Showing posts with label Exploits.

Tuesday, March 18, 2014

Recent development of ICS exploits continues upward trend of security research

In performing my daily rounds on news feeds and websites, I noticed a lot of recent development in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems, in terms of both the vulnerabilities disclosed and the ease of converting these proof-of-concept (PoC) disclosures into working exploit modules.

Monday, December 24, 2012

Gleg releases Ver 1.20 of the SCADA+ Exploit Pack for Immunity Canvas


In keeping with their previous record of releasing updates on a regular basis, Gleg announced on December 24 the release of version 1.20 of the SCADA+ Exploit Pack for the Immunity Canvas framework.

Version 1.19 was released on November 8, 2012.

Thursday, November 8, 2012

Gleg releases Ver 1.19 of the SCADA+ Exploit Pack for Immunity Canvas

On November 8, a reference on the Gleg website indicated that they would be releasing version 1.19 of the SCADA+ Exploit Pack for the Immunity Canvas framework offered by Gleg. On November 9, the Immunity Inc. listserver confirmed that the update is now available.

Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, with this release coming just 4 weeks after v1.18!

All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including in any published advisories or alerts from ICS-CERT. Both ICS systems included in this release represent a reasonable risk to critical infrastructure and manufacturing facilities within the USA.

Wednesday, October 10, 2012

Gleg releases Ver 1.18 of the SCADA+ Exploit Pack for Immunity Canvas

On October 10, Gleg released version 1.18 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.17 of the Agora Exploit Pack.

Gleg remains active and devoted to continuing to release SCADA+ Exploit Pack modules on a regular basis, at approximately 4-8 week intervals!

All of the SCADA exploits included in this release cover 0-day vulnerabilities that have not been previously disclosed, including in any published advisories or alerts from ICS-CERT. Two of the systems included in this release do not appear to be high-risk to most critical infrastructure and manufacturing facilities within the USA; however, these products do have reference installations within these industries in other countries, so due diligence should be performed if you own a potentially vulnerable system. A third system, which is actually one of the leading RTOSs used by many embedded devices, could pose elevated risk to ICS users.

Sunday, November 27, 2011

Gleg releases Ver 1.8 of the SCADA+ Exploit Pack for Immunity Canvas

On November 24, Gleg released version 1.8 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.7 of the Agora Exploit Pack.

In SCADA+ 1.8 there are modules for several fresh public SCADA/ICS vulnerabilities, most of which were recently disclosed by Luigi Auriemma.  Many of these exploits appear to be denial-of-service (DoS) exploits, so this really is not something that I think is worth the money at this time.

Thursday, October 20, 2011

Gleg releases Ver 1.7 of the SCADA+ Exploit Pack for Immunity Canvas

On October 20, Gleg released version 1.7 of the SCADA+ Exploit Pack for the Immunity Canvas framework, though this time around, I do not see a lot of unique value in the code updates.

Monday, September 26, 2011

Gleg releases Ver 1.6 of the SCADA+ Exploit Pack for Immunity Canvas

On September 26, Gleg released version 1.6 of their SCADA+ exploit pack for Immunity Canvas. This release includes several new modules, including many for vulnerabilities found by Luigi Auriemma. Note that the Metasploit Framework has also incorporated a large number of these exploit modules in its free framework.

Thursday, August 25, 2011

Gleg releases Ver 1.5 of the SCADA+ Exploit Pack for Immunity Canvas

Today (August 25, 2011), Gleg announced the availability of Version 1.5 of the SCADA+ add-on exploit pack for Immunity's CANVAS exploitation framework (much like the Metasploit Framework). As we have seen over the past few months, this release contains several new automated SCADA exploits, including several zero days.

Monday, August 22, 2011

Gleg releases Version 1.4 of the SCADA+ Pack for Canvas

On July 21, Gleg Ltd. announced the availability of Release 1.4 of the SCADA+ pack for Immunity's Canvas. This confirms a trend by which Gleg appears to be offering an updated SCADA+ pack about every month. Details of v1.2 - 1.3 are also provided below.

ICS-CERT also released alert ICS-ALERT-11-230-01 on August 18, which provides some additional details on the SCADA+ Pack. Though there were no alerts or updates for SCADA+ Versions 1.2 and 1.3, the ICS-CERT update and this blog should provide good revision control.

Friday, April 22, 2011

Gleg releases Ver 1.1 of the SCADA+ Pack for Canvas

Gleg Ltd. announced the availability of Release 1.1 of the SCADA+ pack for Immunity's Canvas.

Here are the details of the release contents:

Wednesday, January 12, 2011

UPDATED: Nearly Instant Exploit when MS Releases Patch

I teach my SCADA security students that we always are faced with a double-edged sword when dealing with the patching of security holes within a common platform. In the days of the SQL Slammer worm (2003), an exploit could take up to six (6) months to develop using reverse engineering techniques once Microsoft released their security hotfixes.

Today, that time is on the order of hours! Take, for example, MS11-002 (Microsoft Data Access Components Vulnerability, CVE-2011-0027), which was just released this morning (January 12, 2011) by Microsoft. It was just a matter of hours before an exploit was available for download for script kiddies and experienced pen testers to begin using (http://www.exploit-db.com/exploits/15984/).

When we consider control systems, and the fact that at best, security patches are approved by the vendor within 7-14 days, we have a pretty wide window of opportunity to exploit these critical systems. Using my "think like a hacker" approach to security, the best time to exploit a targeted control system is during the first few days following the publication of the MS Security Advisories (which are released on the second Tuesday of each month). In reality, we have even longer, as many control systems do not utilize any form of automated patch management system that deploys these updates as soon as they are approved by the vendor.

If I were planning an attack, I would complete my reconnaissance phase and wait until the days immediately following the MS announcement to commence the actual attack, using the just-published vulnerabilities: the target OS has not yet received the patch, and host security protections are unlikely to have signatures for exploits that are only hours old.

I also thought that it would be useful to share the updated schedules from a few of the other major vendors. Of course, vendors are free to release out-of-cycle updates for vulnerabilities which they feel are too critical to wait for the normal cycle.
  • Microsoft: monthly, 2nd Tuesday
  • Oracle: quarterly (Jan, Apr, Jul, Oct), Tuesday closest to the 17th of the month
  • Cisco (Internetwork Operating System): semi-annual (Mar, Sep), 4th Wednesday
  • Adobe: quarterly (Feb, May, Aug, Nov), 2nd Tuesday
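The schedules above and the 7-14 day vendor-approval lag are easy to turn into a planning aid. The following Python is an added example (it is not code from the original post or from any vendor): it encodes the four release rules as listed, computes a year's release calendar, and reports which releases still leave an unpatched control-system host exposed on a given day. The function names, the deploy_lag_days parameter (an assumed extra delay for a site that only applies approved patches at a maintenance window) and the sample dates are this example's own assumptions.

```python
"""Vendor patch-cycle calendar and ICS exposure window (added example).

Encodes the four release schedules listed above plus the assumption that a
control-system vendor approves a patch 7-14 days after the platform vendor
releases it, then reports which releases still leave an unpatched ICS host
exposed on a given day. Function names, deploy_lag_days and the sample
dates are this example's own, not the original post's.
"""
from datetime import date, timedelta
import calendar  # calendar.TUESDAY == 1, calendar.WEDNESDAY == 2


def nth_weekday(year, month, weekday, n):
    """Date of the n-th occurrence of `weekday` (Mon=0 .. Sun=6) in the month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7      # days from the 1st to the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def weekday_closest_to(year, month, weekday, day):
    """Date of the `weekday` closest to year-month-day (the Oracle CPU rule)."""
    target = date(year, month, day)
    delta = (weekday - target.weekday()) % 7      # 0..6 days forward to the next such weekday
    if delta > 3:                                 # the previous occurrence is nearer
        delta -= 7
    return target + timedelta(days=delta)


# One function per vendor, each returning that vendor's scheduled dates for a year.
SCHEDULES = {
    "Microsoft": lambda y: [nth_weekday(y, m, calendar.TUESDAY, 2) for m in range(1, 13)],
    "Oracle":    lambda y: [weekday_closest_to(y, m, calendar.TUESDAY, 17) for m in (1, 4, 7, 10)],
    "Cisco IOS": lambda y: [nth_weekday(y, m, calendar.WEDNESDAY, 4) for m in (3, 9)],
    "Adobe":     lambda y: [nth_weekday(y, m, calendar.TUESDAY, 2) for m in (2, 5, 8, 11)],
}


def release_calendar(year):
    """Every scheduled release in `year`, as a date-sorted list of (date, vendor)."""
    return sorted((d, vendor) for vendor, fn in SCHEDULES.items() for d in fn(year))


def exposure_window(release, approval_days=(7, 14), deploy_lag_days=0):
    """(release, earliest_close, latest_close) for one vendor release.

    approval_days is the 7-14 day ICS-vendor approval range from the post;
    deploy_lag_days (assumed) models a site that applies approved patches
    only at its next maintenance window. Until latest_close the host may
    still be running the unpatched code that the public exploit targets.
    """
    lo, hi = approval_days
    return (release,
            release + timedelta(days=lo + deploy_lag_days),
            release + timedelta(days=hi + deploy_lag_days))


def risk_status(today, approval_days=(7, 14), deploy_lag_days=0):
    """Releases whose exposure window still covers `today` (a date or ISO string).

    Returns [(vendor, release_date, days_since_release), ...] in date order;
    a small days_since_release is the "days immediately following the
    announcement" that the post singles out as the attacker's best moment.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for year in (today.year - 1, today.year):     # a December release can spill into January
        for release, vendor in release_calendar(year):
            _, _, latest = exposure_window(release, approval_days, deploy_lag_days)
            if release <= today <= latest:
                hits.append((vendor, release, (today - release).days))
    return hits


if __name__ == "__main__":
    # Sample run for 2011 with an assumed 30-day maintenance-window lag.
    for release, vendor in release_calendar(2011):
        _, earliest, latest = exposure_window(release, deploy_lag_days=30)
        print(f"{release}  {vendor:<9} exposed until {earliest} .. {latest}")
    print(risk_status("2011-01-12"))
```

The rules are hard-coded exactly as the list states them; vendors do change their cycles, so the table should be re-checked against each vendor's current advisory page before it is used for scheduling. The useful output is the overlap: when several vendors' windows cover the same day (for example a Patch Tuesday and an Oracle CPU a week apart), a site with a long maintenance-window lag is exposed to several freshly weaponised bug classes at once.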
I compiled some data for Stuxnet that is interesting and worth sharing, comparing the date of discovery (let's just say July 16 for all practical purposes), and the date of patch and exploit being released:
  • MS10-046 (Propagation)
    SecurityFocus releases exploit July 15
    Metasploit releases exploit July 19
    Microsoft releases patch August 2 (out-of-band)
    Immunity releases exploit September 27

  • MS10-061 (Propagation)
    Microsoft releases patch September 14
    SecurityFocus releases exploit September 14
    Metasploit releases exploit September 17

  • MS10-073 (EoP)
    SecurityFocus releases proof-of-concept July 1
    Immunity releases exploit October 5
    Microsoft releases patch October 12
    SecurityFocus releases exploit October 12

  • MS10-092 (EoP)
    Immunity releases exploit October 5
    SecurityFocus releases exploit October 18
    Microsoft releases patch December 14
I found an interesting statistic from a 2009 article in ComputerWorld:

"The increase in the number of flaws being discovered comes at a time when attackers are getting much faster at exploiting them. A survey by security vendor Qualys earlier this year [2009] showed that 80% of vulnerability exploits are available within 10 days of the vulnerability's disclosure. Nearly 50% of the vulnerabilities patched by Microsoft in its security updates for April [2009] already had known exploits by the time the patches were available."

As you can see, we all need to be diligent in addressing patch management within our control system networks. Next month (February 2011), I will be asking the wider community to participate in a survey to collect some real-world data regarding patch management implementations.

If you are interested in exploring any of the Stuxnet exploits that have been published, a list is available at http://www.stuxnetcure.com.

Monday, November 8, 2010

[Canvas] Agora 1.21 point release

1.21 point release with bugfixes and modules is available for download.
Two modules for SCADA systems and two web exploits this time.
While one SCADA module is unpatched in the current official version, the
other is patchable, but we think it is still useful.

The exact list by now:
- Invensys Wonderware InFusion SCADA (and other products) Ax exploit.
- DATAC RealWin SCADA 1.06 Buffer Overflow Exploit. Unpatched as of 07.11.2010.
- DNET Live-Stats 0.8 Local File Inclusion. Unpatched as of 07.11.2010.
- OvBB v0.16a Local File Inclusion. Unpatched as of 07.11.2010.