially those contained within the Windows operating system, should be checked regularly and reviewed for any unexpected termination of applications and services. These could be a sign that a remote attack is being attempted.
6. Regularly Check Security Perimeter Device Log Files
Significant information can be determined by looking at log files in perimeter devices (such as firewalls), paying particular attention to “denied” access attempts to the trusted control system network via port TCP/38080. These failed attempts could point to a potential attacker trying to exploit the vulnerabilities.
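Controls 5 and 6 above both come down to reviewing log lines for two patterns: unexpected termination of the GenBroker application on the Windows host, and denied connection attempts to TCP/38080 at the perimeter. The following is an added example, not part of the white paper: two small parsers run over constructed sample logs. The Windows Application log export format and the syslog-style firewall format are assumptions (real exports vary by tool and OS version); the executable name GenBroker.exe, the Application Error event ID 1000 and the addresses are sample values chosen for illustration.

```python
# Added example (not from the Byres Security white paper): triage of
# constructed Windows Application log and perimeter firewall log samples.
import re
from collections import Counter
from typing import Dict, List

GENBROKER_PORT = 38080  # default GenBroker TCP port named in the paper

# Constructed Windows Application log export (format assumed).
# Event ID 1000 from source "Application Error" records an application crash.
WINDOWS_APP_LOG = """\
2011-03-29 02:10:11 Information MsiInstaller 1035 Windows Installer reconfigured the product.
2011-03-29 02:14:07 Error Application Error 1000 Faulting application GenBroker.exe, version 9.21.0.0, faulting module GenBroker.exe
2011-03-29 02:14:30 Error Application Error 1000 Faulting application GenBroker.exe, version 9.21.0.0, faulting module ntdll.dll
2011-03-29 02:20:45 Error Application Error 1000 Faulting application notepad.exe, version 5.1.2600.5512, faulting module notepad.exe
2011-03-29 02:31:02 Information Service Control Manager 7036 The GenBroker service entered the stopped state.
"""

# Constructed perimeter firewall log (syslog-style format assumed).
FIREWALL_LOG = """\
Mar 29 02:13:58 fw1 DENY TCP 192.168.50.7:51234 -> 10.1.1.10:38080
Mar 29 02:13:59 fw1 DENY TCP 192.168.50.7:51235 -> 10.1.1.10:38080
Mar 29 02:14:00 fw1 DENY TCP 192.168.50.7:51236 -> 10.1.1.10:38080
Mar 29 02:14:03 fw1 ALLOW TCP 10.1.1.20:49152 -> 10.1.1.10:38080
Mar 29 02:15:10 fw1 DENY TCP 198.51.100.23:40001 -> 10.1.1.10:38080
Mar 29 02:16:22 fw1 DENY TCP 192.168.50.9:51300 -> 10.1.1.10:445
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Error Application Error 1000 Faulting application (?P<app>\S+),")
DENY_RE = re.compile(
    r"DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def crashes_of(log_text: str, app: str = "GenBroker.exe") -> List[str]:
    """Timestamps of Application Error (event 1000) records for the named executable."""
    hits = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group("app").lower() == app.lower():
            hits.append(m.group("ts"))
    return hits


def denied_by_source(log_text: str, port: int = GENBROKER_PORT) -> Dict[str, int]:
    """Denied attempts toward the GenBroker port, counted per source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and int(m.group("port")) == port:
            counts[m.group("src")] += 1
    return dict(counts)


def repeat_offenders(log_text: str, threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` denied attempts, worth a closer look."""
    return sorted(s for s, n in denied_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print("GenBroker crashes at:", crashes_of(WINDOWS_APP_LOG))
    print("Denied to TCP/38080 by source:", denied_by_source(FIREWALL_LOG))
    print("Repeat offenders:", repeat_offenders(FIREWALL_LOG))
```

Two GenBroker crashes a few seconds apart, coinciding with a burst of denied connections to TCP/38080 from one office host, is exactly the correlation the two controls are meant to surface; the unrelated notepad crash and the denied attempt on port 445 are left out so that the reviewer's attention stays on the vulnerable service.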
7. Monitor Vendor Support Site for Applicable Patches
These vulnerabilities are expected to extend across a broad range of software releases. This could mean that many sites are not covered under current support contracts, and are unable to download patches as they become available. In all cases, we recommend that users contact their local ICONICS representative for instructions on distribution and installation of the patches, when they become available.
Frequently Asked Questions
What is a Freeing of Arbitrary or Uninitialized Memory Vulnerability?
A Freeing of Memory vulnerability occurs when a program is forced to free the same memory address more than once. This causes the program’s memory management data structures to become corrupted. In turn, this can cause the program to crash, leading to a denial-of-service condition. In the case of one of the exploits noted in the ICONICS product, this situation leads to a buffer overflow condition (see next question), potentially allowing arbitrary code to be remotely injected and executed by an attacker.
What is an Integer Overflow Vulnerability?
An Integer Overflow occurs when the result of a valid operation is larger than the memory space allocated for it can hold, often resulting in memory corruption. This is typically caused by the application code failing to validate user input prior to processing. A successful exploit could allow additional malicious code to be injected and executed. Unsuccessful attempts will likely result in the premature termination of the application and a denial-of-service condition. This vulnerability is also known as a Buffer Overflow vulnerability.
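The mechanism described above, as an added example that is not from the white paper and is not based on any ICONICS code: a constructed length-prefixed message format in which an unvalidated record count is multiplied by a record size using 32-bit arithmetic. Python integers do not wrap, so the example masks the product to 32 bits to mimic the C arithmetic; the header layout, the 16-byte record size and the sample messages are all constructed for illustration. The checked variant shows the input validation whose absence the answer refers to.

```python
# Added example (not from the Byres Security white paper or ICONICS):
# how an unvalidated count turns into an undersized allocation.
import struct

MASK32 = 0xFFFFFFFF      # width of an unsigned 32-bit C integer
RECORD_SIZE = 16         # bytes per record in the constructed message format


def parse_count(msg: bytes) -> int:
    """Constructed format: a 4-byte little-endian record count, then the records."""
    (count,) = struct.unpack_from("<I", msg, 0)
    return count


def buffer_size_unchecked(count: int) -> int:
    """Mimic 32-bit C arithmetic: count * RECORD_SIZE silently wraps modulo 2**32."""
    return (count * RECORD_SIZE) & MASK32


def buffer_size_checked(count: int) -> int:
    """The missing validation: refuse counts whose product cannot fit in 32 bits."""
    if count > MASK32 // RECORD_SIZE:
        raise ValueError("record count %d would overflow the allocation size" % count)
    return count * RECORD_SIZE


def shortfall(msg: bytes) -> int:
    """Bytes a copy loop over `count` records would write past the wrapped buffer."""
    count = parse_count(msg)
    return count * RECORD_SIZE - buffer_size_unchecked(count)


# Constructed sample messages.
BENIGN_MSG = struct.pack("<I", 3) + b"\x00" * (3 * RECORD_SIZE)
# A count chosen so that count * 16 wraps to 16 in 32-bit arithmetic.
WRAPPING_MSG = struct.pack("<I", 0x10000001) + b"\x00" * RECORD_SIZE


def validate(msg: bytes) -> bool:
    """True if the message passes the count check, False if it would be rejected."""
    try:
        buffer_size_checked(parse_count(msg))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_MSG), ("wrapping", WRAPPING_MSG)):
        count = parse_count(msg)
        print(name, "count=%d allocated=%d shortfall=%d accepted=%s"
              % (count, buffer_size_unchecked(count), shortfall(msg), validate(msg)))
```

The unchecked path allocates 16 bytes for a message claiming over 268 million records, so any loop that trusts the count writes far beyond the allocation; the checked path rejects the count before any allocation happens, which is the validation step the answer above says is typically missing.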
What is a Zero-Day Vulnerability?
Zero-day vulnerabilities or “0 days” (pronounced “oh days”) are those that are unpatched by the affected software’s manufacturer. The “days” start counting once a patch is publicly released.
I don’t use the versions of GENESIS listed on the Bugtraq site – do I still need to be concerned?
Absolutely – it is likely that all versions of GENESIS32 and GENESIS64 up to and including those listed are affected by these vulnerabilities.
Who is ICONICS and what is their GENESIS product?
ICONICS is a visualization and automation software company, founded in 1986. They currently have 250,000 installations in over 60 countries worldwide.
ICONICS offers a wide range of industrial automation software solutions focused on “visualizing the enterprise”. The GENESIS product is an OPC Web-based human-machine interface (HMI) / Supervisory Control and Data Acquisition (SCADA) system available for both 32- and 64-bit environments.
ICONICS GENESIS can be found in a wide range of industrial sectors, including automotive, building automation, food and beverage, government infrastructure, manufacturing, petrochemical, pharmaceutical, renewable energy, utilities and water/wastewater industries.
For more information, please contact:
Byres Security Inc
PO Box 178
No. 5-7217 Lantzville Road
Tel: 001 250 3901333
Fax: 001 250 3903899