There are times when vulnerability research can turn adversarial.
Affected vendors can become defensive about white-hat researchers poking around their networks or software, especially when there aren't adequate internal processes in place to triage and respond to bug reports.
Researchers can then become frustrated over mitigation delays and publicly threaten to disclose details, while some affected vendors have been known to then respond by taking legal action or attempting to discredit the researcher.
Customers, meanwhile, remain exposed to hackers as the two sides duke it out and vulnerabilities aren't addressed in a timely manner.
Thankfully, security research has matured as a practice, vulnerability and patch management programs are standard inside enterprises, and those scenarios are increasingly few and far between. Claroty Team82's research partnership with AUVESY is one such success story.
Team82 last year disclosed critical vulnerabilities (spanning 17 different CVEs) in AUVESY's flagship version-control and automation backup product, versiondog. The flaws could have enabled an advanced attacker to remotely execute code of their choice and establish a fully working remote shell, allowing them to read or write files, execute database queries, and much more. AUVESY has patched all of the vulnerabilities as part of versiondog 8.1 and all later versions; ICS-CERT has also released an advisory with vulnerability and mitigation information.
Versiondog runs inside some of the largest industrial enterprises in the world to automatically store software versions, document them, and securely back up data that can be compared to current error-free versions in order to ensure plants run efficiently. Any disruption or manipulation of the information handled by the product could have devastating consequences to the safety and integrity of an industrial process.
Two-plus decades of software development inside enterprises has demonstrated that vulnerabilities are inevitable. A timely, coordinated response from an affected vendor indicates a level of responsibility to customers and the ICS domain to ensure that products are safe and reliable to use. Versiondog's level of diligence in its engagement with Claroty went beyond a one-time patching of a handful of vulnerabilities.
AUVESY management and engineers addressed the root cause by scanning the entire codebase and properly understanding the building blocks of the product, wiping out a whole class of vulnerabilities rather than performing a one-off patching and mitigation exercise.
AUVESY was also prompted by this disclosure to examine and improve its product and development lifecycles in order to keep future vulnerabilities to a minimum and ultimately improve its overall security posture.
The company, a leader in data management for automated production environments, has a team of internal security experts working on testing and improving its products. Beyond the effective safeguarding of their data, customers benefit from high plant availability and keep downtime to an absolute minimum. AUVESY also relies on the input and feedback of external researchers to ensure product security is maintained at the highest level: alongside its close strategic partnership with Claroty, a recognized security expert, it draws on feedback from partners and customers.
AUVESY has patched or provided mitigations for all of the vulnerabilities privately disclosed by Team82. The vulnerabilities were found in the versiondog OS Server API, Scheduler, and WebInstaller in versiondog version 8.0. All vulnerabilities were fixed as part of versiondog 8.1 (released in October 2020) and all later versions. Some of the versiondog components affected by the vulnerabilities discovered by Team82 include:
OS Server: versiondog's OS Server is a Windows service that processes versiondog API requests via a proprietary protocol. Team82 researchers discovered critical vulnerabilities in almost all mechanisms related to its message processing, including a lack of security checks, improper parameter sanitization, and unauthenticated remote interactions with a low-level Windows API.
Scheduler: This service enables the user to start and stop jobs. Team82 found a number of issues, including SQL injection vulnerabilities that allow an attacker to inject a query containing a malicious payload.
WebInstaller: The product's installer is a Golang web server executable that enables generation of an AUVESY image agent. Team82 found a resource consumption vulnerability that can be triggered by generating large numbers of installations; these are saved in a temp folder and can consume all free space on the disk, preventing check-in/check-out operations.
CWE-284 Improper Access Control (CVSS Score: 9.8): The server permits communication without any authentication procedure, allowing an attacker to initiate a session with the server without providing any form of authentication.
CWE-732 Incorrect Permission Assignment for Critical Resource (CVSS Score: 7.3): The database connection to the server is performed by calling a specific API, which could allow an unprivileged user to gain SYSDBA permissions.
CWE-321 Use of Hard-Coded Cryptographic Key (CVSS Score: 8.2): The affected product uses a hard-coded Blowfish key for encryption/decryption processes. The key can be easily extracted from binaries.
CWE-125 Out-of-Bounds Read (CVSS Score: 4.8): The affected product's proprietary protocol, CSC, allows for calling numerous function codes. In order to call those function codes, the user must supply parameters. There is no sanitization of the offset value, which allows the client to specify any offset and read out-of-bounds data.
CWE-416 Use-After-Free (CVSS Score: 8.1): A specific function code receives a raw pointer supplied by the user and deallocates this pointer. The user can therefore control which memory regions will be freed and cause a use-after-free condition.
CWE-787 Out-of-Bounds Write (CVSS Score: 6.5): Many API function codes receive raw pointers remotely from the user and trust these pointers as valid in-bounds memory regions. An attacker can manipulate API functions by writing arbitrary data into the resolved address of a raw pointer.
CWE-123 Write-What-Where Condition (CVSS Score: 9.8): Some API functions permit, by design, writing or copying data into a given buffer. Since the client controls these parameters, a local attacker could rewrite memory at any location of the affected product.
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer (CVSS Score: 8.0): The affected product's code base doesn't properly control arguments for specific functions, which could lead to a stack overflow.
CWE-434 Unrestricted Upload of File with Dangerous Type (CVSS Score: 9.1): Multiple API function codes permit writing data to any file, which may allow an attacker to modify existing files or create new files.
CWE-73 External Control of File Name or Path (CVSS Score: 9.8): Multiple API function codes permit reading and writing data to or from files and directories, which could lead to the manipulation and/or deletion of files.
CWE-15 External Control of System or Configuration Setting (CVSS Score: 9.1): Some API functions allow interaction with the registry, including reading values as well as modifying data.
CWE-20 Improper Input Validation (CVSS Score: 7.3): The affected product's OS Service does not verify any given parameter. A user can supply any type of parameter, and it will be passed to inner calls without any check of its type or value.
CWE-400 Uncontrolled Resource Consumption (CVSS Score: 7.3): The affected product does not properly control the allocation of resources. A user may be able to allocate unlimited memory buffers using API functions.
CWE-427 Uncontrolled Search Path Element (CVSS Score: 9.1): Many of the services used by the affected product do not specify full paths for the DLLs they load. An attacker can exploit the uncontrolled search path by implanting their own DLL near the affected product's binaries, thus hijacking the loaded DLL.
CWE-294 Authentication Bypass by Capture-Replay (CVSS Score: 8.1): The data from a network capture of the initial handshake phase can be used to authenticate at SYSDBA level. If a specific .exe is not restarted often, it is possible to access the needed handshake packets between admin/client connections. Using SYSDBA permissions, an attacker can change user passwords or delete the database.
CWE-89 SQL Injection (CVSS Score: 7.1): The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitization of the JOB ID supplied to the function. An attacker may send a malicious payload containing a specific string that causes another SQL expression to be executed.
CWE-400 Uncontrolled Resource Consumption (CVSS Score: 8.0): The WebInstaller is a Golang web server executable that enables the generation of an AUVESY image agent. Resource exhaustion can be achieved by generating large numbers of installations, which are then saved without limitation in the temp folder of the WebInstaller executable.
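The out-of-bounds read and write entries above share one root cause: an offset or pointer taken from the client and used as-is. The following is an added illustration of that pattern and its fix, not AUVESY's code; the request layout, field names and 64-byte reply buffer are constructed for the example and are not the real CSC protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical request layout (constructed for this example): the client
 * names a function code plus the offset and length of the window it wants
 * copied out of the server's reply buffer. */
struct csc_request {
    uint16_t func_code;
    uint32_t offset;
    uint32_t len;
};

#define REPLY_SIZE 64

/* The vulnerable pattern: the client-supplied offset and length are trusted,
 * so a window past REPLY_SIZE reads (or, in the write variant, writes)
 * memory the client was never meant to touch. Kept here only for contrast;
 * it must never run on untrusted input. */
size_t read_field_unchecked(const uint8_t *reply, const struct csc_request *req,
                            uint8_t *out)
{
    memcpy(out, reply + req->offset, req->len);   /* no bounds check at all */
    return req->len;
}

/* The hardened form: accept the request only if the whole window lies
 * inside the reply buffer and fits the caller's output buffer. The sum is
 * computed in 64 bits so a huge offset cannot wrap around the check. */
int read_field_checked(const uint8_t *reply, size_t reply_size,
                       const struct csc_request *req,
                       uint8_t *out, size_t out_size)
{
    uint64_t end = (uint64_t)req->offset + (uint64_t)req->len;
    if (req->len == 0 || end > reply_size || req->len > out_size)
        return -1;                                /* reject; memory untouched */
    memcpy(out, reply + req->offset, req->len);
    return (int)req->len;
}

/* Helper that exercises the hardened check against a constructed 64-byte
 * reply and a 16-byte output buffer; returns bytes copied or -1 on reject. */
int try_request(uint32_t offset, uint32_t len)
{
    uint8_t reply[REPLY_SIZE];
    uint8_t out[16];
    struct csc_request req = { 0x0001, offset, len };
    memset(reply, 0xAA, sizeof reply);
    return read_field_checked(reply, sizeof reply, &req, out, sizeof out);
}
```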
Team82's research partnership with AUVESY is an illustration of how coordinated disclosures between researchers and affected vendors can result in positive change. Not only did AUVESY promptly address numerous critical vulnerabilities in its flagship versiondog product, but it also was prompted to evaluate the security culture inside its organization.
Rather than merely pushing out important patches to its customers, the company took the opportunity to examine its product and secure development practices, look for the root causes of these and other security issues, and instill a new attitude and approach internally that puts security first.
This is a true success story we wanted to share. As the results of our Biannual ICS Risk & Vulnerability Report for 1H 2021 show, more eyes are looking for vulnerabilities in industrial control systems, SCADA equipment, and operational technology networks. In the first half of 2021 alone, 637 vulnerabilities were disclosed and patched, many of them in products sold by leading vendors in the ICS domain. Also, 42 new researchers disclosed vulnerabilities to affected vendors for the first time.
Those numbers are sure to continue to grow, and organizations must look at their vulnerability management programs, implement processes to accept, triage, and respond to bug reports, and assert themselves as responsible members of the ICS domain that put security first.
This report also appears on AUVESY's website.