SNOsoft/Netragard’s Kevin Finisterre recently released an Exploit, not Attack Code, to demonstrate that a critical vulnerability does exist in Citect‘s CitectSCADA product. This code was released so that users of the product could accurately determine their own level of risk and exposure as well as determine the seriousness of the risk it creates as it relates to their infrastructure. This code was released after the vendor, Citect, had created a fix for the vulnerability and after people had been given sufficient time to implement the fix.
It is important to understand that the risk to Infrastructural businesses existed well before Kevin released his exploit code and well before Core Security released their advisory. The risk was born the moment the programming error in the CitectSCADA product happened. When Core Security identified the risk and notified the vendor they began the process of defending Infrastructural businesses against attack.
Citect responded very rapidly and appropriately to Core’s discovery and released a fix for the issue. Shortly thereafter, Kevin created a working Proof of Concept (“Exploit”) that enabled users of the CitectSCADA technology to test their own networks to see if in fact they were vulnerable to attack. In addition, Kevin worked with other security experts to help get an Intrusion Detection Signature developed that would detect any attempt at attacking a vulnerable system. That signature is available here.
In all reality Kevin’s exploit code was very unlikely the first version. Chances are very high that other hackers had already created an exploit to penetrate into the CitectSCADA computer systems. Kevin’s release of his version of an exploit for this vulnerability has a powerful negative impact on the value of the exploit to malicious hackers. When a malicious hacker attacks a network it is important that they are not detected. As such they tend to attack vulnerabilities that are unknown to the general public. Once a vulnerability is disclosed to the public it is detectable and it looses its appeal to malicious hackers very quickly.
Not only is the value of the exploit diminished by disclosure, but now the chances of the exploit working against a target are also diminished. This is because network and system administrators can test their own networks using Kevin’s tool and build defenses to defeat the attack even if they do not apply the Citect patch.
In closing, I would like to commend Citect for doing such a good job at dealing with this issue. Likewise I’d like to commend the researchers and the people that pushed so hard to get this issue the attention that it needed. This is the first major step in the right direction to protecting our Infrastructural businesses, and those businesses are the most critical to our survival. Also please remember, Citect’s vulnerability is not unique. All software is vulnerable at one point or another.
Here are the articles: