U.S. Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-11-173-01)

ClearSCADA Remote Authentication Bypass

Original release date: August 25, 2011 | Last revised: August 29, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

ICS-CERT originally released Advisory ICSA-11-173-01P “ClearSCADA Remote Authentication Bypass”, on the US-CERT Portal on June 22, 2011. This web page release was delayed to allow users sufficient time to download and install this update.

Independent security researcher Jeremy Brown has identified an authentication bypass vulnerability in the Control Microsystems ClearSCADA application. Control Microsystems has produced a new version that mitigates this vulnerability. ICS-CERT has tested the new version to validate that it is fixed.

Affected Products

The following ClearSCADA versions are affected:

  • ClearSCADA 2010 R1.0
  • ClearSCADA 2009
  • ClearSCADA 2007
  • ClearSCADA 2005

This Advisory applies to all versions of SCX (from Serck UK or Serck Aus) that are older than the following (these SCX versions contain ClearSCADA in the bundle):

  • SCX Version 67 R4.5
  • SCX Version 68 R3.9

Impact

Successful exploitation of this vulnerability allows an attacker access to diagnostic information without proper authentication.

Background

Control Microsystems, a Schneider Electric company, is a global supplier of SCADA hardware and software products.1 The company’s products are used in water and wastewater automation, natural gas and crude oil production and pipeline automation,2 and substation automation and power applications.

ClearSCADA is an integrated SCADA host platform that includes a polling engine, real-time database, historian, web server, alarm processor, and a reporting package. The client applications function as the human-machine interface.3  While ClearSCADA is optimized for use with Control Microsystems SCADAPack field devices, it has built-in drivers for most major third-party controllers.

Serck UK and Serck AUS sell a bundle called SCX that includes ClearSCADA.

Vulnerability Characterization

Vulnerability Overview

ClearSCADA provides a web interface for remote connections. When an exception occurs in the dbserver.exe file during the authentication process, ClearSCADA enters the “Safe Mode” of operation. This exposes its diagnostic functions to remote users without requiring a valid login.

Vulnerability Details

Exploitability

This vulnerability could allow a remote attacker to view sensitive information and possibly modify functions of the server running on the affected host.

Existence of Exploit

No publicly available exploits are known to exist for this vulnerability.

Difficulty

An attacker with intermediate level skills could develop code to exploit this vulnerability.

Mitigation

Control Microsystems has corrected this vulnerability in its regular maintenance release.

Control Microsystems recommends the following to all users of ClearSCADA:

  • Limit server and server network access to only trusted networks and users.
  • Disable logons on ClearSCADA non-secure ports. This setting can be found under System Configuration ->WebX in the server configuration window.
  • Install a WebX security certificate from a trusted authority.
  • Upgrade the ClearSCADA server to ClearSCADA 2010 R1.1 or newer. ClearSCADA 2009 and earlier will not be patched.

Contact the Regional Sales Manager or Control Microsystems representative for additional information. Users can also contact the factory directly at 1-888-267-2232.

ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?

The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top