The recent malware targeting Siemens WinCC SCADA software packages a zero-day application vulnerability with a zero-day OS vulnerability. The OS vulnerability in Windows gives the malware worm capability to reach the target, and once on the target the application vulnerability allows compromise of the application's data. The vulnerabilities are used in stages:

Stage 1: Use a Windows OS vulnerability for wormable spread. This is the zero-day .LNK file attack.

Stage 2: If the malware lands on a computer running Siemens WinCC software, it uses an application vulnerability to access the database containing sensitive information and exfiltrates the data.

Stage 1 is an OS vulnerability. This affects everyone running Windows. Stage 2 is an application vulnerability. This affects only those running Siemens WinCC, which is what the attack targets. The Siemens software has a critical-severity vulnerability that is also easy to exploit: a hard-coded password. Once a hard-coded password is discovered, it is trivial for the attacker to access systems using that password, in this case a database.

Hard-coded password (also known as CWE-798: Use of Hard-coded Credentials) is #11 on the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that CA Veracode contributed to. It is a very common problem and is found in a lot of software that has not undergone proper security testing before shipping to customers. CA Veracode commonly finds this vulnerability in the software we test for our customers. This is what the CWE/SANS Top 25 Most Dangerous Software Errors has to say about hard-coded passwords:
“Hard-coding a secret password or cryptographic key into your program is bad manners, even though it makes it extremely convenient - for skilled reverse engineers. While it might shrink your testing and support budgets, it can reduce the security of your customers to dust. If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it's hard-coded, it's usually a huge pain for sysadmins to fix. And you know how much they love inconvenience at 2 AM when their network's being hacked - about as much as you'll love responding to hordes of angry customers and reams of bad press if your little secret should get out. Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers won't see it that way. Another way that hard-coded credentials arise is through unencrypted or obfuscated storage in a configuration file, registry key, or other location that is only intended to be accessible to an administrator. While this is much more polite than burying it in a binary program where it can't be modified, it becomes a Bad Idea to expose this file to outsiders through lax permissions or other means.”
Siemens has put their customers at risk with this egregious vulnerability in their software. Worse, in my book, however, are all the customers who purchased the software not knowing of its risk. Software customers that are operating SCADA systems on critical infrastructure or in their factories with the WinCC software had a duty to their customers and shareholders not to purchase this software without proper security testing. We should ask the question, "Why didn't Siemens fix the hard-coded password vulnerability when it was first publicly disclosed?" They waited 2+ years and started to fix it only after a worm exploited it. We should also ask the question, "Is it negligence when you don't fix a critical known vulnerability and wait for your customers to get exploited?" The way to solve the problem of vulnerable software in critical infrastructure is to have independent security tests for at least the vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors before the software is deployed. Otherwise, customers are just hoping that someone discovers that someone else's systems are compromised, alerts the media, and a patch is deployed, all before their own systems are compromised. With the sophistication shown through this multi-stage USB attack, it is clear that hope is not a viable option.
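As an added example (not code from the original post, from Siemens, or from CA Veracode), the following Python block shows both sides of the point made above: what a CWE-798 hard-coded credential looks like in source next to the hardened form that loads the credential from the operator's environment at runtime, and a small independent check, of the kind a pre-deployment security test performs, that flags string literals assigned to credential-named variables or keyword arguments. The sample sources, the variable names, the `WINCC_DB_PASSWORD` environment variable, and the placeholder password value are all constructed for this example and are not any product's real identifiers or credentials.

```python
"""CWE-798 (hard-coded credentials): a vulnerable sample, a hardened sample,
and a minimal static check that a release gate can run over source code.
All samples and names below are constructed for this example."""
import ast
import os
import re
from typing import List, Mapping, Tuple

# Identifier fragments that usually denote a secret (constructed list).
CREDENTIAL_NAMES = re.compile(r"(passw(or)?d|passwd|pwd|secret|api_?key|token)",
                              re.IGNORECASE)

# Constructed "before" sample: the database password is baked into the
# program, so every installation shares it and nobody but the vendor can
# change it. The value is a placeholder, not a real credential.
VULNERABLE_SAMPLE = '''
DB_USER = "scada_app"
DB_PASSWORD = "PLACEHOLDER-hardcoded-password"

def connect():
    return dict(user=DB_USER, password=DB_PASSWORD, host="localhost")
'''

# Constructed "after" sample: the credential is supplied by the operator at
# runtime (environment here; a secrets manager in production), so it is
# absent from source and binaries and can be rotated without a vendor patch.
HARDENED_SAMPLE = '''
import os

DB_USER = "scada_app"

def connect():
    password = os.environ["WINCC_DB_PASSWORD"]  # set by the operator, not shipped
    return dict(user=DB_USER, password=password, host="localhost")
'''


def _is_secret_literal(node: ast.AST) -> bool:
    """A non-empty string constant is a candidate hard-coded secret."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line, name) for each string literal assigned to a credential-
    looking variable or passed as a credential-looking keyword argument."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and CREDENTIAL_NAMES.search(target.id)
                        and _is_secret_literal(node.value)):
                    findings.append((node.lineno, target.id))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:  # kw.arg is None for **kwargs, skip those
                if kw.arg and CREDENTIAL_NAMES.search(kw.arg) and _is_secret_literal(kw.value):
                    findings.append((kw.value.lineno, kw.arg))
    return sorted(findings)


def release_gate_passes(source: str) -> bool:
    """Independent pre-deployment test: refuse to ship if CWE-798 is present."""
    return not find_hardcoded_credentials(source)


def load_db_password(environ: Mapping[str, str] = os.environ) -> str:
    """Hardened loader. Deliberately has no default value: a fallback literal
    would quietly reintroduce the hard-coded credential."""
    try:
        return environ["WINCC_DB_PASSWORD"]
    except KeyError:
        raise RuntimeError("WINCC_DB_PASSWORD is not set; refusing to start "
                           "rather than fall back to a built-in password") from None


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, find_hardcoded_credentials(sample), "gate passes:", release_gate_passes(sample))
```

The check is intentionally narrow (string literals only, name-based heuristics) so that it has no false positives on the hardened sample; a production scanner would also look at configuration files and compiled binaries, which the quoted CWE text identifies as the other common hiding places. The loader's refusal to start without the variable is the important design choice: a "default" password in the fallback path is the same flaw wearing a different hat.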