By Dan Goodin in San Francisco
8th September 2008
Gasoline refineries, manufacturing plants and other critical facilities
that rely on computerized control systems just became more vulnerable to
tampering or sabotage with the release of attack code that exploits a
security flaw in a widely used piece of software.
The exploit code, published over the weekend as a module to the
Metasploit penetration testing tool kit, attacks a vulnerability that
resides in CitectSCADA, software used to manage industrial control
mechanisms known as SCADA, or Supervisory Control And Data Acquisition,
systems. In June, the manufacturer of the program, Australia-based
Citect, and Computer Emergency Response Teams (CERTs) in the US,
Argentina and Australia warned the flawed software could put companies
in the aerospace, manufacturing and petroleum industries at risk from
outsiders or disgruntled employees.
The exploit was created by Kevin Finisterre, the director of penetration
testing at security firm Netragard. He said he decided to release the
code following conflicting statements by Citect about the severity of
the flaw. As a result, he said, organizations that use CitectSCADA were
confused about whether they were truly vulnerable.
"In reality, I would be willing to wager a small fortune that most of
the folks that received the Citect advisory were not inspired to take
immediate action," Finisterre wrote in this paper published to the
Milw0rm website. "In general, no one should be more knowledgeable about
a software product than the vendor, so if the vendor pulls an Alfred E.
Newman and says 'What, me worry?' you can rest assured the userbase will
do the same."