March 2017

All articles written on this date are listed below.
29 Mar 2017

3 New Metasploit Modules for Cambium ePMP Landed

Back in 2015, I reported multiple vulnerabilities in Cambium ePMP 1000 appliances. I finally submitted Metasploit modules for testing ePMP devices, and three (3) new Metasploit modules for Cambium ePMP devices have now landed:

  1. Cambium ePMP 1000 Login Scanner
  2. Cambium ePMP 1000 Password Hash Extractor
  3. Cambium ePMP 1000 Dump Device Config


Read on for details.


25 Mar 2017

[ICS] Sielco Sistemi Winlog SCADA Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-038-01

Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code Execution
Vendor: Sielco Sistemi
Equipment: Winlog SCADA Software
Vulnerability: Uncontrolled Search Path Element

CVE-ID
CVE-2017-5161

Read on for details and PoC.


25 Mar 2017

[ICS] LAquis SCADA Path Traversal Vulnerability

ICS-CERT published a new advisory on one of my reports recently –
https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01

LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA Access Control Vulnerability
Vendor: LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
Equipment: LAquis SCADA
Vulnerability: Path Traversal

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01

CVE-ID
CVE-2017-6020

Read on for details.


20 Mar 2017

[ICS] LAquis SCADA Advisory Access Control Vulnerability

ICS-CERT published an advisory on one of my reports recently -
https://ics-cert.us-cert.gov/advisories/ICSA-17-075-01

CVE-ID
CVE-2017-6016

Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
Equipment: LAquis SCADA
Vulnerability: Improper Access Control

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-075-01

AFFECTED PRODUCTS

The following versions of LAquis SCADA, an industrial automation software, are affected:
LAquis SCADA software, Versions 4.1 and prior versions released before January 20, 2017.

Read on for details and PoC.
