The recent revelation that Malta-based start-up ReVuln is offering only to paying customers information about SCADA zero-day vulnerabilities has spurred security researcher Aaron Portnoy into trying his hand at finding some.
And he did – 23 in all, affecting software sold by Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton Corporation.
He hopes that at least some of these discovered flaws are the same ones unearthed by ReVuln, because unlike that company, he means to share the information free of charge with ICS-CERT so that they can collaborate with SCADA vendors to ensure these vulnerabilities are fixed.
Portnoy did the research and discovered the flaws during one slow morning, and seems a little amazed at how easy they were to find. “The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed,” he noted.
“For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison,” he added. “The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself.”
With that in mind, he says that he intends to ask the ICS-CERT to create a repository of SCADA software so that researchers might download, audit it, and share the findings with the CERT. “Even a list of what software is of interest would be beneficial,” he pointed out.
“Now, I realize I haven’t found nearly all the vulnerabilities in these products, but hopefully there is some overlap with those that were never going to end up in the hands of those able to fix them,” he concluded.
Exodus Intelligence, the security firm of which Portnoy is VP of Research, also offers a vulnerability intelligence data feed for buying customers, but its customer base consists of those who wish to protect themselves against the exploitation of the zero-day flaws. Also, the company first shares the information with the affected vendors.