
SANS ISC: InfoSec Handlers Diary Blog



Industrial Control Systems Vulnerability

Published: 2008-05-06
Last Updated: 2008-05-06 20:05:51 UTC
by Marcus Sachs (Version: 1)

While not a day goes by without many public announcements of vulnerabilities in consumer and business software, it is rather rare that we hear about something wrong with software that is used to monitor or control industrial systems. Commonly called SCADA (Supervisory Control And Data Acquisition) or PCS (Process Control System), these are the systems that monitor and operate oil and gas refineries, large manufacturing plants, assembly lines, railroads, electrical grids, and countless other industrial processes.

Core Security announced yesterday that there is a denial-of-service vulnerability in the Invensys Wonderware InTouch SuiteLink service running on Windows operating systems, specifically slssvc.exe. According to Core, this vulnerability "could allow an un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario."

According to Wonderware's website, "Wonderware is the leading supplier of industrial automation and information software solutions. One third of the world’s plants run Wonderware software solutions. Having sold more than 500,000 software licenses in over 100,000 plants worldwide, Wonderware has customers in virtually every global industry — including Oil & Gas, Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more."  It's no wonder that a vulnerability in their monitoring software might be something the bad guys would be very interested in.

DHS (National Vulnerability Database) rates this one pretty high and says that the vulnerability "Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service." Our advice: patch now.

Marcus H. Sachs
Director, SANS Internet Storm Center
