If you’ve been looking for my slides from the SCADA Summit that included information on the GE Fanuc iFIX vulnerabilities that I discovered and reported, then you’re still out of luck, but this is just as good, really.  If you’re an end-user of iFIX, or a penetration tester/red-team member testing installations of iFIX products, this is really all the info you need:

It’s a pretty good prose description of the vulnerabilities, in more detail than I was expecting from them.  Boiling it down to a couple of bullet points, these vulnerabilities encompass the following issues (trying not to put it in more detail than their write-up):

  • Password storage is done in an easily reversible manner
  • “Network” authentication involves passing the file over Windows shares without additional encryption/protection
  • Authentication of users can be bypassed, as iFIX’s security measures for managing users’ access run in the context of the currently-logged-in Windows user that is running the iFIX system.
  • Features that prevent operators from exiting the HMI screen can be bypassed with an auto-run capable USB drive (such as U3).

There are some excellent suggestions for end-users that would allow them to mitigate the impact of these vulnerabilities until they are fixed in a future release of iFIX.  There’s good advice in there, even if you’re running something other than iFIX for your HMI.

Enjoy!

Edit: Quick edit for clarity.

 

I’m all settled in at the Walt Disney Dolphin resort hotel, registered for the SANS SCADA Summit, and just finished up going over my slides one more time.

I’m going to go ahead and make the slides available now, so anyone interested in attending the talk tomorrow can go ahead and get them.  If you’re not at the Summit, then here’s your little slice of it:

  • Sorry, not here anymore (right-click, save as)

It’s about 3 megs (pictures :), and they compressed ugly when I tried).

<redacted>

Edit: A few folks have asked: SANS did not ask for the slides to be removed.  They’re totally cool, and have been great to me and the other speakers during this conference.

 

The agenda for the SANS Process Control & SCADA Security Summit 2009 has changed a bit and it’s definitely for the better.  I am now scheduled for a session at 1:40 PM, on Monday, February 2nd: In-Depth Discussion: SCADA HMI Software Security Threats with Wesley McGrew.

I plan on using this session to present a talk entitled “Vulnerabilities in SCADA Human-Machine Interface Software”:

In this presentation, I will discuss the attack surface of HMI software, why it might be an attractive target for attackers (and penetration testers!), and how these risks might be mitigated, both by software vendors and end users.  

As an example during this presentation, I will be going through the details of a specific set of vulnerabilities in a widely-used HMI software product.  These vulnerabilities were disclosed to the vendor about 6 months ago, and this will be the first time that they will see public disclosure.  The problems are fundamental to the architecture of this product, easy to understand and follow, and serve as an excellent illustration of the points we’ll be discussing in this session :-).

If you’re interested in how HMI software fits into SCADA security, a user or developer of HMI software looking for mitigation strategies, or a penetration tester looking for new ways of testing target systems, then I think this would be an interesting talk for you to attend at the Summit.  I’m going to try to keep things interactive with the attendees, and I think we’re going to have a lot of fun.

Get in touch with me if you plan on attending this talk!  I’d love to hear from you.  I’ll also have the slides posted here on my blog once the talk is over.

 

I will be in attendance and talking at the SANS Process Control and SCADA Security Summit 2009, at the Walt Disney World Dolphin hotel.  I have been invited to take part in the keynote discussion panel on the topic of security issues surrounding the smart grid and Automated Metering Systems.  I’m in very good company on this panel, with three top-tier co-panelists:

I’m looking forward to discussing control system security with these guys, and I’ll try to keep up!  I’m also going to be involved in an interactive workshop on the topic of wireless threats with Matt Carpenter later on in the first day.  If you’re looking for me outside of my talks, I’ll be attending as many other talks as possible, and trying to network with other penetration testers :).

If any of my readers are going to be attending the summit, please get in touch with me!  I’d love to meet you, and would be happy to talk to you at length about my current SCADA security research interest: vulnerabilities in Human Machine Interface (HMI) products.

 

I wasn’t going to talk about this on here for a while, since the public disclosure and paper won’t be out for another six months, probably, but my major professor is so excited about it that he just had to put out a press release:

I’m going to clear up a few things on this, but I’m also going to have a bit of fun…

A Mississippi State graduate student working with the university’s Critical Infrastructure Protection Center could be nicknamed “Johnny-on-the spot.” (sic)

I feel like I’m in the Rat-Pack now.  “Hey Frank, I need a big-leaguer who can trace through this stuff in immdbg!”, “Call that kid up at MSU, he’s a real Johnny-on-the-spot.”

Robert W. “Wes” McGrew

This is the part where we abbreviate my middle name, Wesley (which I go by among people I know), put it in quotes as a nickname, and then place it after my middle initial, which is what it stands for anyw… damnit now even I’m confused.

OK, now for some clarifications:

…discovered what is being called “a significant software vulnerability” that could allow hackers the ability to gain entry to computer control systems of numerous industries and potentially threaten national security.

“We know that this software exists in very critical infrastructures in the U.S.,” said Vaughn. “Through his research, Wes demonstrated how it was possible to obtain unauthorized access to the control system in just a few seconds.

The vulnerabilities that I have found (I’m not even disclosing the software’s name yet) are very serious; however, they’re not remote-access-granting by themselves.  Once you have any sort of access, remote or local, you can pretty much run all over the access controls and other security/auditing mechanisms.  It’s still troubling, as many installations of these systems have hacked-together remote access over RDP or software packages like PCAnywhere.  We’ve heard several first-hand accounts of the poor physical security of these systems as well.

There have been a lot of instances in the past of computers on SCADA networks being compromised by worms, botnet herders, and other attackers who didn’t even realize they were on a SCADA system.  These are the sort of vulnerabilities that can turn a normal attack that happens to land on a SCADA system into an actual control systems attack.

I promise you’ll get all the juicy details you can eat in the paper.

The National Security Agency was notified immediately of McGrew’s discovery. Shortly thereafter, the Department of Homeland Security broadcast an alert that included information on how to rectify the problem.

Too bad you didn’t have your shortwave radio tuned to the right frequency or you would have caught some zero day.  Seriously though, I do think some important installations have been given some heads-up and mitigation strategies.

That’s really about all (or more than) I want to say about it at this point :)

Edit: Never going to live this down on IRC:

14:05 < jgk> Robert W. "Wes" McGrew of Collinsville recently discovered
             what is being called "a tiramisu" that could allow hackers
             the ability to gain satiety of numerous industries and
             potentially threaten a toilet.
© 2012 McGrew Security