In SCADA+ 1.8 there are modules for several fresh public SCADA/ICS vulnerabilities, most of which were recently disclosed by Luigi Auriemma. Many of these exploits appear to be denial-of-service (DoS) exploits, so this really is not something that I think is worth the money at this time.
SCADAhacker has noticed that the vulnerabilities included with Gleg SCADA+ 1.8 regarding the Optima APIFTP Server SCADA HMI application have not yet been disclosed by ICS-CERT. I will be posting an out-of-band advisory on this vulnerability set within the next 24 hours, and will update this blog accordingly.
The Gleg Step Ahead customers receive some additional exploit modules, including one which allows them to decrypt users credentials in Promotic SCADA and an additional SCADA-related ActiveX exploit.
SCADA+ 1.8 modules include:
- Beckhoff TwinCAT <= 2.11.0.2004
- Optima <= 1.5.2.13 Denial of Service
- OPC Systems.NET <= 4.00.0048 Denial of Service
- Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 Stack Overflow Proof of Concept & Denial of Service
- Atvise webMI2ADS <= 1.0 Denial of Service
- another Atvise webMI2ADS <= 1.0 Denial of Service
- Atvise webMI TestServer Directory Traversal
- PcVue <= 10.0, SVUIGrd.ocx <= 1.5.1.0 Code Execution
- PROMOTIC <= 8.1.3 Directory Traversal leveraged to user credentials disclosure
- Beckhoff TwinCAT "TCATSysSrv.exe" Network Packet Denial of Service Vulnerability
- atvise webMI Web Server Multiple Remote Vulnerabilities
- Open Automation Software OPC Systems.NET Denial-of-Server Vulnerability
- Microsys Promotic Directory Traversal and ActiveX Control Buffer Overflow Vulnerabilities
- General Electric Intelligent Platforms (GE-IP) Proficy Plant Applications Buffer Overflow Vulnerabilities
- General Electric Intelligent Platforms (GE-IP) Proficy Historian Data Archiver Buffer Overflow Vulnerability
- ARC Informatique PcVue Multiple ActiveX Vulnerabilities
As always, please post your comments or suggestions to improve the usefulness of this information.
that list of "modules" is exactly the same available for free on my website (they admitted it too).
ReplyDeletenothing new as usual, so I don't understand why someone should waste money for something already publicly available.
I have checked all their previous "releases" and everytime I notice that:
- 85% of time it's just my stuff, this time it's 100%
- 10% are other known public bugs with a public PoC or a trivial to code PoC (easy protocol/bug)
- 5% are simple DoS bugs found by them often in unknown products
that's what I noticed, maybe I'm wrong.
so why giving them all this importance (advertising?) and space everytime if they try to sell something already known and public?
if there is something new and good from them it's ok but this is not the case in my opinion.
what you think about this Joel?
Luigi Auriemma
They stated on their website - "effort towards 100 % public bugs coverage, along with 0days"... so this is not strange that they write modules for Luigi's things. of course if copyright is in place.
ReplyDeleteGood post.Thank you for this information. There are different kinds of SCADA systems and software available in the market. From the standard, free solutions to customizable and scalable ones, you can have different systems as per the nature of the industrial processes you would run.
ReplyDelete