security advisory

[ICS] Schneider Electric Wonderware InduSoft Web Studio Privilege Escalation

Schneider Electric Wonderware InduSoft Web Studio – Privilege Escalation

Vendor: Schneider Electric
Equipment: Wonderware InduSoft Web Studio
Vulnerability: Incorrect Default Permissions

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02

Read on for details.


[ICS] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-01

BLF-Tech LLC VisualView HMI Insecure Library Loading Allows Code Execution

Vendor: BLF-Tech LLC
Equipment: VisualView HMI Software
Vulnerability: Uncontrolled Search Path Element


[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01

Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System Software [IGSS]
Vulnerability: Uncontrolled Search Path Element

Read on for details.


[ICS] Sierra Wireless Raven XE & XT ICS-CERT advisory published

Back in 2016, I released a report on multiple vulnerabilities in Sierra Wireless Raven XE & XT appliances:
https://ipositivesecurity.com/2016/06/25/ics-sierra-wireless-airlink-raven-xe-industrial-3g-gateway-multiple-vulnerabilities/

In response to it, ICS-CERT had posted an alert here:
https://ipositivesecurity.com/2016/07/01/ics-ics-alert-16-182-01-published-sierra-wireless-raven-xe-xt-vulnerabilities/

After almost a year, Sierra Wireless has resolved this report now, and a formal ICS-CERT advisory has been published:
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02

CVE-IDs
CVE-2017-6042
CVE-2017-6044
CVE-2017-6046

Read on for more details.


[ICS] Satel SenNet ICS-CERT advisory released

Recently, I had posted about multiple security vulnerabilities in SenNet Data Logger appliances and Electricity Meters – https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/

ICS-CERT finally released the advisory on May 11, 2017:
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02

Read on for more details.


Rapid7 AppSpider vulnerabilities

Recently, I checked out Rapid7’s AppSpider Web Application Testing software. It is a Windows-based application, and the demo version is available for anyone to play with.

I found 2 vulnerabilities in AppSpider – DLL Pre-loading & Buffer overflow – which I then reported privately to R7 team. The folks at Rapid7 confirmed my reports and released the CVE-ID# & fixed versions shortly after.

Here’s the writeup from Rapid7 Release Announcement:

* Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves CVE-2017-5236
* Resolved buffer overflow crash in the AppSpider command line tool for inputs. Resolves CVE-2017-5240

Read on for more details.


[ICS] Cambium SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

AFFECTED PRODUCTS

Cambium ePMP 1000
Cambium ePMP 2000
Cambium PMP XXX
Cambium ForceXXX models
Potentially all other models

IMPACT

These vulnerabilities may allow an attacker to access device configuration as well as make unauthorized changes to the device configuration.

Read on for the details.


[ICS] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

VULNERABILITY DETAILS

1. No access control on the remote shell
2. Shell services running with excessive privileges (superuser)
3. OS Command Injection
4. Insecure Transport

Read on for details and PoC.