Wednesday, January 22, 2014

Gleg releases Ver 1.31 of the SCADA+ Exploit Pack for Immunity Canvas

Gleg announced last week (January 16) the release of version 1.31 of the SCADA+ Exploit Pack for the Immunity Canvas framework.

A summary of recent releases includes:
  • Version 1.30 was released on December 13, 2013
  • Version 1.29 was released on November 22, 2013
  • Version 1.28 was released on October 7, 2013
  • Version 1.27 was released on September 6, 2013
  • Version 1.26 was released on August 14, 2013
  • Version 1.25 was released on July 5, 2013
  • Version 1.24 was released on May 14, 2013
  • Version 1.23 was released on April 22, 2013
  • Version 1.22 was released on February 27, 2013
  • Version 1.21 was released on February 7, 2013
  • Version 1.20 was released on December 21, 2012
  • Version 1.19 was released on November 8, 2012
SCADA+ 1.31 includes 2 new DoS 0-days targeting Eaton and Inductive Automation!

SCADA+ 1.31 modules include:
  • ABB MicroSCADA - Remote Code Execution [public exploit] 
  • Eaton Network Shutdown Module - DoS [0-day]
  • Eaton Network Shutdown Module - Remote Code Execution with Credential Stealing [public]
  • Inductive Automation Ignition! Gateway OPC-UA Server - DoS [0-day]
The  MicroSCADA vulnerability was initially reported to ABB by ZeroDayInitiative with an official release by ABB in April 2013.  Public disclosure occurred in November 2013 through standard channels (Security Focus, Packet Storm, Secunia, etc.) with public exploit modules available for the Metasploit framework. Details for this vulnerability do NOT appear to have been communicated via ICS-CERT (probably because they were too busy working all those DNP3 advisories!). Complete details with additional links are available via OSVDB ID 100324.

There is little information available regarding the DoS 0-day (if you find anything, please share). The Remote Code Execution vulnerability was publicly disclosed in June 2012, with public exploit code available for Metasploit with an alternative Python script available at Packet Storm. Disclosure with PoC occurred through many of the standard channels (Exploit-DB, Secunia, Security Focus, and Packet Storm), with OSVDB logging this under three IDs 83199, 83200, and 83201. It should be noted that these vulnerabilities have NOT been tagged as SCADA related by OSVDB, as they are general IT products. Neither of the Eaton vulnerabilities appear to have made their way through the ICS-CERT communication channels as well.

The vulnerability and exploit for Inductive Automation's Ignition! server does not appear to be logged or recorded by anyone, so this could represent increased risk to those users who have deployed this particular ICS software. If anyone finds anything, please share details.

What is most disturbing about these disclosures is the mysterious absence of ICS-CERT in this process. I was under the impression that they were taking the lead role in terms of information sharing and disclosure. This does not appear to be the case, as several of these vulnerabilities were available via separate mechanisms in early 2013!  I guess that is more incentive for me to create a threat intelligence page for the website, in order to consolidate and present information such as this in a timely manner.  The site has recently been updated to include more "active" and "dynamic" content - check it out if you have a chance.

Information on the Gleg SCADA+ Exploit Pack can be found here, as well as information on Immunity's CANVAS here.

As always, please post your comments or suggestions to improve the usefulness of this information.

1 comment:

  1. SCADA software basically is a combination of multiple computerized control systems to monitor and control infrastructure, and industrial and facility processes.