Symposium Releases Vulnerabilities

Monday, January 23, 2012 @ 07:01 PM gHale


Vulnerabilities from major players in the manufacturing automation sector are now out in the public awaiting fixes.

Koyo
There are multiple vulnerabilities, with proof-of-concept (PoC) exploit code, affecting the Koyo ECOM100 Ethernet Module, which is used to communicate between a PLC and the control system.


This report comes from information presented by Reid Wightman during Digital Bond’s SCADA Security Scientific Symposium (S4). Wightman released the vulnerability details without coordination with either the vendor or ICS-CERT.

ICS-CERT is attempting to notify the affected vendor of the report for confirmation and to identify mitigations. ICS-CERT is issuing this alert to provide preliminary notice of the reported vulnerable products and to begin identifying baseline mitigations that can reduce the risk of attacks exploiting these vulnerabilities.

The report included vulnerability details and PoC exploit code for the following: weak authentication (an 8-byte passcode), a replay attack, no authentication on the web server, a web server buffer overflow, and web server cross-site scripting (XSS). All of the vulnerabilities are remotely exploitable and could lead to loss of integrity, bypass of authentication, denial of service or a web server crash.
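The first two Koyo findings, a static passcode presented in the clear and a replay of a captured exchange, are one failure mode seen from two sides: if the credential itself is what crosses the wire, a single capture both reveals it and can be resent verbatim. The Python below is an added illustration, not code from the article, from Digital Bond or from the ECOM100 protocol. It models a device that accepts a static passcode on the wire, shows that one sniffed request exposes the passcode and replays successfully, and contrasts it with a nonce-based challenge/response in which the same capture is useless. The `AUTH` framing, the sample passcode and the command bytes are constructed assumptions; the same point applies to the plaintext password exchange described later in this article for the SEL-2032.

```python
import hashlib
import hmac
import secrets

# Constructed 8-byte secret, standing in for a device passcode. Not a real value.
PASSCODE = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def weak_auth_request(passcode: bytes) -> bytes:
    """Client side of the weak scheme: the passcode itself is the credential.
    (Assumed framing: a 4-byte 'AUTH' tag followed by the raw passcode.)"""
    return b"AUTH" + passcode


def recover_passcode_from_capture(captured: bytes) -> bytes:
    """What a passive attacker learns from one sniffed weak-scheme request."""
    return captured[4:]


class WeakDevice:
    """Device that accepts any request carrying the right passcode.

    Nothing in the request is bound to a session or a point in time, so a
    captured request is accepted again and again (replay), and the passcode
    is readable by anyone on the path (plaintext authentication).
    """

    def __init__(self, passcode: bytes) -> None:
        self.passcode = passcode

    def check(self, request: bytes) -> bool:
        return request.startswith(b"AUTH") and hmac.compare_digest(
            request[4:], self.passcode
        )


class ChallengeDevice:
    """Challenge/response variant.

    The device hands out a fresh random nonce; the client proves knowledge of
    the passcode with HMAC-SHA256(passcode, nonce || command). The passcode
    never crosses the wire, the tag is bound to the command, and each nonce
    is accepted at most once, so a captured exchange cannot be replayed.
    """

    def __init__(self, passcode: bytes) -> None:
        self.passcode = passcode
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: replay rejected
        self.outstanding.discard(nonce)  # single use, even if the tag is wrong
        expected = hmac.new(self.passcode, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def challenge_auth_response(passcode: bytes, nonce: bytes, command: bytes) -> bytes:
    """Client side of the challenge/response scheme."""
    return hmac.new(passcode, nonce + command, hashlib.sha256).digest()


def simulate_replay_against_weak() -> tuple[bool, bool]:
    """Returns (legitimate request accepted, identical replay accepted)."""
    dev = WeakDevice(PASSCODE)
    captured = weak_auth_request(PASSCODE)  # attacker sniffs one valid request
    legit = dev.check(captured)
    replayed = dev.check(captured)  # attacker resends the same bytes
    return legit, replayed


def simulate_replay_against_challenge() -> tuple[bool, bool, bool]:
    """Returns (legitimate exchange accepted, replay accepted, forgery accepted)."""
    dev = ChallengeDevice(PASSCODE)
    command = b"STOP"  # constructed command payload
    nonce = dev.challenge()
    tag = challenge_auth_response(PASSCODE, nonce, command)
    legit = dev.check(nonce, command, tag)
    replayed = dev.check(nonce, command, tag)  # same capture, sent again
    # An attacker who saw only the exchange has no passcode, so the old tag
    # does not validate against a fresh nonce either.
    fresh_nonce = dev.challenge()
    forged = dev.check(fresh_nonce, command, tag)
    return legit, replayed, forged


if __name__ == "__main__":
    print("weak scheme   (legit, replay):", simulate_replay_against_weak())
    print("challenge     (legit, replay, forge):", simulate_replay_against_challenge())
    print("sniffed passcode:", recover_passcode_from_capture(weak_auth_request(PASSCODE)).hex())
```

The nonce set is consumed before the tag is verified so that a wrong guess burns the challenge rather than leaving it open for retries; a real device would also bound the number of outstanding challenges and rate-limit failures, which is the part of the fix that addresses the "weak passcode" half of the finding rather than the replay half.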

ICS-CERT is currently coordinating with Koyo and the security researcher to identify useful mitigations.

Modicon
There are multiple vulnerabilities affecting Schneider Electric’s Modicon Quantum PLC. These vulnerabilities are exploitable through backdoor accounts (previously disclosed), malformed HTTP or FTP requests, or cross-site scripting (XSS).

This report comes from information presented by the Project Basecamp team during Digital Bond’s SCADA Security Scientific Symposium (S4). The vulnerability information comes from research by Rubén Santamarta. They released the information without coordination with either the vendor or ICS-CERT.

ICS-CERT notified Schneider Electric of the report and has asked the vendor to confirm the vulnerability and identify mitigations.

The presentation summarized the following remotely exploitable vulnerabilities: no authentication between the Unity software and the PLC; backdoor accounts; HTTP server buffer overflows; FTP server buffer overflows, and XSS. The impact ranges from denial of service to possible remote code execution and administrative access to the system.

In addition, the Project Basecamp team identified two hundred instances of Modicon Quantum PLCs directly facing the Internet. ICS-CERT said the use of readily available and generally free search tools (such as SHODAN and ERIPP) significantly reduces time and resources required to identify Internet facing control systems.

In turn, attackers can use these tools together with the released exploit modules to identify and attack vulnerable control systems. Conversely, owners and operators can use the same tools to audit their own assets for unsecured Internet-facing devices.

Schneider Electric is a manufacturer and integrator of energy management equipment and software. Its systems are in the energy, manufacturing, building automation, and information technology industries, with operations in over 100 countries worldwide. The Schneider Electric Modicon PLC line contains different devices designed for different uses and environments.

Rockwell
There are multiple vulnerabilities, with PoC exploit code, affecting Rockwell's ControlLogix controller. They are exploitable by sending arbitrary commands over the control network to the PLC.

This report comes from information presented by the Project Basecamp team during Digital Bond’s SCADA Security Scientific Symposium (S4). The vulnerability comes from research conducted by Rubén Santamarta. He released the information without coordination with either the vendor or ICS-CERT.

ICS-CERT has notified Rockwell of the report and has asked the vendor to confirm the vulnerabilities and identify mitigations.

The report included details and PoC exploit code for an improper input validation vulnerability: a malformed request, exploitable remotely, can cause a denial of service and may require a physical reboot of the controller.

The report also included details of methods for using legitimate commands maliciously.

All of these are remotely exploitable, including the commands for interface control, stop, dumping the 1756-ENBT module's boot code, reset, and firmware upgrade. The impact ranges from denial of service, a possible man-in-the-middle position and the need for a physical reboot, to data leakage, loss of data integrity and arbitrary code execution.

ICS-CERT is currently coordinating with the vendor and security researcher to identify useful mitigations.

Schweitzer Engineering
There are multiple vulnerabilities, with PoC exploit code, affecting Schweitzer Engineering Laboratories' SEL-2032 Communications Processor, a SCADA remote terminal unit (RTU).

This report is from research conducted by Dillon Beresford and presented by the Project Basecamp team during the Digital Bond SCADA Security Scientific Symposium (S4).

The RTU uses a plaintext protocol for password authentication, according to the report. In addition, the researchers were able to cause an intermittent crash of an unidentified service via Telnet and port 1024/TCP.

They released vulnerability details without prior coordination with either the vendor or ICS-CERT.

ICS-CERT has coordinated with Schweitzer Engineering Laboratories and has asked the vendor to confirm the vulnerability and identify mitigations.

The report included details and PoC exploit code for two vulnerabilities: plaintext authentication, which is locally exploitable, and termination of the software, which is remotely exploitable. The plaintext authentication could allow unauthorized access to the system, while termination of the software could lead to a denial of service.
