[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerabilities in some SCADA server softwares



On 3/23/2011 12:54 PM, Luigi Auriemma wrote:
>> I fundamentally disagree with the idea that public disclosure
>> as a means of vendor notification serves any purpose
> so now the question is, why don't all these "good guys" spend their
> personal time and skills to find these vulnerabilities and reporting
> them to the vendors before me?
>
> the answer is that usually such people don't have the skills or simply
> don't like the idea of doing a professional work completely for free and
> even with the obligation of doing everything the vendor wants before
> the releasing of the patch that can take months or even years...
> practically a slave.
>

You stated: "usually such people don't have the skills" Humor me and
others on this list why don't you... Reported to CERT two days ago:

Vulnerability Report
Vulnerability Description Over 300 ActiveX based vulnerabilities have
been discovered on multiple VMWare Server applications. Vulnerabilities
range from denial of service attacks to full control of EIP which can
lead to code execution
Vulnerability Impact Attacker can trigger code execution
Date 2011-03-21T11:53:40

I contacted CERT after getting a slight run around from the vendor yet I
could have turned around and unloaded this information anywhere. The
reality is what point would it prove? This does not include the fact
that I'm sitting on vulnerabilities for SAP, IBM, CA even Siemens via
way of Stuxnet analysis. There others that I've reported and others I
haven't had time or chose not to and I'm sure there are plenty of
security researchers, hackers, attackers, etc. who do the same. Sure I
understand where the argument comes from: "they can take months or even
years" but the reality is, SCADA is "hip" right now so this comes across
as nothing more than juvenile idiocy to release SCADA based bugs. "Look
at me, I has SCADA!" You assume that every vendor is similar to the
irresponsible vendors who do take forever to respond. To that I refer
back to the car analogy. You did nothing to give anyone an iota of an
idea there was/is an issue. Bravo.

Personally, I am torn between full, responsible and even "no more free
bugs" types of disclosure, however, common sense dictates that playing
with SCADA right about now is like playing with fire. We're not talking
about a system blue screen or website graffiti as the outcome. "Look at
me I reverse shelled MS08067. With SCADA based systems, we are
potentially dealing with the risks of physical harm to individuals via
those systems. Did this cross your mind as being "responsible" or would
you rather jump out in the public with the following: "Look, I have a
gun... See I just shot someone, you can too, all you have to do is the
following" What you did was nothing more than that. "Look I have SCADA
bugs, SCADA systems can be dangerous and kill you. Here, here is the bug
to trigger potential damage. Thank you sincerely, Luigi."

> now that the users of the vulnerable products are aware of the
> vulnerabilities they can verify if their network is really safe like it
> should be in any case and in the meantime they will wait the patches of
> the vendors.
>

How about we reflect reality?

"Now that millions of script kiddies, organized crime groups, need I
mention the *t* word here also have this information. Now anyone can
custom target these vulnerable products. It's ok because many SCADA
systems engineers are not coders and many are incapable of making a
patch on their own but hey, what the hell!!! I has lots of bugs"

Systems that otherwise could have been secured had you taken the time to
be responsible and or mindful maybe even clueful are now at a greater
risk. What did you accomplish? SCADA vulnerabilities are no big mystery
and there are plenty of researchers who do things responsibly and make
money at the same time. You could have chose the ZDI route which would
have yielded you the same credits in the advisory while being paid for
your research. So unless you live under a rock, your argument is sort of
moot with regards to: "or do you think that you can contact the vendor
asking funds for the research you have already found?"


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF