[BreachExchange] Researchers Discover Vulnerable SCADA Product & Responsive SCADA Vendor

Destry Winant destry at riskbasedsecurity.com
Fri Sep 6 09:59:07 EDT 2019


https://www.riskbasedsecurity.com/2019/09/03/researchers-discover-vulnerable-scada-product/

We previously published research about critical vulnerabilities in
South Korean ActiveX controls and, soon after that, how the
coordination through Korea Internet & Security Agency (KISA) presented
some challenges that other government entities and vendors could learn
from.

Today, we released our research that uncovered multiple
vulnerabilities in the AK-EM 800 product from the major SCADA vendor
Danfoss. These included two critical vulnerabilities, one of which
was essentially a backdoor into highly privileged functionality to
manage the software. The other was related to missing permission
checks when accessing a servlet that allowed performing sensitive
database queries, e.g. to disclose usernames and passwords. Other
vulnerabilities allowed remote attackers to lock out accounts or local
attackers to disclose passwords or gain SYSTEM privileges.

More details can be read in our research report.

The vulnerabilities were discovered in late 2018 and have been
coordinated with Danfoss, who recently published an updated version of
their product to fix the reported vulnerabilities. The ray of sunshine
in this story is that the coordination process with Danfoss was
excellent.

Historically, SCADA vendors in general have a poor reputation when it
comes to handling vulnerability reports. The handling by Danfoss was
close to exemplary, and they managed to check all the boxes mentioned
in our previous blog about KISA’s shortcomings. They were responsive
and provided monthly status updates that were very detailed on their
progress. The coordination process hands down ranked in our Top 5, and
we’ve coordinated hundreds of vulnerabilities.

The only real critique is that the vendor spent ten months releasing
an updated version. SCADA vendors are generally notorious for taking a
lot longer to release security fixes than many other vendors. In
fairness, the vendor did in this case have to address design issues
that extend beyond e.g. fixing a simple buffer overflow with a
single-line code change, so it was not unexpected. However, it was
still beyond the 90 to 180 day deadline that researchers typically
extend to vendors to address a reported vulnerability before disclosure.

That said, from the beginning Danfoss very clearly communicated when
they expected to have the fix ready even if they had to push the date.
When they ran into a snag trying to update various old third-party
components, they postponed the less serious ones for a later release.
Instead of delaying a security release unnecessarily for already
implemented critical fixes, Danfoss opted to release an updated
version and then address remaining issues related to third-party
components later.

This is a good example of how vendors should go about dealing with
unsafe third-party components used in their code, but that is a blog for
another day.

