Deadly Combo: Zero Day Application Vulnerability + OS Vulnerability = Attacker Win

The recent Siemens WinCC SCADA targeted malware packages a zero day application vulnerability with a zero day OS vulnerability. The OS vulnerability in Windows gives the malware worm capability to reach the target, and once on the target the application vulnerability allows compromise of the application’s data. The vulnerabilities are used in stages:

Stage 1: Use a Windows OS vulnerability for wormable spread. This is the zero day .LNK file attack.
Stage 2: If the malware lands on a computer running Siemens WinCC software, it uses an application vulnerability to access the database containing sensitive information and exfiltrates the data.

Stage 1 is an OS vulnerability. This affects everyone running Windows. Stage 2 is an application vulnerability. This affects only those running Siemens WinCC, which is what the attack targets. The Siemens software has a critical severity vulnerability that is also easy to exploit: a hard coded password. Once a hard coded password is discovered, it is trivial for the attacker to access systems using that password, in this case a database.

Hard coded passwords (CWE-798: Use of Hard-coded Credentials) are #11 on the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that Veracode contributed to. It is a very common problem and is found in a lot of software that has not undergone proper security testing before shipping to customers. Veracode commonly finds this vulnerability in the software we test for our customers.

This is what the CWE/SANS Top 25 Most Dangerous Software Errors has to say about hard coded passwords:

“Hard-coding a secret password or cryptographic key into your program is bad manners, even though it makes it extremely convenient – for skilled reverse engineers. While it might shrink your testing and support budgets, it can reduce the security of your customers to dust. If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it’s hard-coded, it’s usually a huge pain for sysadmins to fix. And you know how much they love inconvenience at 2 AM when their network’s being hacked – about as much as you’ll love responding to hordes of angry customers and reams of bad press if your little secret should get out. Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers won’t see it that way. Another way that hard-coded credentials arise is through unencrypted or obfuscated storage in a configuration file, registry key, or other location that is only intended to be accessible to an administrator. While this is much more polite than burying it in a binary program where it can’t be modified, it becomes a Bad Idea to expose this file to outsiders through lax permissions or other means.”

Siemens has put their customers at risk with this egregious vulnerability in their software. Worse, in my book, are all the customers who purchased the software without knowing of its risk. Software customers operating SCADA systems on critical infrastructure or in their factories with the WinCC software had a duty to their customers and shareholders not to purchase this software without proper security testing.

We should ask the question, “Why didn’t Siemens fix the hard coded password vulnerability when it was first publicly disclosed?” They waited 2+ years and started to fix it only after a worm exploited it. We should also ask the question, “Is it negligence when you don’t fix a critical known vulnerability and wait for your customers to get exploited?”

The way to solve the problem of vulnerable software in critical infrastructure is to have independent security tests for at least the vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors before the software is deployed. Otherwise, customers are just hoping that someone discovers that someone else’s systems are compromised, alerts the media, and a patch is deployed, all before their own systems are compromised. With the sophistication shown through this multi-stage USB attack, it is clear that hope is not a viable option.
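As an added example (not code from the original post, from Veracode or from Siemens), a small Python check of the kind the post argues software should pass before deployment: it flags credential literals in source text (the CWE-798 pattern) and shows a constructed vulnerable snippet beside its hardened form. The regex heuristic, the variable and environment names, and both sample snippets are assumptions made for the illustration.

```python
import os
import re

# Heuristic for assignments such as  password = "..."  or DB_PASS: '...'
# in source or config text (constructed for this example, not Veracode's analysis).
CRED_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"
HARDCODED = re.compile(
    rf"""(?ix)
    \b(?P<name>[A-Za-z_]*{CRED_NAME}[A-Za-z_]*)      # identifier naming a credential
    \s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{{3,}})(?P=quote)   # assigned a literal of 3+ chars
    """
)

def find_hardcoded_credentials(source: str):
    """Return (line_no, name, value) for every credential literal found."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comments; a real scanner would use the parser
        for m in HARDCODED.finditer(line):
            hits.append((no, m.group("name"), m.group("value")))
    return hits

# Constructed sample: a data-access module with the database password baked
# into the program, identical on every customer install (the CWE-798 case).
VULNERABLE = '''
DB_USER = "scada_app"
DB_PASSWORD = "changeme123"        # same on every customer install
def connect():
    return driver.connect(user=DB_USER, password=DB_PASSWORD)
'''

# Hardened form: the secret lives outside the code, per deployment, so the
# operator can rotate it without a rebuild or a vendor patch.
HARDENED = '''
import os
DB_USER = os.environ["SCADA_DB_USER"]
DB_PASSWORD = os.environ["SCADA_DB_PASSWORD"]   # supplied by the site's secret store
def connect():
    return driver.connect(user=DB_USER, password=DB_PASSWORD)
'''

def is_acceptable_secret(pw: str) -> bool:
    """Reject an unset secret or one still at a well-known default value."""
    return len(pw) >= 12 and pw.lower() not in {"changeme123", "password", "admin"}

def load_db_password(env=os.environ) -> str:
    """Hardened accessor: refuse to start rather than run with a default secret."""
    pw = env.get("SCADA_DB_PASSWORD", "")
    if not is_acceptable_secret(pw):
        raise RuntimeError("SCADA_DB_PASSWORD unset or still a default value")
    return pw
```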


links for 2010-07-22 (Jarrett House North) | July 22, 2010 10:01 pm

[...] Deadly combo: zero day application vulnerability + OS vulnerability = attacker win Just because your application is "behind the firewall" doesn't mean it's secure. (tags: security) [...]

Internet-guy | July 25, 2010 9:41 am

Hard coded credentials? Is that the “back-door” you hear about in the movies?

kme | July 25, 2010 10:08 am

As you point out, the hardcoded passwords in WinCC were first disclosed 2 years ago – so does that really count as a “zero day application vulnerability”? More like “unpatched 750+ day application vulnerability” ;)

dbmuse | July 25, 2010 9:13 pm

obviously done on purpose. a backdoor left for someone special to use someday. and someday is today.

poo gainess | July 26, 2010 4:50 am

Firewalls only protect what shouldn't be allowed through. If you allow access through the firewall, then it's like having a lock on the door, but leaving it unlocked.

Daniel Clemens | July 26, 2010 9:13 am

When will software assurance be an expected business norm for some of the larger software companies?
What has trusted computing achieved if anything in the last 10 years?

Sheesh,
-Daniel Clemens

Frank | August 2, 2010 9:28 am

My experience has been that such hardcoded back doors are often left in place for on-site support engineers to perform maintenance and/or recovery tasks the vendor may prefer not to advertise to the customer.

For example, a sloppy database app that leaves unreconciled or bad records lying around following a system failure of some kind.

The single largest problem I’ve observed writing enterprise software for 20 years is the difficulty and/or unwillingness of vendors to scale app testing to levels comparable to what the customer plans to use. I could write a book full of excuses.

Of course it’s a challenge but we’ve been at this game for long enough. Too many of the techies who grew up with a “can’t be done” mindset are now the managers perpetuating that view.

Chris Wysopal | August 2, 2010 5:08 pm

Hard coded password definitely falls into the vulnerability category of backdoor. Hard coded passwords are often put in with no malicious intent or sometimes just out of secure coding naivety. They are often conscious design decisions by the developer for ease of maintenance or support. But no matter what the intent is, once the hard coded password is known by attackers it is a trivial vulnerability to exploit. This is why hard coded passwords are so dangerous. Software should be tested for them before it is deployed.

-Chris

Doomed by default passwords - HackerMuslim.com | HackerMuslim.com | November 29, 2011 12:46 pm

[...] information acquisition) systems with hard-coded passwords. Legacy systems are mostly a culprit, but as a Stuxnet worm showed final year, even complicated SCADA systems are vulnerable. More recently, a hacker going by a hoop of prOF [...]
