Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, at approximately 4-8 week intervals!
All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including any published advisories or alerts from ICS-CERT. Two of the systems included in this release do not appear to be high-risk to most critical infrastructure and manufacturing facilities within the USA; however, these products do have references within these industries in other countries so due diligence should be performed if you own a potentially vulnerable system. A third system, which is actually one of the leading RTOS used by many embedded devices, could pose elevated risk to ICS users.
SCADA+ 1.18 includes 3 new SCADA related 0-days and a new version 1.1 of the automated network device exploitation tools.
SCADA+ 1.18 modules include:
- Elipse E3 ActiveReports Remote Arbitrary File Replace [0-day]
Elipse is a software company based in Brazil that offers two primary ICS monitoring and control products (E3 and SCADA), as well as other supplemental application packages. Information on Elipse can be found at http://www.elipse.com.br.
- Carel PlantVisor v.2.4.4 (possibly others) directory traversal vulnerability [0-day]
Carel is a company based in Italy with other regional offices and subsidiaries. Their products, including the targetted PlantVisor application is developed for refrigeration and air-conditioning systems. This appears to be similar to one disclosed by Luigi Auriemma with an initial publication date of September 13, 2011 documented as BID-49601 and CVE-2011-3487. This is yet to be confirmed, however, Luigi's PoC is provided at the Mitre link. Additional information on Carel can be found at http://www.carel.com.
- QNX FTPD Denial-of-Service [0-day]
As many may already know, QNX is one of the real-time operating systems (RTOS) used in many embedded devices, including (though not important to ICS but more for general information) the BlackBerry Playbook and Colt. Of more relevance to the ICS world, QNX can be found in ICS suppliers including Emerson Process Management (Ovation and DeltaV), General Electric (Mark VI Turbine Controller), Tridium (JACE 600), as well as most major automative manufacturers! This DoS could represent significant risk to ICS systems installed in CIKR and other critical sectors. A complete list of references, and other useful information on QNX can be found at their website http://www.qnx.com.
- Ubiquiti Networks AirOS Directory Traversal Vulnerability for AirOS 5, 4.0, 3.6.1
- Alpha Networks ADSL2/2+ Wireless Router ASL-26555 Password Disclosure
- QLogic SANsurfer FC HBA Manager Directory Traversal vulnerability
As always, please post your comments or suggestions to improve the usefulness of this information.