SDG Hole Exploit Code Released

Thursday, October 15, 2015 @ 05:10 PM gHale

A cross-site scripting vulnerability affecting SDG Technologies Plug and Play SCADA, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product, has been publicly disclosed along with proof-of-concept (PoC) exploit code, according to a report on ICS-CERT.

The vulnerability is exploitable by inserting malicious script in the HTML request to web servers, according to the report. This report was released without coordination with either the vendor or ICS-CERT.

ICS-CERT has notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations. ICS-CERT is issuing an alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other attacks.

The report included vulnerability details and PoC exploit code for the remotely exploitable cross-site scripting (XSS) vulnerability that could result in remote code execution.

Cross-site scripting vulnerabilities allow a malicious party to insert malicious code into pages viewed by others. When others view these pages, their browsers execute the code believing it to have originated from the web server. Until the vendor addresses the vulnerability, ICS-CERT recommends asset owners using SDG Technologies Plug and Play SCADA take the steps listed in the mitigation section. This disclosure went out on Pastebin and was attributed to Kelvin Security. ICS-CERT researchers said they feel the exploit code is valid.

SDG Technologies Plug and Play SCADA (PnPSCADA) is a web-based SCADA HMI used primarily within the energy sector. SDG Technologies is a manufacturer of hardware and software for Automatic Meter Reading systems. SDG’s headquarters is in Kempton Park, South Africa.

ICS-CERT has been unable to reach a representative of SDG Technologies.