Last Updated: 2008-09-08 23:45:34 UTC
by Raul Siles (Version: 5)
In June we talked about a SCADA buffer overflow vulnerability discovered by CORE that affected the CitectSCADA product. It could allow a remote unauthenticated attacker to cause a denial of service or to execute arbitrary code on vulnerable systems. The patch was available at that time, so if you have not patched or taken strong precautions and countermeasures yet, you have another reason to do so today!
This weekend, Kevin Finisterre published a working exploit in the form of a Metasploit (MSF) module that demonstrates how critical this vulnerability against the ODBC service is. The original CORE advisory details the vulnerability (CVE-2008-2639), the paper associated with the exploit summarizes the exploit and the related research, and the working exploit, publicly available for MSF, provides a command prompt with the privileges of the running Citect process. In fact, our DShield service shows a spike in activity in the wild against the vulnerable port (TCP/20222).
Time to act!!
UPDATE 1: Kevin notified us that a Snort signature to detect the CitectSCADA ODBC exploit has been released by Dale:
alert tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 (msg:"CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; sid:1111601; rev:1; priority:1;)
Others may come in the next days from common sources.
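To see exactly what the signature above fires on, here is a small re-implementation of its dsize and byte_test checks in Python, run over a handful of constructed segments. This is an added example, not Dale's rule or Citect's protocol code: the four-byte value is assumed to be the length header the ODBC service reads (the rule's byte_test suggests that, the advisory text here does not state it), the sample payloads are made up, and the flow:established,to_server condition is taken as already satisfied. One caveat it makes visible: Snort's byte_test reads the value big-endian by default, so a little-endian 400 is read as 0x90010000 and also trips the rule.

```python
import struct

# Constants lifted directly from the Snort rule on this page.
CITECT_ODBC_PORT = 20222
RULE_DSIZE = 4          # dsize:4  -> payload must be exactly 4 bytes
RULE_THRESHOLD = 399    # byte_test:4,>,399,0 -> 4-byte value at offset 0 must exceed 399


def snort_byte_test(payload: bytes, size: int, value: int, offset: int,
                    little_endian: bool = False) -> bool:
    """Minimal re-implementation of Snort's byte_test with the '>' operator.

    byte_test reads `size` bytes at `offset` and, by default, interprets them as
    a big-endian unsigned integer (Snort's 'little' modifier flips that).
    Returns False rather than raising when the payload is too short, which is
    how Snort behaves: the option simply fails to match.
    """
    if size not in (1, 2, 4) or offset + size > len(payload):
        return False
    fmt = ("<" if little_endian else ">") + {1: "B", 2: "H", 4: "I"}[size]
    (extracted,) = struct.unpack_from(fmt, payload, offset)
    return extracted > value


def citect_rule_matches(dst_port: int, payload: bytes) -> bool:
    """Apply the page's rule to one server-bound TCP segment.

    Checks the destination port, dsize:4 and byte_test:4,>,399,0. The
    flow:established,to_server condition is assumed to hold for the caller's
    segments (this hypothetical helper does not track TCP state).
    """
    if dst_port != CITECT_ODBC_PORT:
        return False
    if len(payload) != RULE_DSIZE:          # dsize:4 is an exact-size test
        return False
    return snort_byte_test(payload, 4, RULE_THRESHOLD, 0)


# Constructed sample segments (not captured traffic). The 4-byte value is
# assumed to be a length header; Snort reads it big-endian by default.
SAMPLE_SEGMENTS = {
    "length_400": struct.pack(">I", 400),            # first value the rule alerts on
    "length_399": struct.pack(">I", 399),            # boundary: not greater than 399
    "length_65535": struct.pack(">I", 65535),        # clearly oversized
    "five_bytes": struct.pack(">I", 400) + b"\x00",  # fails dsize:4 even though value > 399
    "little_endian_400": struct.pack("<I", 400),     # b'\x90\x01\x00\x00' read big-endian is 0x90010000
}


def evaluate_samples() -> dict:
    """Return {sample name: whether the rule would alert} for every sample."""
    return {name: citect_rule_matches(CITECT_ODBC_PORT, seg)
            for name, seg in SAMPLE_SEGMENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no match'}")
```

Note that the rule only sees the first segment of a session carrying exactly four bytes; a client that sends the length header and the following data in one segment would not match dsize:4, which is a limitation to keep in mind when tuning or extending it.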
UPDATE 2: Port TCP/20222 is now among the top ports in the DShield trends.
UPDATE 3: Thanks to fellow handler Joel, the signature above has been slightly modified to improve performance.