Saturday, July 24, 2010

Deadly combo: zero day application vulnerability + OS vulnerability = attacker wins!

Just a few comments on the Siemens WinCC SCADA targeted malware packages (zero day application vulnerability with a zero day OS vulnerability). The OS vulnerability in Windows creates a "worm" capability to get to the target and once on the target the application vulnerability allows compromise of the application’s data. The vulnerabilities are used in stages:

Stage 1: Use a Windows OS vulnerability for wormable spread. This is the zero day .LNK file attack.

Stage 2: If the malware lands on a computer running Siemens WinCC software, it uses an application vulnerability to access the database containing sensitive information and exfiltrates the data.

Stage 1 is an OS vulnerability. This affects everyone running Windows. Stage 2 is an application vulnerability. This affects only those running Siemens WinCC, which the attack is targeted at. The Siemens software has a critical severity vulnerability that is also easy to exploit: a hard coded password. Once hard coded passwords are discovered it's child's play for the attacker to access systems using that password, in this case a database. Hard coded passwords (CWE-798: Use of Hard-coded Credentials) are #11 on the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list. It's a very common problem and is found in a lot of software that has not undergone proper security testing before shipping to customers. This is what the CWE/SANS Top 25 Most Dangerous Software Errors has to say about hard coded passwords:
“Hard-coding a secret password or cryptographic key into your program is bad manners, even though it makes it extremely convenient – for skilled reverse engineers. While it might shrink your testing and support budgets, it can reduce the security of your customers to dust. If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it’s hard-coded, it’s usually a huge pain for sysadmins to fix. And you know how much they love inconvenience at 2 AM when their network’s being hacked – about as much as you’ll love responding to hordes of angry customers and reams of bad press if your little secret should get out. Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers won’t see it that way. Another way that hard-coded credentials arise is through unencrypted or obfuscated storage in a configuration file, registry key, or other location that is only intended to be accessible to an administrator. While this is much more polite than burying it in a binary program where it can’t be modified, it becomes a Bad Idea to expose this file to outsiders through lax permissions or other means.”
Siemens basically put their customers at risk with this vulnerability in their software. Well, I guess the obvious question is, “Why didn’t Siemens fix the hard coded password vulnerability when it was first publicly disclosed?” They waited 2+ years and started to fix it "only after" a worm exploited it. Is it negligence when you don’t fix a critical known vulnerability and wait for your customers to get exploited? Hmm!

The solution to the problem of vulnerable software in critical infrastructures is to have independent security tests for all the vulnerabilities listed in the CWE/SANS Top 25 before the software is deployed. Otherwise, your customers are just sitting around hoping that someone discovers that someone else’s systems are compromised, alerts the media, and a patch is deployed, before their own systems are compromised. With the sophistication shown in this latest multi-stage USB attack, it is clear that hope is not a viable option.
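To make the CWE-798 point concrete, and to show the kind of pre-ship check the paragraph above calls for, here is an added example (my own code, not Siemens' or anything from WinCC): a connection string built from a compiled-in password beside one that takes the credential from per-site configuration, plus a small source scanner that flags literal credentials. The password, the `wincc-db` host, the `APP_DB_PASSWORD` variable and the settings excerpt are all constructed for illustration.

```python
import re

# Constructed sample password used throughout; a stand-in, not any vendor's real credential.
_BUILT_IN_PASSWORD = "ChangeMe123!"

def vulnerable_connection_string() -> str:
    """CWE-798: the database password is compiled into the program, so every
    installation shares it and operators cannot rotate it without a new build."""
    return f"Server=wincc-db;Database=process;User Id=app;Password={_BUILT_IN_PASSWORD}"

def hardened_connection_string(env: dict) -> str:
    """Credential comes from per-site deployment configuration (here an
    environment-style mapping) and can be rotated; refuse to start without it
    rather than silently fall back to a built-in value."""
    password = env.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD not set; no built-in fallback")
    return f"Server=wincc-db;Database=process;User Id=app;Password={password}"

# Patterns a pre-ship review or CI job can run over source and config files:
# a credential-like name assigned a string literal, or a literal password
# embedded in a connection string. Variable references ({...}, $..., env
# lookups) are deliberately not flagged.
_CRED_PATTERNS = (
    re.compile(r"""(password|passwd|pwd|secret|api_key)\s*=\s*["'][^"']+["']""", re.I),
    re.compile(r"""(password|pwd)=[^;$"'{][^;"']*""", re.I),
)

def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, stripped_line) for each line holding a literal credential."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if any(pattern.search(line) for pattern in _CRED_PATTERNS):
            hits.append((number, line.strip()))
    return hits

# Constructed excerpt of an application's settings module, not real vendor code.
SAMPLE_SOURCE = """\
db_host = "wincc-db"
db_user = "app"
db_password = "ChangeMe123!"
conn = "Server=wincc-db;User Id=app;Password=ChangeMe123!"
api_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for number, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {number}: hard-coded credential: {line}")
```

The scanner is a cheap first filter for a code review, not a substitute for one; it will not catch a password that is assembled at runtime or stored obfuscated in a binary.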

3 comments:

Anonymous said...

good article on dissecting the Windows Zero-Day....

Ronin said...

whatever happened to this 0-day?

7h3 Ð4R|{ 0N3 said...

MS put out an emergency fix once they realised this was being exploited on a larger scale....Lnk (Shortcuts) was originally targeted for "industrial espionage" on SCADA systems, but started getting much more traction in the wild...
I think the fix is also in this upcoming "patch tuesday"