Wednesday, July 25, 2012

WinCC default password: 7 years long story

Siemens recently published advisory about vulnerability in WinCC. Default hardcoded MS SQL passwords ('WinCCConnect/2WSXcder', 'WinCCAdmin/2WSXcde.')was used by StuxNet worm for infection. This vulnerability was fixed long time ago in SIMATIC WinCC V7.0 SP2 Update 1 (V Current patchlevel for WinCC is V7.0 SP3 Update 2. Looks like this is kindly reminder.
JFYI, this vulnerability wide known for 7 years from May 2005. First time it published on Siemens forum and publicly disclosed in April 2008.

Link and screenshot for history:

So correct credits for advisory: Max Prilepsky & Cyber.

PS. Mikko - perfect Cyrillic screen for you slides!

PPS. AC/DC? No way!

No comments:

Post a Comment