With our Pretty Shiny Sparkly™ ICS/SCADA/PLC Google/Shodanhq Cheat Sheet you will become real SCADAHacker and search for SCADA with Shodan for free!
Forget about "effective" CVSS score - only Google, only hardcore! Get Siemens S7 PLCs, Scalance S, WinCC, Emerson DeltaV and Schneider Electric PowerLogic in one click!
Special #29C3 release by Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin.
Our team will participate 29th Chaos Communication Congress. Sergey Gordeychik, Gleb Gritsai and Denis Baranov will talk about our new researches in ICS security and vulnerabilities in SCADA and PLC systems.
In early November 2012, the SCADAStrangeLove striking force was thoughtless enough to accept an offer to speak at the Power of Community (POC) conference held in Seoul, South Korea. While I am still under the impression, I want to tell you how they do security in the Land of the Morning Freshness.
Many photos are under the cut.
The number of detected vulnerabilities has increased by 20 times since 2010. It takes more than a month to fix each fifth vulnerability. 50% of vulnerabilities allow a hacker to execute code. There are exploits for 35% of vulnerabilities. 41% of vulnerabilities are critical. More than 40% of systems available from the Internet can be hacked by unprofessional users. The third part of systems available from the Internet is located in the USA. The fourth part of vulnerabilities is related to the lack of necessary security updates. 54% and 39% of systems available from the Internet in Europe and North America respectively are vulnerable.
published advisory “SSA-240718: Insecure storage of HTTPS CA certificate inS7-1200 V2.x” about bug, discovered by our team. Very funny
one, because PLC have built-in CA and generates valid certificates based on IP.
So you can trust to CA certificate and you will have security SSL sessions with
all PLCs. But as you understand all PLC have same private/public key pair for
CA and private key hardcoded into firmware.
bug to fix, but we hope Siemens will do it.
Siemens has fixed vulnerabilities in SIMATIC WinCC 7.0 and SIMATIC PCS7 V8 discovered by SCADAStrangeLove team. There are
very different one, from trivial XSS and CSRF (last one still unfixed) to arbitrary
file reading and awesome username and password disclosure.
ShortList of bugs addresed in SSA-864051:
Lot of XSS
and CSRF (CVE-2012-3031, CVE-2012-3028)
Lot of to arbitrary
file reading (CVE-2012-3030)
injection over SOAP (CVE-2012-3032)
and password disclosure via ActiveX abuse (CVE-2012-3034)
Thanks to Denis
Baranov Sergey Bobrov, Artem Chaykin, Vladimir Kochetkov, Timur Yunusov.
Siemens recently published advisory about vulnerability in WinCC. Default hardcoded MS SQL passwords ('WinCCConnect/2WSXcder', 'WinCCAdmin/2WSXcde.')was used by StuxNet worm for infection. This vulnerability was fixed long time ago in SIMATIC WinCC V7.0 SP2 Update 1 (V 188.8.131.52). Current patchlevel for WinCC is V7.0 SP3 Update 2. Looks like this is kindly reminder.
JFYI, this vulnerability wide known for 7 years from May 2005. First time it published on Siemens forum and publicly disclosed in April 2008.
"...I received a series of emails from Iran. ... Atomic Energy Organization of Iran (AEOI)....
I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.
According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down...I believe it was playing 'Thunderstruck' by AC/DC..."
Looks like somebody know our secret and can pwn nuclear plant with metasploit.
Mikko, we know, you likes Russian guys, but this totally different case. It's not our fault. Really.
- X-Path Injection in WinCC DiagAgent and WebNavigator
- Directory Traversal in WinCC DiagAgent and WebNavigator
- Buffer overflow ain WinCC DiagAgent web server
- Reflected Cross-Site Scripting in WinCC DiagAgent and WebNavigator