ics_scada

28 Jun 2017

[ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Pro-Face WinGP - Runtime.exe – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

AFFECTED PRODUCTS
Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX -> current version

IMPACT
Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges. Read on for details.


15 Jun 2017

[ICS] Digital Canal Structural Wind Analysis Stack Buffer Overflow

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02

Vendor: Digital Canal Structural
Equipment: Wind Analysis
Vulnerability: Stack-Based Buffer Overflow

AFFECTED PRODUCTS
The following versions of Wind Analysis, a structural engineering software platform, are affected:
Wind Analysis versions 9.1 and prior.

IMPACT
Successful exploitation of this vulnerability could cause the device that the attacker is accessing to become unavailable, resulting in a denial of service. Read on for details.


15 Jun 2017

[ICS] Trihedral VTScada Multiple Vulnerabilities

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01

Vendor: Trihedral
Equipment: VTScada
Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure

AFFECTED PRODUCTS
The following versions of VTScada, an HMI SCADA software, are affected:
VTScada versions prior to 11.2.26

Read on for details.


18 May 2017

[ICS] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-01

BLF-Tech LLC VisualView HMI Insecure Library Loading Allows Code Execution

Vendor: BLF-Tech LLC
Equipment: VisualView HMI Software
Vulnerability: Uncontrolled Search Path Element

Read on for details.


18 May 2017

[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01

Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System Software [IGSS]
Vulnerability: Uncontrolled Search Path Element

Read on for details.


16 May 2017

[ICS] Sierra Wireless Raven XE & XT ICS-CERT advisory published

Back in 2016, I released a report on multiple vulnerabilities in Sierra Wireless Raven XE & XT appliances:

https://ipositivesecurity.com/2016/06/25/ics-sierra-wireless-airlink-raven-xe-industrial-3g-gateway-multiple-vulnerabilities/

In response to it, ICS-CERT had posted an alert here:
https://ipositivesecurity.com/2016/07/01/ics-ics-alert-16-182-01-published-sierra-wireless-raven-xe-xt-vulnerabilities/

After almost a year, Sierra Wireless has now resolved this report, and a formal ICS-CERT advisory has been published:
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02

CVE-IDs
CVE-2017-6042
CVE-2017-6044
CVE-2017-6046

Read on for more details.


16 May 2017

[ICS] Satel SenNet ICS-CERT advisory released

Recently, I posted about multiple security vulnerabilities in SenNet Data Logger appliances and Electricity Meters -
https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/

ICS-CERT finally released the advisory on May 11, 2017:
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02

Read on for more details.


07 Apr 2017

[ICS] Cambium ePMP SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

Late last year, in 2016, I decided to take a look at the SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and the corresponding device operations, the security issues stood out glaringly. The vendor, for the most part, attributed these (read: passed the ball) to SNMP v1/2c, which is inherently insecure, and IMO still hasn't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices and gather sensitive information.

AFFECTED PRODUCTS

  1. Cambium ePMP 1000
  2. Cambium ePMP 2000
  3. Cambium PMP XXX
  4. Cambium ForceXXX models
  5. Potentially all other models


IMPACT
These vulnerabilities may allow an attacker to access the device configuration as well as make unauthorized changes to it.

Read on for details & poc.


07 Apr 2017

[ICS] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

About
SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).
http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

VULNERABILITY DETAILS
1. No access control on the remote shell
2. Shell services running with excessive privileges (superuser)
3. OS Command Injection
4. Insecure Transport

Read on for poc.
