Public Knowledge Updates
February 11th, 2013
Vulnerability Mitigation Details available for Schneider Electric Accutech Manager and Ecava IntegraXor
ICS-CERT has published mitigation details for the
vulnerabilities found in the Schneider Electric Accutech Manager
and Ecava IntegraXor applications.
Source
http://ics-cert.us-cert.gov/pdf/ICSA-13-036-02.pdf
http://ics-cert.us-cert.gov/pdf/ICSA-13-043-01.pdf
January 28th, 2013
Buffer Overflow vulnerability in multiple Beijer Electronics Products
ICS-CERT has issued an advisory about a buffer overflow
vulnerability in Beijer Electronics' ADP and H-designer
products.
This vulnerability could allow an attacker to execute arbitrary
code and gain unauthorized access.
Source
http://ics-cert.us-cert.gov/pdf/ICSA-13-024-01.pdf
http://www.beijerelectronics.com
Multiple vulnerabilities in multiple Schneider Electric Products
A remote code execution, a denial-of-service, a loss-of-integrity and
an unauthorized-access vulnerability have been found in multiple
Schneider products according to ICS-CERT.
The vendor has been notified.
Source
http://ics-cert.us-cert.gov/pdf/ICS-ALERT-13-016-01.pdf
http://ics-cert.us-cert.gov/pdf/ICSA-13-018-01.pdf
http://www.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page
Siemens SIMATIC RF Manager Vulnerability Advisory
ICS-CERT has released an advisory about a buffer overflow
vulnerability in Siemens' SIMATIC RF Manager 2008 and Basic V3.0
or lower. An attacker could remotely exploit the vulnerability.
A patch has been made available by the vendor.
Source
http://ics-cert.us-cert.gov/pdf/ICSA-13-014-01.pdf
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-099741.pdf
January 13, 2013
Advantech WebAccess Vulnerability Alert
An alert was released by ICS-CERT which states that it is
aware of a public report of a cross-site scripting
vulnerability in Advantech WebAccess, a supervisory control
and data acquisition/human-machine interface product. This could allow
a remote authenticated attacker to execute arbitrary code
in a user's browser session.
Source
http://www.us-cert.gov/control_systems/pdf/ICS-Alert-13-009-01.pdf
Vulnerabilities in Carlo Gavazzi EOS-Box Photovoltaic Monitoring System
ICS-CERT has released an advisory about two vulnerabilities
in the Carlo Gavazzi EOS-Box firmware. The vulnerabilities can
be exploited remotely and the vendor has released a patch for
firmware versions prior to 1.0.0.1080_2.1.10.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-354-02.pdf
December 03, 2012
Vulnerability in Post Oak's AWAM Bluetooth Reader Traffic System
According to ICS-CERT, a group of independent researchers has
identified a vulnerability in the authentication key
generation of Post Oak's AWAM Bluetooth Reader Traffic System.
The vulnerability allows an attacker to obtain the credentials of admin users
and to perform a man-in-the-middle attack. A patch has been
made available.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-335-01.pdf
http://www.postoaktraffic.com/
November 19, 2012
Vulnerability in the ABB AC500 PLC
ICS-CERT has released an advisory about a buffer overflow
vulnerability in the ABB AC500 PLC which could allow a remote
attacker to perform a Denial of Service (DoS) attack.
Exploits are known to be available in the public and the
vendor has made a patch available. The vulnerability is
related to the 3S Smart Software Solutions CoDeSys
Vulnerabilities (ICSA-12-006-01).
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-320-01.pdf
http://www.abb.com/plc
http://www.us-cert.gov/control_systems/pdf/ICSA-12-006-01.pdf
November 05, 2012
Buffer Overflow in Siemens SiPass Server
ICS-CERT states that a buffer overflow has been found in
Siemens SiPass Integrated MP2.6 and earlier. The vulnerability
allows an attacker to perform a denial-of-service attack and
to gain remote access to the system.
A patch has been made available.
Sources
http://www.us-cert.gov/control_systems/pdf/ICSA-12-305-01.pdf
http://www.siemens.com/corporate-technology/en/research-areas/siemens-cert-security-advisories.htm
October 29, 2012
Vulnerabilities in CoDeSys 3S-Software
An alert has been issued by ICS-CERT after vulnerabilities
were found by an independent researcher in the CoDeSys
3S-Software, which is used on PLCs.
Exploits are known to be available and could allow shell
access or upload of arbitrary files to the system. A
mitigation plan is currently under coordination.
Source
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-097-02A.pdf
http://www.3s-software.com/index.shtml?codesys_dev_dir
Hard-coded password in Korenix JetPort 5600
ICS-CERT has released an advisory about hard-coded
credentials in the firmware of the Korenix JetPort 5600
system application. The vulnerability was found by an
independent researcher, and successful exploitation could
lead to administrative access as well as access to attached
serial devices. A software update has been made available.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-02.pdf
http://www.digitalbond.com/2012/06/13/korenix-and-oring-insecurity/
http://www.korenix.com
October 27, 2012
500K-Site Shodan Research Dataset and Private Sector Followup
This week ICS-CERT updated an advisory to include
notification of a pool of approximately 500,000 industrial
systems connected to the public Internet (see link below).
ICS-CERT had contacted ICS-ISAC last week to provide a
heads-up on this research. During the intervening period we
have been in communication with ICS-CERT and both understand
and agree with their response to date.
The researchers involved show every indication of being
whitehats - there is no indication that they intend to publish
the dataset in public and they are working with authorities to
enable their research to be used to improve the overall
security of industrial facilities.
At present the public sector is being appropriately
circumspect with regards to this dataset and will be taking
this initial period of time to work through the range of
responses within their capability.
Regardless of the disposition of this particular dataset, the
work of these researchers raises known issues to a level which
will no doubt lead to productive actions within both the
public as well as private sectors.
While the scale of this research will not come as a surprise
to those who focus on the security of industrial systems it
does draw attention to specific aspects of the
responsibilities and capabilities of all involved in
maintaining and improving control system security.
- The public sector has access to significant resources that
are generally unavailable to the private sector. It is also
restricted by aspects of organization and mandate particular
to its roles and structures.
- The private sector owns and operates the vast majority of
industrial systems. As such, we own most of the information
and capacity necessary to address the risks represented by
datasets such as that produced by these researchers.
More important than the content of this particular dataset is
the reality that the information contained is available in the
public domain. It is reasonable and diligent to assume that if
such a dataset can be compiled by these particular independent
researchers, similar and perhaps more comprehensive datasets
could be - and quite possibly have been - compiled by others
with less benevolent intentions.
The ICS-ISAC is working with private sector organizations
including asset owners, industry organizations, integrators,
knowledge centers and vendors to jointly develop a private
sector mechanism for addressing the risks represented by this
or similar datasets. Since the initial contact by ICS-CERT we
have contacted more than two dozen organizations who have
agreed to participate in this effort. Over the next several
weeks mechanisms will be put in place to enable these and
other interested private sector parties to work together to
establish appropriate means to mitigate the risks associated
with the reality of the volume of exposed systems and the
threats facing them.
ICS-ISAC members and non-members interested in participating
in this effort can contact the ICS-ISAC via this site or can
contact any ICS-ISAC staff directly.
ICS-CERT Advisory: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-046-01A.pdf?goback=%2Egde_4389851_member_179546037
October 15, 2012
Multiple vulnerabilities in GE Intelligent Platforms Proficy Real-Time Information Portal
ICS-CERT has published an advisory about multiple
vulnerabilities in GE's Intelligent Platforms Proficy
Real-Time Information Portal which can be exploited
remotely.
The vendor has released a security patch.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-234-01.pdf
http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB15050
Multiple vulnerabilities in Sinapsi eSolar Light Photovoltaic System Monitor
An alert has been released by ICS-CERT after vulnerabilities
were found in the SCADA monitoring product and an exploit
was made publicly available.
The hard-coded user credentials allow remote code execution on the
system.
Source
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-284-01.pdf
http://www.exploit-db.com/exploits/21273/
http://www.sinapsitech.it/default.asp?active_page_id=81
Vulnerability in WellinTech KingView application
User credentials are not securely hashed in KingView V6.5.3
and previous versions, and exploit code is known to be
publicly available.
ICS-CERT has issued an advisory which states that a successful
exploit of this vulnerability will allow an attacker complete
access to the targeted system.
A security patch has been released by the vendor.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-283-02.pdf
http://www.exploit-db.com/exploits/15957/
Vulnerabilities in Siemens S7-1200 PLC
ICS-CERT has issued an alert after a cross-site scripting
(XSS) vulnerability was identified in Siemens' S7-1200
Programmable Logic Controllers V2.x, V3.0.0 and V3.0.1.
A successful exploit allows an attacker to run malicious
JavaScript code on the target machine.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-283-01.pdf
http://www.siemens.com/corporate-technology/en/research-areas/siemens-cert-security-advisories.htm
October 08, 2012
Vulnerability in Sielco Sistemi WinLog Lite SCADA HMI
ICS-CERT has issued an alert after a vulnerability with
exploit code was found in WinLog Lite SCADA HMI version
2.06.17.
The vulnerability, which was found and released by an
independent researcher, allows insertion and execution of
shellcode.
Source
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-277-01.pdf
http://packetstormsecurity.org/files/116013/Winlog-Lite-SCADA-HMI-System-2.06.17-SEH-Overwrite.html
http://www.sielcosistemi.com
October 01, 2012
Buffer Overflow vulnerability in Emerson DeltaV application
A remotely exploitable buffer overflow vulnerability has
been identified in Emerson's DeltaV application V9.3.1, V10.3.1,
V11.3 and V11.3.1.
The ICS-CERT advisory states that a public exploit does not
currently exist. A hotfix has been made available by Emerson.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-265-01.pdf
http://www2.emersonprocess.com/en-us/brands/deltav/pages/index.aspx
Vulnerabilities in Optimalog's Optima PLC
According to ICS-CERT, an independent researcher has
identified two vulnerabilities in Optima PLC V1.5.2 and prior
that could be exploited to cause a denial of service.
While an exploit has been released, Optimalog has addressed the
vulnerabilities and issued an update.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-271-01.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-271-02.pdf
http://aluigi.altervista.org/adv/optimalog_1-adv.txt
http://www.optimalog.com/optimaplc_versions_en.html
September 24, 2012
Cyber espionage campaign targeting energy companies with "Mirage" malware/trojan
Energy, military and other targets around the globe have
been targeted by a remote access trojan called "Mirage".
The trojan spreads through spearphishing emails containing an
attachment with a malicious payload. According to Dell SecureWorks,
the Mirage trojan collects system data and phones home to its
command-and-control servers based in China.
Among the many targets are an oil company in the Philippines and
an energy company in Canada. The campaign is still ongoing.
Source
http://www.secureworks.com/research/threats/the-mirage-campaign
Insecure storage of private CA key in Siemens' SIMATIC S7-1200 Programmable Logic Controller (PLC)
Siemens and ICS-CERT have published a security advisory about a
vulnerability in the S7-1200 V2.x PLC.
According to Siemens, "a researcher has demonstrated the ability
to obtain the private key", which allows an attacker to generate their own
certificate and therefore to spoof the server's SSL certificate
for man-in-the-middle attacks.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-263-01.pdf
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-240718.pdf
Hardcoded credentials in ORing Industrial DIN-Rail Device Server
ICS-CERT published a security advisory about hard-coded
credentials in the operating system of the ORing Industrial
DIN-Rail Device Server 5042/5042+ systems, allowing
administrative access to the system.
Exploits for this vulnerability have been reported as publicly
available.
Source:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-263-02.pdf
http://www.digitalbond.com/2012/06/13/korenix-and-oring-insecurity
http://www.oring-networking.com
September 17, 2012
Multiple vulnerabilities in Siemens WinCC/Web Navigator
Multiple vulnerabilities have been found in Siemens WinCC/Web
Navigator that could be exploited remotely, according to an alert
from ICS-CERT.
WinCC is a SCADA/HMI software product, and an updated version with
security fixes has been made available.
A WinCC database was specifically targeted by Stuxnet in
2010, the first malware targeting a SCADA system.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-256-01.pdf
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-864051.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Multiple vulnerabilities in IOServer OPC Server
ICS-CERT reports that IOServer OPC Server, a program to
exchange data between HMIs and PLCs, has multiple
vulnerabilities.
Exploits are known to be publicly available, and an
attacker is able to download any file without authentication.
An updated software version is available.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-258-01.pdf
http://www.ioserver.com/index.html
September 10, 2012
Buffer Overflow found in InduSoft ISSymbol
According to ICS-CERT, a buffer overflow vulnerability has been
identified in the InduSoft ISSymbol ActiveX control, which is used in
SCADA systems.
Successful exploitation of this vulnerability could allow remote
execution of arbitrary code.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-249-03.pdf
http://www.indusoft.com/hotfixes/hotfixes.php
Denial of Service (DoS) vulnerability in Arbiter Systems
ICS-CERT has issued an alert about a remotely exploitable DoS
vulnerability in the Arbiter Systems Power Sentinel Phasor
Measurement Unit.
The affected products are the Model 1133A Power Sentinel, firmware
versions 09Jun2012 and earlier.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-249-01.pdf
Buffer Overflow found in Honeywell HMIWeb
In cooperation with the Zero Day Initiative (ZDI) and
ICS-CERT, a report has been issued about a buffer overflow
vulnerability in Honeywell HMIWeb, affecting a number of
products.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-150-01.pdf
https://extranet.honeywell.com/ecc/TheBuildingsForum
DLL hijack vulnerability in RealFlex RealWinDemo
ICS-CERT reports that an independent researcher has discovered a
weakness in RealFlex RealWinDemo which allows an attacker to place a
malicious DLL in a directory where it could be loaded before the
valid DLL. If exploited on a version that is not up to date, this
could allow execution of arbitrary code.
Source
http://realflex.com/download/
http://www.us-cert.gov/control_systems/pdf/ICSA-12-251-01.pdf
September 03, 2012
Privilege-escalation vulnerability in the GarrettCom Magnum MNS-6K Management Software
ICS-CERT reports that independent security researcher Justin W.
Clarke has found a hard-coded password in the GarrettCom Magnum
MNS-6K Management Software application that is used for Ethernet
switches device management. The vulnerability allows privilege
escalation if an attacker has access to an existing account.
Source
http://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf
http://www.garrettcom.com/techsupport/6k_dl/6k440_rn.pdf
August 27, 2012
Early Alert from ICS-CERT regarding vulnerability in RuggedCom products / Exploit in the public
ICS-CERT has raised an alert because of a public report of a
hard-coded RSA SSL private key within the Rugged Operating System
(ROS). A potential attacker may use the key in order to create
malicious communication to RuggedCom network devices. RuggedCom
is a SIEMENS business. Specialists from SIEMENS and RuggedCom
are investigating this issue and will provide information
updates as soon as they become available.
Source
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf
http://www.ruggedcom.com/productbulletin/ros-security-page/
August 20, 2012
Virus hits Saudi Arabian Oil Co. (Saudi Aramco)
Saudi Arabian Oil Co. (Saudi Aramco), the world's largest crude
exporter, has isolated all its electronic systems from outside
access as an early precautionary measure that was taken
following a sudden disruption that affected some of the sectors
of its electronic network.
The disruption was suspected to be the result of a virus that
had infected personal workstations without affecting the primary
components of the network. Saudi Aramco confirmed the integrity
of all of its electronic network that manages its core business
and that the interruption has had no impact whatsoever on any of
the company's production operations.
Sources:
https://www.facebook.com/Saramcopage/posts/474783089213183
http://www.businessweek.com/news/2012-08-15/aramco-says-virus-attacks-network-oil-output-unaffected
SIEMENS reports new vulnerability
SIEMENS reported a vulnerability in their software solution for
integrated plant management (COMOS) on August 10th 2012 which
allows privilege escalation for authenticated users.
This advisory follows the recent SIEMENS
default password vulnerability in the Synco OZW Webservice and
the SIMATIC WinCC insecure SQL server authentication
vulnerability.
Sources:
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-312568.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-227-01.pdf
Security patch for Niagara AX 3.5 and 3.6 released after Tridium Security alert
Tridium has issued a security alert after independent
security researchers Billy Rios and Terry McCorkle
identified multiple vulnerabilities in the Tridium Niagara AX
Framework software. As ICS-CERT reports, the vulnerabilities
include directory traversal, weak credential storage, session
cookie weaknesses, and predictable session IDs. Successfully
exploiting these vulnerabilities will lead to data leakage and
possible privilege escalation.
Sources:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-228-01.pdf
https://www.niagara-central.com/ord?portal:/dev/wiki/Niagara_AX_3.5_and_3.6_Security_Patches