This new release contains the following updates:
- Broadwin\Advantech WebAccess - Blind-Error based SQL Injection with Filters Bypass (this was available via the Step Ahead program from Gleg about 1.5 months ago) (zero day)
- Labview (version 6 and possibly others) - DoS via IPv6 Query. Based on an old bug, but commonly used Labview version.
- Progea Movicon 11 - Remote DoS crashing the server.
- Carel PlantVisor Pro vulnerability - Used on nuclear plants (e.g. in Canada). Exploit allows credentials steal. (zero day)
[SH comment: don't be alarmed here! Carel PlantVisor Pro is used for HVAC building control, and is not used as a primary safety or controls system]
- Sunway ForceControl and pNetPower - Buffer Overflow vulnerability is known to exist (but details are not public), patch available. thousands of installations in Turkey and China (http://gleg.net/httpsrv_shodan.png shows some representative installations by country - Thanks Shodan!)
Details on the SCADA+ pack can be found on the Gleg website. Pricing was previously available on-line, and my past investigation showed a three-month subscription for Agora SCADA+ costs US$2,250, which includes updates to the exploit pack and a single license for the Canvas framework. A one-year subscription costs $5,400 and also comes with one Canvas license. For current pricing, contact email@example.com.