Tag Archives: vulnerability disclosure

CERT Issues Alert for Possible SCADA Vulnerability

ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), under the Department of Homeland Security of the US government, has issued an alert of a possible SCADA vulnerability affecting solar power plants.

The affected product is the Sinapsi eSolar Light Photovoltaic System Monitor which is used to communicate with photovoltaic inverters, gauges, energy meters, network analysers etc. The exploit allows a hacker to “remotely connect to the server and executing remote code, possibly affecting the availability and integrity of the device,” according to the report issued at the CERT website.

The vulnerabilities are exploited by authenticating to the service using hard coded credentials as per two security researchers, Roberto Paleari and Ivan Speziale, who identified the vulnerable system as the Schneider Electric Ezylog photovoltaic SCADA management server. It is stated to suffer from multiple vulnerabilities including SQL injection vulnerabilities and hard coded authorizations.

ICS-CERT has a working proof of concept code and has contacted the vendor of the software to confirm the vulnerability and identify mitigations. This is days after Defense Secretary Leon Panetta had warned about possible ‘cyber Pearl Harbour’ in a speech at the Interpid Air and Space Museum. SCADA systems are the underlying control systems of important national infrastructures such as power plants and even small cyber-attacks on them could have big repercussions on the nation as a whole.

Source: ICS-CERT (PDF)

Via: Naked Security

Vulnerability Arbitration – Neat Idea For Responsible Vulnerability Disclosure

Vulnerability disclosure is a method of publishing information about a problem, often related to computer security which if gone unreported can result in serious consequences. One of the contentions involving disclosure is often up to what amount of information need to be disclosed. Too little information might result in the disclosure being brushed off, and too much disclosure gives people willing to exploit the vulnerability a head start in causing some serious damage with it.

Vulnerability Arbitration(Vulnarb.com) is a neat concept by Zed Shaw which aims in helping security researches, consumers, and the affected companies deal with security vulnerabilities in a timely and a responsible manner.

Vulnarb helps

  • Security researchers to disclose the vulnerabilities that they found in a responsible way
  • Consumers get to know which products are affected, but not know what the vulnerability is
  • Incentive for companies to fix security holes

The concept with Vulnarb is to use a site’s public SSL certificate and a generated  random key to encrypt the vulnerability disclosure. The affected company can then use their private SSL certificate to decrypt the encrypted message and act upon it. Once the vulnerability has been fixed, the company can then publish the decrypted disclosure indicating that it has been fixed or indicate that the disclosure is incorrect.

For the time being, Zed has indicated this is a concept and has invited people to test it out and see if it can work. Indeed, this looks like a great idea. Do feel free to head over to Vulnarb, check it out and drop in a comment or two about this.