Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. The special purpose-built systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins were released for Nessus (covering devices from Movicon, 7-Technologies, and more).

Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.

Below is a sample of some of the new SCADA plugins:

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. 

Nessus has many checks that identify the presence of pcAnywhere, the type of network access supported by it, and some vulnerabilties in the application. A current list is shown below for reference:

• 10006   Symantec pcAnywhere Status Service Detection (UDP)
• 10794   Symantec pcAnywhere Detection (TCP)               
• 10798   Symantec pcAnywhere Service Unrestricted Access       
• 20743   Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
• 32133   Symantec pcAnywhere Access Server Detection Service
• 35976   Symantec pcAnywhere CHF File Pathname Format String Denial of Service
• 57795   Symantec pcAnywhere Installed (local check)
• 57796   Symantec pcAnywhere Multiple Vulnerabilitities (SYM12-002)

In addition, running a credentialed scan with Nessus plugin 20811 provides the ability to detect installed software on Windows computers, which can be useful to find instances of pcAnywhere that may be installed, but not actively running. Note that strings and versions vary from release to release. An example string as reported by a recent Nessus scan is “Symantec pcAnywhere [version 11.5.0]”.

Network traffic can also be monitored with the Passive Vulnerability Scanner to identify instances of pcAnywhere on the network. A current list of passive plugins to detect pcAnywhere is shown below. 

• 03306 Symantec pcAnywhere Detection
• 06087 Symantec pcAnywhere Detected

Finally, Tenable’s Log Correlation Engine, will normalize logs from the PVS for observed pcAnywhere sessions in real-time with an event name of “PVS-PCAnywhere_Detected”. These sessions are automatically detected and analyzed for anomalies and connections from known botnets.

External Nessus scans can be performed to determine if your network has any Internet facing instances of pcAnywhere. The Nessus PerimeterService is ideal for this type of scanning as it can scan an unlimited number of Internet-facing IP addresses very rapidly. Users of the Passive Vulnerability Scanner have automatic detection of any Internet-facing service, including pcAnywhere.

An in-depth Nessus Discussions Forum post details how SecurityCenter, Passive Vulnerabiltiy Scanner and Log Correlation Engine users can track pcAnywhere vulnerabilities and usage in realtime.  

The video below is part 6 in our series of the top ten things you didn't know about Nessus and covers information related to IPv6 scanning using Nessus:

Further Reading:

Nessus - IPv6 Scanning

Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:

Below are a few more examples of how Nessus can detect malware:

1. Nessus Network Checks

Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:

Welcome to the Tenable Network Security Podcast Episode 110

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO
• Jack Daniel, Product Manager

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• PVS 3.6.0 for Linux now Available - Added the "Strip VLAN tags" setting to ignore the VLAN header, Nessus V2 report output format support, Deprecated the "failure-threshold" configuration setting, Improved stability when parsing PASL scripts, New license format (Requires a new license)

New & Notable plugins

Welcome to the Tenable Network Security Podcast Episode 109

Hosts

• Paul Asadoorian, Product Evangelist
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable website for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released Nessus plugin 57462 to detect that nasty FreeBSD TELNET bug we touched on last week.
• PVS plugin released to detect Google Chrome < 16.0.912.75 Multiple Vulnerabilities
• Nessus plugin 57558 detects unsupported MySQL and feeds right into this dashboard.

Welcome to the Tenable Network Security Podcast Episode 108

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher
• Ron Gula, CEO/CTO

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released Nessus plugin 57462 to detect that nasty FreeBSD TELNET bug we touched on last week.
• Nessus plugin 57461 was recently added to scan for Apple iOS Lockdown services
• PVS can now detect systems reaching out to .xxx domains, enhanced OS identification.

The first round of security bulletins from Microsoft this year raises some interesting questions about the vulnerabilities being patched. I found the following three advisories particularly interesting:

From MS12-002:

The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

MS12-002 is ranked by Microsoft as important. Sure, it does require that the user browse file systems, however users can be baited, or even forced, to browse to a network share. Social engineering attacks can lure victims to specific sites, and SMB share paths can be embedded inside web pages and URLS, forcing the user to browse to a share or even a specific file.

Welcome to the Tenable Network Security Podcast Episode 107

Hosts

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. We recently added a 38-minute tutorial of Nessus, covering most of the basic features.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!

• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• Tenable has released plugins to discover VMware Vsphere servers, check installed patches, and enumerate active and inactive virtual machines.
• PVS plugin 6125 will now passively discover the version information of Windows systems

Stories