Date: 23 September 2008
===========================================================================
AA-2008.0204 AUSCERT Advisory
[Win]
CitectSCADA FTP updates and advice
23 September 2008
---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: CitectSCADA versions prior to 7.1 (Q4 2008)
Publisher: Citect
Operating System: Windows
Impact: Denial of Service
Access: Remote/Unauthenticated
Member content until: Tuesday, October 21 2008
Original Bulletin:
http://knowledgebase.citect.com/SafetyandSecurity/article.aspx?id=1001
OVERVIEW:
Citect Corporation have released patch information and additional
advice [1] relating to the use of the FTP server in the CitectSCADA
product. The FTP server is an integral component for the Internet
Display Client (IDC) functionality.
IMPACT:
According to Citect's Knowledge Base Article [1], the FTP server
included in CitectSCADA "... may be open to a Denial of Service or
memory leak attack should an attacker supply invalid format
specifiers during login. This would cause the FTP server to fail and
render the IDC's unable to operate until the FTP server was brought
back up."
The article also highlights the risks associated with using
protocols (such as FTP) which do not offer encryption of
authentication credentials and/or the exchanged data.
MITIGATION:
According to the information released by Citect, the following
mitigation activities warrant consideration relating to these risks:
o Utilise CitectSCADA Web Client instead of IDC (Internet Display
  Clients, which require FTP). According to Citect [1], this
  requires activating a 3rd party web server (Apache or IIS).
  This document does not give any specific guidance on best
  practice for web server authentication and encryption.
o Encrypt FTP traffic (and other insecure communication) via a VPN
  or SSH tunnel and limit access to FTP via firewall rules.
o Upgrade to CitectSCADA 7.1 (Q4 2008), which fixes the memory leak.
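For sites that must keep the FTP server running until they can upgrade, the login behaviour described under IMPACT can be monitored for. The following is an added example, not part of the Citect or AusCERT material: it flags USER and PASS commands whose argument contains printf-style format specifiers. The log layout, sample lines and function name are assumptions, as the advisory does not describe the FTP server's log format.

```python
import re

# printf-style conversion specifier: %, optional flags, width, precision,
# length modifier, then a conversion character. The first alternative
# consumes "%%" (a literal percent sign) so it is never counted.
FORMAT_SPEC = re.compile(
    r"%%|(%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn])"
)

# FTP login commands as sent on the control channel (RFC 959).
LOGIN_CMD = re.compile(r"\b(USER|PASS)\s+(.*)$", re.IGNORECASE)


def suspicious_logins(lines):
    """Return (line_number, command, specifier_count) for each login
    command whose argument contains printf-style format specifiers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOGIN_CMD.search(line.rstrip("\r\n"))
        if not match:
            continue
        command, argument = match.group(1).upper(), match.group(2)
        # findall() yields "" for "%%" and the specifier text otherwise.
        count = sum(1 for spec in FORMAT_SPEC.findall(argument) if spec)
        if count:
            hits.append((number, command, count))
    return hits


# Constructed sample lines (assumed log layout, documentation IP addresses).
SAMPLE_LOG = [
    "2008-09-23 10:14:02 192.0.2.10 USER operator1",
    "2008-09-23 10:14:02 192.0.2.10 PASS ********",
    "2008-09-23 10:15:40 198.51.100.7 USER %s%s%s%s",
    "2008-09-23 10:15:41 198.51.100.7 USER 100%%uptime",
    "2008-09-23 10:16:05 198.51.100.7 PASS %08x%08x",
    "2008-09-23 10:17:11 192.0.2.10 LIST",
]

if __name__ == "__main__":
    for number, command, count in suspicious_logins(SAMPLE_LOG):
        print(f"line {number}: {command} argument has {count} format specifier(s)")
```

A legitimate password can contain a sequence such as "%s", so a hit is a prompt to review the source address and the surrounding session rather than proof of an attack.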
REFERENCES:
[1] Citect - IDC & FTP security recommendations
http://knowledgebase.citect.com/SafetyandSecurity/article.aspx?id=1001
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================