A security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them.
The vulnerabilities were discovered by Aaron Portnoy, vice president of research at startup security firm Exodus Intelligence, and affect SCADA (supervisory control and data acquisition) software from Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton. This type of software is used to control industrial processes in critical infrastructure, manufacturing plants, and other industrial facilities.
Last week, a Malta-based vulnerability research firm called ReVuln announced that it had found critical vulnerabilities in SCADA software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. However, the security company said that it would not report the flaws to the affected vendors or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the US Department of Homeland Security.
ReVuln sells information about the vulnerabilities it finds to government agencies and other select private buyers through a subscription-based service.
"I decided to research SCADA software after reading the mentioned articles and thought that it was dangerous to force vendors to purchase the ReVuln feed in order to protect critical infrastructure," Portnoy said Monday via email.
ReVuln's subscription-based feed service is not available to software vendors, but the security firm offers vulnerability assessment services to software manufacturers, ReVuln's co-founder Luigi Auriemma said Monday via email. Auriemma defended his company's decision not to report vulnerabilities and said that this business model is used by other vulnerability research companies and brokers as well.
The business of selling critical exploit information
The practice of selling information about unreported vulnerabilities to private buyers is not new in the security research community. However, it's only recently that some companies began advertising such services publicly. For example, French vulnerability research firm VUPEN was criticised by digital rights advocates after openly admitting that it sells exploits to NATO governments without reporting the vulnerabilities to vendors.
Portnoy presented his findings in a blog post published on Monday. They included seven remote code execution flaws, 14 denial-of-service issues and other vulnerabilities that allow attackers to download, upload and delete arbitrary files on systems running the vulnerable software.
"The most interesting thing about these bugs was how trivial they were to find," Portnoy wrote in the blog post. "The first exploitable 0day [previously unknown vulnerability] took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison."
In fact, according to Portnoy, it was more difficult to obtain the software than it was to find flaws in it. "I used a different approach to retrieve software for the various SCADA vendors," he said via email. "Some of them had trial software available to interested parties, others I had to dig up FTP credentials in some obscure document on their support portal. I did my best to ensure that I was auditing the latest version of the software I looked at."
Portnoy hopes that his findings partially overlap with those of ReVuln, because unlike ReVuln, he plans to report the vulnerabilities to ICS-CERT, which will then coordinate the disclosure with the affected vendors.
He would like to see ICS-CERT create a repository of SCADA software accessible to researchers who practice responsible disclosure. Even a list of software that's most important to audit would help, he said.
"I have a problem with nondisclosure," Portnoy said. "I don't think it does the industry or the general populace any good to purposely not allow a vendor to fix vulnerabilities by withholding information, which is why we responsibly disclose all of ours."
Much like ReVuln, Exodus Intelligence sells information about unpatched vulnerabilities through a subscription-based service. However, the service is aimed at helping companies defend their systems against attacks targeting such vulnerabilities until the software vendor is able to provide a patch.
The company always notifies vendors about the flaws before sharing information about them with its customers, Portnoy said. "All our clients are under a strict contract disallowing them from doing anything externally offensive with the information, besides testing their own defensive mitigations while the vendor works on a patch."
Exodus' reports include detailed analysis of the issues, an assessment of their risks, mitigation recommendations and sometimes exploit code. "We supply exploits for these issues because we've seen a history of defensive vendors basing their output on simple proof of concepts, and that does not yield realistic protection."
Portnoy is not the only researcher who had the idea of independently finding the vulnerabilities showcased by ReVuln and reporting them to vendors.
SCADA vendors might require outsourced code reviews
"We have been planning to do the exact same thing at Secunia as what Aaron [Portnoy] mentions (i.e. perform internal research to attempt a partial overlap and then coordinate with the vendors and ICS-CERT)," Carsten Eiram, chief security specialist at vulnerability research firm Secunia, said Monday via email.
When asked what he thinks about ReVuln's decision to sell information about vulnerabilities without reporting them to vendors, Eiram said that he doesn't want to be the judge of what's right or wrong when it comes to disclosure policies. "However, at Secunia we do things differently," he said.
Secunia's disclosure policy is even stricter than that of Exodus Intelligence. Whenever the company's researchers find vulnerabilities, the company reports them to the affected vendors and does not share information about them with its customers or the public until they have been addressed, or until communication with the vendor fails, Eiram said.
ReVuln doesn't plan to stop publishing the names of software vendors that it has vulnerabilities for, even if this will lead to efforts from other researchers to independently find the flaws and report them to the affected companies, Auriemma said. If any of the vulnerabilities offered by ReVuln through its feed service are patched by the vendor, the company will release a generic public advisory about the issue, but will not disclose any technical details publicly, he said.
Ruben Santamarta, a security researcher at security consultancy firm IOActive, who previously reported vulnerabilities in industrial control systems (ICS), believes that business models based on nondisclosure policies are here to stay until software companies make them unsustainable by securing their products.
"This business model can be reprehensible or not, that depends on your ethical point of view," Santamarta said Monday via email. "Regulated or not, as long as there are buyers, there will be sellers, unless we reach the point where there is nothing to sell. Until that moment, I think this kind of company is something the sector has to live with."
Portnoy said that it was easy for him to find vulnerabilities in SCADA software because many of the products he tested didn't even have rudimentary security mitigations built in.
"I think many of these vendors should be forced to perform outsourced code review, at the very least -- especially considering the implications if their software was leveraged by an attacker to gain access to the sensitive systems they support," he said.
"I don't necessarily think SCADA vendors should be forced to perform outsourced code reviews, but looking at the vulnerabilities being discovered, it may be in their best interest to do so," Eiram said. "Many SCADA vendors seem to require a solid SDL [security development lifecycle program]."
"The ICS industry cannot completely rely on the good intentions of a bunch of security researchers to secure their products," Santamarta said. "We have to take into account that if someone, who has no previous knowledge about your product, is able to find a flaw, probably someone with the proper knowledge is doing something wrong."