Security Issue XSS Vulnerability Note


Web developers have surely heard of acronyms like HTML, CSS, JS and XML. But what about XSS? It is something a good boy never bothers to learn about until the day he is threatened by it. So we learned the details in order to defend ourselves, and all you need to do is upgrade to the latest version to keep your SCADA system protected.


Summary of Event
  • 13-Apr-2011: ICS-CERT contacted the IntegraXor support team to report that a security researcher had discovered an XSS vulnerability in the IntegraXor system.
  • 14-Apr-2011: 5 exploit codes for the vulnerability were received.
  • 18-Apr-2011: IntegraXor Support Team confirmed to US-CERT that only 1 out of 5 exploit codes was valid. Another one was due to the database read level security configuration, which was set to zero on the demo project, so there was nothing to patch.
  • 22-Apr-2011: Thanks to the US-CERT Malware Team, who confirmed our finding with a very professional analysis report and managed to modify one of the invalid exploit codes so that it worked. This brought the total to 2 valid exploit codes out of 5.
  • 04-May-2011: IntegraXor Support Team announced to ICS-CERT and the security researcher that all confirmed vulnerabilities have been patched in any version after RC 3.60.4061.
  • 09-May-2011: The security fix was issued as official release 3.60 Build 4080 for general download.
  • 24-May-2011: The security researcher confirmed that the vulnerability issue has been fixed.
  • 27-May-2011: ICS-CERT made a public announcement.
  • 09-Jun-2011: A public announcement was made by IntegraXor.


Security Issue DLL Hijacking Vulnerability Note


HD Moore of Metasploit published a blog post about Exploiting DLL Hijacking Flaws on Sunday, August 22, 2010. Since then almost everyone who uses Windows has been at risk, because you can easily spot a familiar application in the long list of applications that are prone to this vulnerability, and IntegraXor is also affected by the DLL Hijacking vulnerability.

The DLL Hijacking vulnerability in IntegraXor was found at the end of last year, and it is thus far the vulnerability that we have put on hold longest before patching. The biggest reason is that we needed to give priority to our existing customers’ requests, and this vulnerability is an attack which may have some leeway on the timeline. As such we gave this vulnerability a lower priority for mitigation compared to other security vulnerabilities that were found later.

Summary of Event
  • 22-Dec-2010: An anonymous security researcher identifying himself/herself as “Mister Teatime” published an “Uncoordinated Disclosure” of a DLL Hijacking vulnerability at The Open Source Vulnerability Database.
  • 28-Dec-2010: ICS-CERT published a security alert.
  • 12-Jan-2011: ICS-CERT contacted IntegraXor Support Team for confirmation.
  • 17-May-2011: Build 4081 with the patch was sent to ICS-CERT for verification.
  • 25-May-2011: ICS-CERT confirmed that DLL hijacking has been patched.
  • 30-May-2011: IntegraXor support team issued a VN and declared that all versions after build 4081 are patched against the DLL Hijacking attack.

Note: The screenshot/drawing is published under Creative Commons Attribution 3.0 US License.


Security Issue SQL Unauthenticated Vulnerability Note


Earlier we announced that the SQL vulnerability issue had been resolved by adding Read/Write security control to the database configuration; however, the security researcher Dan Rosenberg from VSR claimed that the vulnerability was not fully patched. We were forced to put this issue aside because we had already put too many other feature requests on hold, and when we returned to merge the production line with the security fix, we were held up by some crash issues with this fix and, worse still, ran into an unnecessary problem caused by a breaking change in ADO update KB983246 (included in Windows 7 Service Pack 1).

After the vulnerability was fixed, we ourselves were confused by the default configuration, which has no Write security control. Finally, after more tests and clarification from the developer and analysts, ICS-CERT confirmed via email last week that the reported SQL Unauthenticated Vulnerability has been resolved, just before we would have needed to set up a conference call with the ICS-CERT analysts.


By the time ICS-CERT confirmed that the issue had been *completely* resolved, the correspondence on this single vulnerability had accumulated to 53 messages spanning three months. So far this is the vulnerability issue that we have found most tedious to solve, and again we thank ICS-CERT for helping to verify this fix.

Due to the confusion that arose, we have decided to accept ICS-CERT’s recommendation to make the Write security level default to a value of 100, while the Read level remains 0, which is open for world reading. This means a guest user is no longer allowed to acknowledge alarms or delete any report by default, starting from Release Candidate version 3.60.4042 and in any later version.


Security Issue 20101222-0700 Vulnerability Note

SQL Authentication Vulnerability

IntegraXor 3.6.4000.5 adds Read and Write level columns to the database table, which allow the user to configure a security level for each individual database entry. Now only users with a security level higher than or equal to the read level can browse trend and alarm data, and users with a security level higher than or equal to the write level can acknowledge alarms. The credit for finding this vulnerability goes to the security researcher from Virtual Security Research who reported it to ICS-CERT on 22nd December 2010.

Project Editor Database Configuration

Every database can have its own read and write level settings, which are associated with the User level/privilege setting. Note that the default level for both read and write is nil, which means no security; this is to ensure compatibility with previously developed projects. Users must manually enter a higher security level as per project requirements.
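The read/write level rule described above, together with the later default of Write 100 / Read 0 from the SQL Unauthenticated Vulnerability Note, sketched as an added example that audits a project for entries a guest session can still reach. This is not IntegraXor code: the record layout, the function names, a guest level of 0 and treating nil as 0 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

GUEST_LEVEL = 0  # assumption: level of an unauthenticated/guest session


@dataclass
class DbEntry:
    """Hypothetical record for one database entry in a project."""
    name: str
    read_level: Optional[int] = None   # None models the "nil" default
    write_level: Optional[int] = None


def _effective(level: Optional[int]) -> int:
    # Assumption: a nil level means no restriction, i.e. it behaves like 0.
    return 0 if level is None else level


def can_read(user_level: int, db: DbEntry) -> bool:
    """Browse trend and alarm data: user level >= read level."""
    return user_level >= _effective(db.read_level)


def can_write(user_level: int, db: DbEntry) -> bool:
    """Acknowledge alarms: user level >= write level."""
    return user_level >= _effective(db.write_level)


def audit(entries, guest_level: int = GUEST_LEVEL):
    """Return (name, finding) pairs for entries a guest session can reach."""
    findings = []
    for db in entries:
        if can_write(guest_level, db):
            findings.append((db.name, "guest-writable"))
        elif can_read(guest_level, db):
            findings.append((db.name, "guest-readable"))
    return findings


# Constructed sample project covering the defaults described on this page.
SAMPLE = [
    DbEntry("legacy_alarm"),                            # nil/nil default
    DbEntry("alarm", read_level=0, write_level=100),    # default from 3.60.4042
    DbEntry("report", read_level=50, write_level=100),  # manually hardened
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A project upgraded with nil levels left in place shows up as guest-writable, which is the case the note asks users to correct manually.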

Along with this SQL authentication feature, we have also included an improvement to the Watch List: the Watch Window can now save user-defined lists across sessions. There are also server stability improvements. Lastly, debugging messages in the status output are hidden when debug mode is turned off.

Summary of Event
  • 22-Dec-2010: ICS-CERT contacted the IntegraXor support team. The technical report for the vulnerability was received.
  • 27-Dec-2010: IntegraXor development team acknowledged the vulnerability.
  • 11-Jan-2011: The security fix was issued as an official release for general download.
  • 11-Jan-2011: A public announcement was made by the IntegraXor support team.

SCADA Vulnerability/Security Issues


Crossing into 2011 seems to be quite challenging for the IntegraXor team in handling security issues. However, we are very glad that several security researchers are helping us find security vulnerabilities and even helping us verify the patched release once the loophole is fixed. We wish to thank them and also Kevin, Kathy & Bryan from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), who have been very helpful and responsible in verifying and coordinating.

In fact it was our original idea to invite white hat hackers to find any vulnerability in IntegraXor SCADA, as we don’t believe in security through obscurity. Now so many excellent security researchers have come by, and we truly welcome them, and we are very pleased that we could respond and patch the vulnerabilities within a very short time frame. Thanks to the development team, who carefully designed a well-structured architecture that can be easily improved and maintained.


Having said that, we do not always respond fast to security issues that we judge not severe, especially vulnerabilities that require the physical presence of the attacker. Some security issues also take us longer to fix when they involve GUI design changes, as we care a lot about user friendliness. We are also concerned about compatibility impact, as we wish to ensure previously developed projects can be easily upgraded to the latest release, so that attackers will not be interested in developing malware targeting older versions of IntegraXor.

We wish to thank everyone again for helping make IntegraXor Web SCADA more secure than ever.
