Researcher discloses zero-day flaws in SCADA systems

Flaws disclosed in product from Rockwell, 5 alternative vendors

An Italian security researcher in the week disclosed details of many zero-day vulnerabilities he discovered in Supervisory management and information Acquisition (SCADA) product from multiple vendors, a disclosure that is seemingly to strengthen issues regarding crucial infrastructure weaknesses.

This is the second such disclosure by researcher Luigi Auriemma this year. In March, he disclosed similar vulnerabilities in SCADA product from Siemens, Iconics, 7-Technologies and Datac. His disclosure prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning regarding the vulnerabilities.

The most recent flaws discovered by Auriemma have an effect on SCADA product from six vendors, together with Rockwell Automation, Cogent Datahub, Measuresoft and Progea. many of the failings may enable remote execution attacks and denial-of-service attacks against the vulnerable systems.

In emailed comments, Auriemma said that nearly all of the vulnerabilities he discovered are remote code execution flaws that enable attackers to run code of their selection on the vulnerable systems. just one of the failings may be a denial-of-service vulnerability. It's still unclear whether or not the flaw in Rockwell's product may enable code execution, Auriemma said.