Monday, October 25, 2010

Siemens Stuxnet Patch Does Not Provide Sufficient Protection

Va -

The Siemens SIMATIC Security Update for protecting WinCC systems against Stuxnet infections doesn't close the actual hole in the SQL server configuration. It only prevents the known Stuxnet variants from working. As IT forensics expert Oliver Sucker demonstrates (German language link) in a video, only a few steps are required to bypass the protection and regain full remote access to a WinCC system.

The issue stems from the hard-coded credentials for the WinCC system's Microsoft SQL database. The Stuxnet worm uses these credentials to log into further systems from a system it has already infected. There, it uses the integrated xp_cmdshell command shell to access the underlying Windows operating system from the database at system privilege level.

The SIMATIC update prevents the database from executing commands via xp_cmdshell by switching the corresponding configuration option from 1 to 0. According to Sucker, however, the privileges of the hard-coded WinCCAdmin database user are so comprehensive that an attacker who has logged in can use a few trivial SQL commands to switch the setting back from 0 to 1, which re-enables command execution via the command shell. Sucker has so far not disclosed the exact SQL commands required.
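The weakness described above is that the patch changes a setting while leaving a database login that is powerful enough to change it back. The following T-SQL audit query is an added example, not code from the article, from Sucker's demonstration or from Siemens; it reads the SQL Server catalog views to show an operator the current effective state of the xp_cmdshell option and which logins hold the ALTER SETTINGS permission that server configuration changes require (held implicitly by members of the sysadmin and serveradmin fixed server roles). It assumes nothing about the WinCC schema; whether the WinCCAdmin login appears in the role listing is exactly what an operator would want to confirm.

```sql
-- Added audit query (not part of the original article or the SIMATIC update).
-- Run as a SQL Server administrator against the WinCC database instance.

-- 1. Effective state of the option the SIMATIC update switches off.
--    value_in_use is the running setting; "value" differs from it only
--    while a change is pending before RECONFIGURE has been executed.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Logins that can change server configuration options because they are
--    members of a fixed server role that implicitly holds ALTER SETTINGS.
--    A hard-coded application login listed here (e.g. WinCCAdmin, per the
--    article) can undo the patch's setting after authenticating.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 3. Logins granted ALTER SETTINGS explicitly, outside those roles.
SELECT p.name AS grantee, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'ALTER SETTINGS';
```

Scheduling the first query and alerting when value_in_use returns 1 gives operators a way to detect that the setting has been flipped back, which the patch itself cannot prevent as long as the application login retains rights to change server configuration.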

When asked by The H's associates at heise Security, Siemens refused to comment on the issue. Siemens spokesman Gerhard Stauss said in an email, "Our (latest) official statement to the effect that we are investigating ways of tightening authentication procedures remains in place". Until Siemens decides to improve its authentication by allowing the definition of custom access credentials, users can only hope that there will be no further Stuxnet variants or hacker attacks.


SCADA Vendors Still Need Security Wake Up Call

Speaking at the ToorCon Security Conference in San Diego, Jeremy Brown, a vulnerability researcher at security firm Tenable, said that many SCADA software vendors lag far behind other IT firms in vulnerability research and lack even a basic awareness of modern security principles. Despite the recent, high-profile Stuxnet worm, which made headlines around the world by targeting Siemens industrial control system (ICS) software used in power plants and other critical infrastructure, SCADA vendors are not receptive to vulnerability reports from security researchers, Brown said, and often lack the internal processes to properly handle and address vulnerabilities discovered by outside researchers.
