HACK SCADA: Zero-Day Vulnerability Discovery on the Nano-10 PLC

Wei Gao
October 22, 2013

Supervisory Control and Data Acquisition (SCADA) systems are computer-based process control systems that interconnect and monitor remote physical processes. SCADA systems collect data from remote facilities about the state of the physical process and send commands to control the physical process, creating a feedback control loop. SCADA systems are widely used in chemical processing, petroleum refining, electrical power generation and distribution, water purification and distribution, intelligent buildings, and nuclear plants.

Several documented real-world incidents and cyber attacks on SCADA systems illustrate how exposed critical infrastructure is. They show that attacks on SCADA systems can cause financial loss as well as physical harm to people and the environment.

Team Cymru, an Internet security research firm, released a briefing paper in 2008[i] discussing port scans observed against its darknet. A darknet monitors otherwise unused address space, so any traffic it receives is unsolicited; the scans of interest were probing port numbers commonly associated with SCADA network protocols. The report showed heavy scanning activity originating from four regions: Asia, North America, Western Europe, and Eastern Europe. It cited heavy scanning of DNP3 ports from Russia and Taiwan and heavy scanning of MODBUS-related ports from Western Europe and China. Scanning of this kind is consistent with attackers enumerating reachable SCADA systems for later attacks.
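The kind of triage described above, applied to connection logs, as an added example that is not part of the original post or of Team Cymru's report: it tags unsolicited connection attempts to well-known ICS/SCADA ports and reports sources that probe more than one such service. The log format ("timestamp src_ip dst_ip dst_port proto", space-separated) is an assumption, the log lines are constructed, and the port table holds standard protocol assignments plus the Nano-10's configuration port listed later in this post.

```python
"""Flag darknet/firewall log lines that probe well-known ICS/SCADA ports.

Added example for this post, not code from Team Cymru or the original
author. The log format is assumed (space-separated
"timestamp src_ip dst_ip dst_port proto") and the sample lines are
constructed. The port table lists standard protocol assignments plus
the Nano-10's configuration server port from the table in this post.
"""
from collections import defaultdict

# Well-known ICS/SCADA listening ports (standard assignments; 9080 is the
# Nano-10 configuration server port from this post's port table).
SCADA_PORTS = {
    102: "ISO-TSAP (Siemens S7)",
    502: "MODBUS/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    9080: "Tri Nano-10 configuration server",
}

# Constructed darknet log lines: unsolicited SYNs to unused address space.
SAMPLE_LOG = """\
2013-10-20T01:02:03Z 198.51.100.7 192.0.2.10 502 tcp
2013-10-20T01:02:04Z 198.51.100.7 192.0.2.11 502 tcp
2013-10-20T01:02:05Z 198.51.100.7 192.0.2.12 20000 tcp
2013-10-20T01:03:00Z 203.0.113.9 192.0.2.10 80 tcp
2013-10-20T01:03:01Z 203.0.113.9 192.0.2.10 443 tcp
2013-10-20T01:04:00Z 198.51.100.22 192.0.2.40 102 tcp
2013-10-20T01:04:02Z 198.51.100.22 192.0.2.41 9080 tcp
2013-10-20T01:04:03Z 198.51.100.22 192.0.2.42 502 tcp
malformed line that should be skipped
"""


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port), or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        port = int(parts[3])
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return parts[1], parts[2], port


def scada_probes_by_source(log_text):
    """Map each source IP to the set of SCADA protocol names it probed."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        src, _dst, port = rec
        if port in SCADA_PORTS:
            hits[src].add(SCADA_PORTS[port])
    return dict(hits)


def likely_scada_scanners(log_text, min_protocols=2):
    """Sources that probed at least min_protocols distinct SCADA services, sorted."""
    hits = scada_probes_by_source(log_text)
    return sorted(src for src, protos in hits.items() if len(protos) >= min_protocols)


if __name__ == "__main__":
    for src, protos in sorted(scada_probes_by_source(SAMPLE_LOG).items()):
        print(src, sorted(protos))
    print("likely SCADA scanners:", likely_scada_scanners(SAMPLE_LOG))
```

The source that only touched ports 80 and 443 is ignored entirely; a source hitting several distinct SCADA services is a stronger signal than repeated hits on one port, which is why the scanner list keys on the number of distinct protocols rather than the raw hit count.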

Stuxnet[ii] is the first publicly known malware to target an industrial control system. It targeted PCs running the Siemens Step7/WinCC software. On infected systems it replaced the DLL that Step7 uses to communicate with PLCs, then monitored traffic between Step7 and the connected Simatic S7 PLCs. When it found a PLC whose configuration matched a specific signature, it injected malicious code blocks into that PLC's program. The injected code drove the physical process outside its normal operating range while the PLC continued to report to operators that the system was functioning correctly.

In 2000, a former employee of a contracting company attacked the Maroochy Shire Council's sewage control system in Queensland, Australia. Pumps failed to start or stop when commanded and alarms failed to alert operators. The attack released approximately 264,000 gallons of raw sewage into local parks and rivers.[iii]

In 2003, the Davis-Besse nuclear plant in Oak Harbor, Ohio, was infected by the Slammer worm, which took a safety monitoring system offline for approximately five hours.[iv] The reactor was already shut down for maintenance at the time, which limited the consequences.

At Black Hat USA 2011, Dillon Beresford[v] presented reconnaissance, fingerprinting, replay, authentication bypass, and remote attacks against Siemens Simatic S7 PLCs. His work analyzes vulnerabilities in the S7 PLC and the PROFINET protocol and introduced the Metasploit auxiliary S7 PLC scanner module.

The Nano-10 PLC[vi] is a full-function programmable logic controller (PLC) manufactured by Triangle Research International, Inc. (Tri Inc.). It is a low-cost, feature-rich PLC that supports MODBUS TCP, MODBUS RTU, and MODBUS ASCII. It has 8K words of memory, expandable to 16K. The Nano-10 can also be configured as a MODBUS TCP gateway so that an operator can reach it over the Internet, which is exactly what makes a remotely triggered fault in it a concern. It is used in stepper motor control, chemical process control, home automation, and similar applications. According to Tri Inc., the distribution of the Nano-10 PLC[vii] is shown in the figure below (figure not reproduced in this text).

The ports and services exposed by the Nano-10 PLC are as follows:

Port        Service       Function
21/TCP      FTP           Firmware/file management
502/TCP     MODBUS TCP    Monitoring and control
9080/TCP    Server        PLC configuration

As a security researcher at Ixia, I have identified an improper input validation vulnerability (CVE-2013-5741)[viii] in the Tri Inc. Nano-10 PLC. The vulnerability is remotely exploitable, and all firmware versions prior to and including r81 are affected.

A remote attacker can send a single crafted packet to the Nano-10 PLC and cause a denial of service (DoS). The device enters an undefined, interrupted state in which it stops servicing requests, and it recovers only after a manual power cycle; for a controller driving a physical process, that is an outage of the process itself, not just of its network interface.
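The MODBUS TCP service on port 502 from the port table above is the device's monitoring and control interface, and the flaw described here is a failure to validate input. The advisory does not say which field the Nano-10 mishandles, so the following added example (written for this post; it is not Tri Inc.'s code and does not reproduce the bug) shows two things a practitioner needs around such a finding: how to build a well-formed Read Holding Registers request for probing a MODBUS/TCP endpoint, and what strict validation of an incoming request looks like when every length and count field is checked against the bytes actually received. The MBAP header layout and function code 3 limits come from the MODBUS/TCP specification; the sample frames are constructed.

```python
"""MODBUS/TCP request builder plus a strictly validated request parser.

Added example for this post, not code from Tri Inc. or the original
author, and not a reproduction of CVE-2013-5741 (the advisory does not
disclose the mishandled field). Header layout and FC3 limits are from
the MODBUS/TCP specification; the sample frames are constructed.
"""
import struct

MODBUS_PORT = 502
MBAP_LEN = 7              # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_ADU = 260             # spec limit: 7-byte MBAP + 253-byte PDU
READ_HOLDING_REGISTERS = 0x03
MAX_REGISTERS = 125       # spec limit for FC3: 250 data bytes per response


class ModbusFrameError(ValueError):
    """Raised for any frame a strict receiver should drop without acting on it."""


def build_read_holding_registers(tid, unit, start, count):
    """Build a well-formed FC3 request ADU, as a probe or scanner would send."""
    if not 1 <= count <= MAX_REGISTERS:
        raise ValueError("count out of range")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)
    # MBAP length counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def parse_request(frame):
    """Parse a MODBUS/TCP FC3 request, rejecting anything malformed.

    Returns dict(tid, unit, fc, start, count). Each length-related field
    is checked against the bytes actually present so that a crafted
    length or register count can never drive a read past the buffer.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ModbusFrameError("truncated: shorter than MBAP plus function code")
    if len(frame) > MAX_ADU:
        raise ModbusFrameError("oversized ADU (%d bytes)" % len(frame))
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ModbusFrameError("protocol id must be 0, got %d" % proto)
    # The header's length field must agree exactly with the bytes received;
    # trusting it instead of the real frame size is the classic mistake.
    if length != len(frame) - 6:
        raise ModbusFrameError("MBAP length %d disagrees with frame size %d" % (length, len(frame)))
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc != READ_HOLDING_REGISTERS:
        raise ModbusFrameError("unsupported function code 0x%02x" % fc)
    if len(pdu) != 5:
        raise ModbusFrameError("FC3 PDU must be exactly 5 bytes, got %d" % len(pdu))
    start, count = struct.unpack(">HH", pdu[1:5])
    if not 1 <= count <= MAX_REGISTERS:
        raise ModbusFrameError("register count %d out of range" % count)
    if start + count > 0x10000:
        raise ModbusFrameError("address range wraps past 0xFFFF")
    return {"tid": tid, "unit": unit, "fc": fc, "start": start, "count": count}


def triage(frames):
    """Run parse_request over a list of frames and return accept/drop verdicts."""
    verdicts = []
    for frame in frames:
        try:
            parse_request(frame)
            verdicts.append("accept")
        except ModbusFrameError as err:
            verdicts.append("drop: %s" % err)
    return verdicts


# Constructed sample frames (not from the advisory): one good, three malformed.
SAMPLE_FRAMES = [
    build_read_holding_registers(1, 1, 0, 10),            # well-formed
    b"\x00\x02\x00\x00\xff\xff\x01\x03\x00\x00\x00\x0a",  # MBAP length lies (0xFFFF)
    b"\x00\x03\x00\x00\x00\x06\x01\x03\x00\x00\x07\xd0",  # count 2000 > 125
    b"\x00\x04\x00\x00\x00\x06\x01",                      # truncated after unit id
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, triage(SAMPLE_FRAMES)):
        print(frame.hex(), "->", verdict)
```

Sending the well-formed request from build_read_holding_registers to port 502 and checking that the reply carries the same transaction id and function code is a safe way to confirm that a host really is a MODBUS/TCP endpoint; the three malformed frames are the kind of input a fuzzer feeds a device under test, and a receiver written like parse_request drops each of them before touching any register memory.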

This 0-day vulnerability and another DoS vulnerability, CVE-2013-2784[ix], also discovered in the Nano-10 PLC, have been integrated into the Ixia BreakingPoint ATI strike center.

Leverage the subscription service to stay ahead of attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.


References

[i] S. Santorelli, "Who is looking for your SCADA infrastructure?", Team Cymru briefing paper, March 2009 [Online]. Accessed June 30, 2010.

[ii] N. Falliere, L. O. Murchu, and E. Chien, "W32.Stuxnet Dossier," Symantec Tech. Rep., version 1.4, 2011.

[iii] J. Slay and M. Miller, "Lessons learned from the Maroochy water breach," in Critical Infrastructure Protection, ser. IFIP International Federation for Information Processing, E. Goetz and S. Shenoi, Eds. New York: Springer, 2007, vol. 253, pp. 73-82.

[iv] K. Poulsen, "Slammer worm crashed Ohio nuke plant network," SecurityFocus, Aug. 2003 [Online]. Available: http://www.securityfocus.com/news/6767

[v] D. Beresford, "Exploiting Siemens Simatic S7 PLCs," Black Hat USA, July 8, 2011.

[vi] Tri Inc., Nano-10 PLC product page. http://www.triplc.com/nano10.htm

[vii] ISSSource, "Nano-10 PLC denial of service." http://www.isssource.com/nano-10-plc-denial-of-service/

[viii] CVE-2013-5741. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5741

[ix] CVE-2013-2784. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2784
