Slashdot Mirror


Most Vulns Exploited By Stuxnet Worm Remain Unpatched

chicksdaddy writes with this excerpt from ThreatPost: "The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner. Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm, Threatpost reports."

27 of 44 comments

  1. Vulns? by Enderandrew · · Score: 4, Interesting

    When did vulns become a word?

    And is it really a new story that many companies don't patch immediately for every vulnerability out there?

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:Vulns? by ArhcAngel · · Score: 2, Insightful

      First 23,000 filesharing Does and now Vulns...WTF? Did /. hire someone from gizmodo or engadget?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    2. Re:Vulns? by Lunix+Nutcase · · Score: 2

      The first one is correct. It is 'Does' as in plural "John Doe".

    3. Re:Vulns? by ArhcAngel · · Score: 1

      John Does is correct. Does is lazy and incorrect.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    4. Re:Vulns? by chemicaldave · · Score: 2

      When did vulns become a word?

      Apparently, some years ago. Here's a vulnerability information site created in 2006.

      And is it really a new story that many companies don't patch immediately for every vulnerability out there?

      It is when we're talking about a high-profile vulnerability.

    5. Re:Vulns? by catmistake · · Score: 1

      Whatever. I've been running my Siemann's centrifuge at home for years without AV or patches... I go online every day, and my system is still tight. Only idiots get viruses.

    6. Re:Vulns? by bberens · · Score: 2

      The plural of doe is doe. The plural of Doe is Does. Capitalization matters.

      --
      Check out my lame java blog at www.javachopshop.com
    7. Re:Vulns? by dloose · · Score: 1

      When did vulns become a word?

      So happy this was the first reply. What an obnoxious headline.

    8. Re:Vulns? by Bacon+Bits · · Score: 1

      'John and Jane Does' is correct. 'John Does' is lazy and sexist.

      --
      The road to tyranny has always been paved with claims of necessity.
  2. Let's be hype and use stupid abbreviations. by pep939 · · Score: 2

    Vulns sounds much cooler than Vulnerabilities anyway. Lulz.

  3. Power plants by instagib · · Score: 1

    Let's just hope such devices are not used in nuclear power plants. BTW, are power plants connected to the Internet?

    1. Re:Power plants by Lunaritian · · Score: 1

      Wasn't the target of Stuxnet some nuclear power plant in Iran?

    2. Re:Power plants by 228e2 · · Score: 1

      Nah, they are on their own network, aka "air-gaped". They are compromised when idiots don't use proper cross domain solutions like usb drives, or even worse intermingle computers on restricted networks and the internet.

      --
      Since when does being a Socialist mean 'someone who has a different opinion than me'?
    3. Re:Power plants by idontgno · · Score: 1

      "air-gaped"

      <style voice="InigoMontoya">
      I do not think it means what you think it means.
      </style>

      Let's just say I'm not gonna google "gaped" at work. I'm just sayin'.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    4. Re:Power plants by grassy_knoll · · Score: 1

      According to this article, original versions of Stuxnet attempted to spread via USB and, while it did apparently spread, it didn't spread far enough to hit the targeted system. Seems like the "spread via infected laptop" is the most likely.

    5. Re:Power plants by sjames · · Score: 1

      Hope springs eternal!

  4. Not quite. Uranium enrichment plants. by mmell · · Score: 2

    A place which makes fuel for a nuclear power plant - in this instance, a nuclear power plant designed to release terawatts of power over the course of a few milliseconds.

  5. If you're firewalled the vuln is not a worry. by grink · · Score: 3, Informative

    In the electric utility industry if you are considered bulk power and have critical assets your firewalls must be configured with DENY (http://www.nerc.com/files/CIP-005-3.pdf) as the default rule and only allow defined connections. All the big players in the US and Canada have their control networks segmented off and they don't have access to the Internet.

    1. Re:If you're firewalled the vuln is not a worry. by biodata · · Score: 1

      It's one thing to set the defaults on the firewalls but another about who gets let inside? How many of these organisations employ overseas or offshore IT contractors with access inside the firewalls?

      --
      Korma: Good
    2. Re:If you're firewalled the vuln is not a worry. by chuckugly · · Score: 1

      From what I recall the Iranians were pwned via thumb drives ......

    3. Re:If you're firewalled the vuln is not a worry. by grassy_knoll · · Score: 2

      Firewall won't help you against an infected laptop connecting directly to a PLC.

      See this article or, even better, Ralph Langner's TED talk.

    4. Re:If you're firewalled the vuln is not a worry. by betterunixthanunix · · Score: 1

      Security should not be based on a single system like that. Your firewall may be compromised, an attacker may gain access to a system behind the firewall, etc. It is just bad practice to leave critical vulnerabilities unpatched.

      --
      Palm trees and 8
    5. Re:If you're firewalled the vuln is not a worry. by sjames · · Score: 1

      So, how many have deny by default and each port (udp and tcp) from 1-65532 individually permitted for any source address?

      How many have "no access to the internet" but wide open access to poorly protected machines that do have full internet access?

      Of course, Iran's downfall was the sneakernet connection between the red and black networks.
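
grink's point (a deny-by-default rule with only defined connections permitted) and sjames's reply (a "deny" default that sits under permits for nearly every port) describe the same ruleset from two sides. The following is an added example, not from the thread, NERC CIP-005 or any firewall vendor: a small auditor over constructed rules that evaluates what a source listed in no specific rule can reach under first-match semantics, and flags a final deny as cosmetic when almost every port is permitted above it. The `Rule` record, `first_match`, `audit` and both rulesets are my own constructions; 20000/tcp and 502/tcp are the registered DNP3 and Modbus/TCP ports.

```python
"""Audit a simplified firewall ruleset for deny-by-default that exists on paper only.

Added example for this thread, not from NERC CIP-005 or any vendor. Rules are
modelled as simple records; a real auditor would parse the firewall's own export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALL_PORTS = (1, 65535)


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source prefix, or "any"
    ports: Tuple[int, int]  # inclusive destination port range


def first_match(rules: List[Rule], proto: str, port: int) -> str:
    """First-match evaluation for a packet from a source that appears in no
    specific rule, so only rules with src == "any" can apply. No match means
    implicit deny, which is the usual firewall behaviour."""
    for r in rules:
        if r.src != "any" or r.proto not in (proto, "any"):
            continue
        lo, hi = r.ports
        if lo <= port <= hi:
            return r.action
    return "deny"


def audit(rules: List[Rule], threshold: float = 0.9) -> Dict[str, object]:
    """Report what an unlisted source can reach, and whether the 'deny'
    default is real or decorative."""
    reachable = {
        proto: sum(1 for p in range(ALL_PORTS[0], ALL_PORTS[1] + 1)
                   if first_match(rules, proto, p) == "permit")
        for proto in ("tcp", "udp")
    }
    last = rules[-1] if rules else None
    explicit_default_deny = (
        last is not None and last.action == "deny"
        and last.src == "any" and last.proto == "any" and last.ports == ALL_PORTS
    )
    total = ALL_PORTS[1] - ALL_PORTS[0] + 1
    return {
        "explicit_default_deny": explicit_default_deny,
        "tcp_open": reachable["tcp"],
        "udp_open": reachable["udp"],
        # A final deny rule is cosmetic when nearly every port is permitted above it.
        "effectively_open": any(n / total >= threshold for n in reachable.values()),
    }


# Constructed ruleset: the one sjames describes, deny-by-default in name only.
PAPER_DENY = [
    Rule("permit", "tcp", "any", (1, 65532)),
    Rule("permit", "udp", "any", (1, 65532)),
    Rule("deny", "any", "any", ALL_PORTS),
]

# Constructed ruleset: only named conversations from named hosts. 20000/tcp
# (DNP3) and 502/tcp (Modbus/TCP) are those protocols' registered ports.
NAMED_ONLY = [
    Rule("permit", "tcp", "10.0.1.0/24", (20000, 20000)),
    Rule("permit", "tcp", "10.0.1.0/24", (502, 502)),
    Rule("deny", "any", "any", ALL_PORTS),
]

if __name__ == "__main__":
    for name, rs in (("PAPER_DENY", PAPER_DENY), ("NAMED_ONLY", NAMED_ONLY)):
        print(name, audit(rs))
```

Both rulesets end in the same explicit deny, so a compliance checklist that only looks at the last rule passes both; only the reachability count separates the one that means it from the one that does not. The auditor deliberately ignores rules with specific source prefixes, because the question it answers is what an arbitrary, unlisted host (sjames's "any source address") can reach.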

  6. Blackhat by Anonymous Coward · · Score: 2, Interesting

    The blackhat presentation that supposedly will happen, though I believe the presentation will be killed at the last minute if not sooner, will shed light on a system that NO ONE at the top wants people to know about.

    These systems are EVERYWHERE. They are ALL broken.

    This isn't "chicken little", the DHS has already put an end to full disclosure of SCADA vulnerabilities and that only happens when they're REALLY scared.

    People deserve to know the truth about these systems. If they are attacked it's the direct responsibility of the people who implemented the systems which will turn out to be lowest bidder contracted help with little to no dedication to security.

    WE DESERVE EVERYTHING WE GET!

    1. Re:Blackhat by AB3A · · Score: 1

      Uh, no. DHS did not squelch anything. They made a request and NSS labs obliged.

      This is important: the issue here is not about the PLC, it is about the process it controls. Ultimately Siemens is the small fry here. The real problem is the utilities and other critical infrastructure that depend upon this stuff. They can't just throw a patch at it like you would do with a PC. They have to validate that patch and that means expensive downtime and careful planning. There are literally months when logistics prevent me from patching. Divulging this stuff to the public so soon runs the risk of attacks against infrastructure that could not be patched in time.

      The problem is that most people do not understand the reality of what PLC networks are like. If you're on the same network as a PLC, regardless of OEM, you own it. End of story.

      The network where PLC gear works is not an office network. It was never designed to be compatible with office networks. The fact that they use commonplace protocols such as Ethernet and IP does not mean they're suitable for office computing. These choices were made primarily because these technologies are cheap, not because we were encouraging interconnection with offices. There is no technology available that can secure a PLC on a network. It inherently trusts the remote I/O it may have. It has to trust the programs it receives. Very few people, even among OEM companies, understand this.

      Nobody has yet built a key server system designed to work at the latencies and diversity needed for industrial networking. It is not nearly as trivial as it may look. I say this as someone who is participating on the committee that is doing this very sort of thing. DNP (IEEE 1815) has a secure authentication addition to the protocol, compatible with IEC 62351-5. We are working very hard to make sure that this works in an environment where things can afford to take a little extra time if needed (in a SCADA system).

      So far nobody has managed to do this with a PLC environment.

      Thus, saying "if you send this or that to a PLC, you can break it" is silly. You don't even have to break the PLC, you can break the process it controls. That's far worse.

      Meanwhile, with Siemens acting as if the WinCC compromise doesn't exist, I have to wonder if they understand what I have just written. They've known of this situation for over three years and what have they done? I'm glad our company doesn't use WinCC, and it will be a long time before we seriously consider using their PLC gear.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
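
AB3A's post contrasts a PLC that "has to trust the programs it receives" with the challenge-response authentication that DNP3 (IEEE 1815) gained via IEC 62351-5. The following is an added example, not from the thread and not the IEEE 1815 message format: it shows the pattern in isolation. An outstation issues a fresh random challenge before a critical command, and applies the command only if the master's HMAC tag over challenge and command verifies under a shared session key; replayed, unchallenged and wrongly keyed attempts are refused. The `Outstation` class, `tag_for`, `run_scenarios`, the command string and the session key are my own constructions, and key distribution (the key server AB3A says nobody has yet built for PLC networks) is assumed solved out of band.

```python
"""Challenge-response authentication of a critical control command.

Added example for this thread; illustrates the pattern behind DNP3 Secure
Authentication (IEEE 1815 / IEC 62351-5), not its actual message format.
Key distribution is out of scope: the session key is assumed already shared.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed session key; a real one comes from the key-management layer.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def tag_for(session_key: bytes, challenge: bytes, command: bytes) -> bytes:
    """Master side: prove possession of the key over this challenge and command."""
    return hmac.new(session_key, challenge + command, hashlib.sha256).digest()


@dataclass
class Outstation:
    session_key: bytes
    pending: Optional[bytes] = None          # outstanding challenge, if any
    applied: List[bytes] = field(default_factory=list)

    def challenge(self) -> bytes:
        """Issue a fresh random challenge; one challenge answers one command."""
        self.pending = os.urandom(16)
        return self.pending

    def receive(self, command: bytes, tag: bytes) -> bool:
        """Apply the command only if the tag verifies under the pending challenge."""
        if self.pending is None:
            return False                     # nothing was challenged: replay or out of order
        expected = tag_for(self.session_key, self.pending, command)
        self.pending = None                  # the challenge is spent either way
        if not hmac.compare_digest(expected, tag):
            return False                     # wrong key or altered command
        self.applied.append(command)
        return True


def run_scenarios() -> dict:
    """Exercise the outstation against a constructed critical command."""
    command = b"OPERATE breaker_3 TRIP"      # constructed, not a real DNP3 object

    # 1. Legitimate master answers the outstation's challenge.
    ost = Outstation(SESSION_KEY)
    chal = ost.challenge()
    tag = tag_for(SESSION_KEY, chal, command)
    legit = ost.receive(command, tag)

    # 2. The same (command, tag) replayed with no challenge outstanding.
    unchallenged = ost.receive(command, tag)

    # 3. The same (command, tag) replayed after a new challenge: tag is stale.
    ost.challenge()
    replay = ost.receive(command, tag)

    # 4. A peer without the session key answers the challenge with its own key.
    chal2 = ost.challenge()
    forged = ost.receive(command, tag_for(b"\x00" * 32, chal2, command))

    return {
        "legit": legit,
        "unchallenged": unchallenged,
        "replay": replay,
        "forged": forged,
        "applied": len(ost.applied),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The whole of the protection rests on two things the code makes explicit: the challenge is random and single-use, so a captured tag never verifies twice, and the tag is keyed, so only a holder of the session key can produce it. That second property is why the key server problem AB3A describes is the hard part; the HMAC itself is the easy part.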
  7. And so it begins... by Anonymous Coward · · Score: 1

    What we're seeing here is the start of security considerations in these industries. This is as to facilities security as the "Green Card" email is to spam.

    There is as close to no security in most of these facilities as makes no difference. If I can get on your network (disgruntled employee, WiFi leakage, worm, Trojan, etc. etc.) I can trash your system with software I can buy for $25 on eBay or from any of the factory automation vendors, or build it from available specs.

    This is not a Siemens/Stuxnet problem, it's universal. All PLC vendors have a problem, all Windows SCADA/Factory Automation packages are vulnerable.

    It's such an easy attack vector it's laughable.

    The next step will be "security by obscurity", vendors locking down systems by not publishing information. Nothing will happen until there is a publicly visible attack, then we'll see a "Patriot Act" style response from the politicians, which will do nothing.

    1. Re:And so it begins... by mlts · · Score: 1

      I can see laws being passed, but definitely nothing that actually will force companies to zip their flies up.

      We will see laws mandating DRM, squashing anonymity, demanding websites have a license for any accounts, root/Administrator taken away from computer users, DRM stacks in all Internet connected hardware with core/edge NAC enforcing it, and so on. Basically, everything on the *AA laundry list of wants.

      So, the next SCADA attack will likely result in the Internet ending up like Compuserve for everyone but the true blackhats... and I'm sure the ISPs will be more than willing to tack on the old Compuserve fees for hours on as well.