[ICS] Sierra Wireless Raven XE & XT ICS-CERT advisory published

Back in 2016, I released a report on multiple vulnerabilities in Sierra Wireless Raven XE & XT appliances:

https://ipositivesecurity.com/2016/06/25/ics-sierra-wireless-airlink-raven-xe-industrial-3g-gateway-multiple-vulnerabilities/

In response to it, ICS-CERT had posted an alert here:
https://ipositivesecurity.com/2016/07/01/ics-ics-alert-16-182-01-published-sierra-wireless-raven-xe-xt-vulnerabilities/

After almost an year, Sierra Wireless has resolved this report now, and a formal ICS-CERT advisory has been published:
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02

CVE-IDs
CVE-2017-6042
CVE-2017-6044
CVE-2017-6046

Read on for more details.

read more

[ICS] Satel SenNet ICS-CERT advisory released

Recently, I had posted about multiple security vulnerabilities in SenNet Data Logger appliances and Electricity Meters -
https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/

ICS-CERT finally released the advisory on May 11, 2017:
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02

Read on for more details.

read more

Rapid7 AppSpider vulnerabilities

Recently, I checked out Rapid7's AppSpider Web Application Testing software. It is a Windows based application, and the demo version is available for anyone to play with.

I found 2 vulnerabilities in AppSpider - DLL Pre-loading & Buffer overflow - which I then reported privately to R7 team. The folks at Rapid7 confirmed my reports and released the CVE-ID# & fixed versions shortly after.

Here's the writeup from Rapid7 Release Announcement:

  1. Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves - CVE-2017-5236
  2. Resolved buffer over flow crash in the AppSpider command line tool for inputs. Resolves - CVE-2017-5240

Read on for more details.

read more

[ICS] Cambium ePMP SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

Late last year, in 2016, I decided to take a look at SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and corresponding device operations, the security issues stood out glaringly. The vendor, to the most part, attributed these (read: pass the ball) to SNMP v1/2c, which is inherently insecure; and IMO, still haven't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices, and gather sensitive information.

AFFECTED PRODUCTS

  1. Cambium ePMP 1000
  2. Cambium ePMP 2000
  3. Cambium PMP XXX
  4. Cambium ForceXXX models
  5. Potentially all other models


IMPACT
These vulnerabilities may can allow an attacker to access device configuration as well as make unauthorized changes to the device configuration.

Read on for details & poc.

read more

[ICS] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

About
SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).
http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

VULNERABILITY DETAILS
1. No access control on the remote shell
2. Shell services running with excessive privileges (superuser)
3. OS Command Injection
4. Insecure Transport

Read on for poc.

read more

Cambium ePMP Arbitrary Command Execution – Metasploit module landed

One more new Metasploit exploit module for Cambium ePMP devices is now available. This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000 (<v2.5) device management portal. It requires any one of the following login credentials – admin/admin, installer/installer, home/home – to execute arbitrary system commands.

+++++

Cheers~

read more

3 New Metasploit Modules for Cambium ePMP Landed

Back in 2015, I had reported multiple vulnerabilities in Cambium ePMP 1000 appliances. I finally submitted Metasploit modules for testing ePMP devices and three (3) new Metasploit modules for Cambium ePMP devices have now landed:

  1. Cambium ePMP 1000 Login Scanner
  2. Cambium ePMP 1000 Password Hash Extractor
  3. Cambium ePMP 1000 Dump Device Config


Read on for details.

read more