Researchers Discover Vulnerable SCADA Product & Responsive SCADA Vendor
September 3, 2019 • RBS
We previously published research about critical vulnerabilities in South Korean ActiveX controls and, soon after that, how the coordination through Korea Internet & Security Agency (KISA) presented some challenges that other government entities and vendors could learn from.
Today, we released our research that uncovered multiple vulnerabilities in the AK-EM 800 product from the major SCADA vendor Danfoss. These included two critical vulnerabilities, one of which was essentially a backdoor into highly privileged functionality used to manage the software. The other was a missing permission check when accessing a servlet, which allowed sensitive database queries to be executed, e.g. to disclose usernames and passwords. Other vulnerabilities allowed remote attackers to lock out accounts, or local attackers to disclose passwords or gain SYSTEM privileges.
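The missing-permission-check servlet described above is an instance of broken access control: a request handler that reaches the database without first establishing who is calling and whether they are allowed to. The following is an added illustration of that pattern and its fix, not code from the AK-EM 800 product, the research report, or Danfoss. The request/response classes, the in-memory SQLite user table, and the query names are all constructed for the example.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an application's user store (hashes are placeholder strings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "<constructed-hash-1>", "admin"),
         ("operator", "<constructed-hash-2>", "operator")],
    )
    conn.commit()
    return conn


@dataclass
class Request:
    """Minimal model of an HTTP request reaching a servlet (constructed, not a real framework)."""
    path: str
    params: dict = field(default_factory=dict)
    session_role: Optional[str] = None  # None means no authenticated session at all


@dataclass
class Response:
    status: int
    body: object


class VulnerableQueryServlet:
    """The weak pattern: whatever query the caller supplies is run, with no session or role check.

    Any client that can reach the endpoint can read the users table, hashes included."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db

    def handle(self, req: Request) -> Response:
        rows = self.db.execute(req.params["sql"]).fetchall()
        return Response(200, rows)


class HardenedQueryServlet:
    """The fix, applied in layers: authenticate, authorise, and replace free-form SQL with
    a fixed allow-list of named queries that never return credential material."""

    # Named, parameter-free statements; the caller chooses a key, never SQL text.
    ALLOWED_QUERIES = {
        "list_users": "SELECT name, role FROM users",
    }
    REQUIRED_ROLE = "admin"

    def __init__(self, db: sqlite3.Connection):
        self.db = db

    def handle(self, req: Request) -> Response:
        if req.session_role is None:
            return Response(401, "authentication required")   # no session: reject before any DB access
        if req.session_role != self.REQUIRED_ROLE:
            return Response(403, "forbidden")                  # wrong role: reject before any DB access
        sql = self.ALLOWED_QUERIES.get(req.params.get("query"))
        if sql is None:
            return Response(400, "unknown query")              # anything outside the allow-list is refused
        return Response(200, self.db.execute(sql).fetchall())


def demo() -> dict:
    """Exercise both handlers with the same unauthenticated request; returns the statuses seen."""
    db = make_db()
    anon = Request("/query", {"sql": "SELECT name, pw_hash FROM users"})
    return {
        "vulnerable_anon": VulnerableQueryServlet(db).handle(anon).status,
        "hardened_anon": HardenedQueryServlet(db).handle(anon).status,
        "hardened_admin": HardenedQueryServlet(db).handle(
            Request("/query", {"query": "list_users"}, session_role="admin")).status,
    }


if __name__ == "__main__":
    print(demo())  # expected: vulnerable 200, hardened 401 for anonymous, 200 for admin
```

The order of the checks in the hardened handler matters: authentication and authorisation both fail closed before the database is touched, so an unauthenticated or under-privileged request produces no query at all, and the allow-list means even a legitimate administrator cannot pull password hashes through this endpoint.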
IN THE NEWS
Threat Post: Critical Bugs Open Food-Safety Systems to Remote Attacks
Help Net Security: Critical vulnerabilities uncovered in Danfoss SCADA product, patch now!
More details can be read in our research report.
The vulnerabilities were discovered in late 2018 and have been coordinated with Danfoss, who recently published an updated version of their product to fix the reported vulnerabilities. The ray of sunshine in this story is that the coordination process with Danfoss was excellent.
Historically, SCADA vendors in general have a poor reputation when it comes to handling vulnerability reports. The handling by Danfoss was close to exemplary, and they managed to check all the boxes mentioned in our previous blog about KISA’s shortcomings. They were responsive and provided monthly status updates that were very detailed on their progress. The coordination process hands down ranked in our Top 5, and we’ve coordinated hundreds of vulnerabilities.
The only real critique is that the vendor took ten months to release an updated version. SCADA vendors are generally notorious for taking much longer to release security fixes than many other vendors. In fairness, the vendor did in this case have to address design issues that extend beyond e.g. fixing a simple buffer overflow with a one-line code change, so this was not unexpected. However, it was still beyond the 90 to 180 day deadline that researchers typically extend to vendors to address a reported vulnerability before disclosure.
That said, from the beginning Danfoss communicated very clearly when they expected to have the fix ready, even when they had to push the date. When they ran into a snag trying to update various old third-party components, they postponed the less serious ones for a later release. Instead of unnecessarily delaying a security release that already contained the implemented critical fixes, Danfoss opted to release an updated version and then address the remaining issues related to third-party components later.
This is a good example of how vendors should go about dealing with unsafe third-party components used in their code, but that is a blog for another day.