Thursday, September 13, 2012

All your PLC are belong to us

Siemens has published advisory “SSA-240718: Insecure storage of HTTPS CA certificate in S7-1200 V2.x” about a bug discovered by our team. A very funny one: the PLC has a built-in CA and generates valid certificates based on its IP address, so you can trust the CA certificate and get secure SSL sessions with all PLCs. But, as you understand, all PLCs share the same private/public key pair for the CA, and the private key is hard-coded into the firmware.
Not an easy bug to fix, but we hope Siemens will do it.
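As an added example (not part of the original post and not Siemens' or the PLC's own code): a small inventory check that groups devices by the SHA-256 fingerprint of the CA certificate each one presents. If several PLCs with different addresses present an identical CA certificate, they are trusting one shared CA key, which is the condition the advisory describes. The certificates below are constructed placeholders, not real S7-1200 material; in practice the CA certificates exported from the devices would be fed in instead.

```python
import base64
import hashlib
import ssl
from collections import defaultdict


def ca_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of a PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips PEM armour, base64-decodes
    return hashlib.sha256(der).hexdigest()


def find_shared_ca(inventory: dict) -> dict:
    """Map CA fingerprint -> sorted list of devices presenting it.

    Only fingerprints seen on more than one device are returned; each such
    entry is a set of devices that all rely on the same CA certificate.
    """
    by_fp = defaultdict(list)
    for host, pem in inventory.items():
        by_fp[ca_fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def _fake_pem(payload: bytes) -> str:
    """Constructed placeholder: PEM armour around arbitrary bytes.

    Stands in for a real exported CA certificate so the check runs offline.
    """
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed inventory (documentation addresses, not real devices):
# two PLCs present the identical CA certificate, a third presents its own.
SHARED_CA = _fake_pem(b"constructed-shared-ca-certificate-bytes")
UNIQUE_CA = _fake_pem(b"constructed-unique-ca-certificate-bytes")
INVENTORY = {
    "192.0.2.10": SHARED_CA,
    "192.0.2.11": SHARED_CA,
    "192.0.2.12": UNIQUE_CA,
}

if __name__ == "__main__":
    for fp, hosts in find_shared_ca(INVENTORY).items():
        print(f"CA {fp[:16]}... shared by: {', '.join(hosts)}")
```

The check works on the whole certificate, which is enough here because the advisory concerns one identical built-in CA certificate in every unit; a finer check would compare only the CA public key, so that re-issued certificates over the same key are still grouped together.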

Tuesday, September 11, 2012

New vulnerabilities in Siemens SIMATIC WinCC

Siemens has fixed vulnerabilities in SIMATIC WinCC 7.0 and SIMATIC PCS7 V8 discovered by the SCADAStrangeLove team. They are quite varied, from trivial XSS and CSRF (the latter still unfixed) to arbitrary file reading and an awesome username and password disclosure.
Short list of bugs addressed in SSA-864051:

  • Lots of XSS and CSRF (CVE-2012-3031, CVE-2012-3028)
  • Lots of arbitrary file reading (CVE-2012-3030)
  • SQL injection over SOAP (CVE-2012-3032)
  • Username and password disclosure via ActiveX abuse (CVE-2012-3034)

Thanks to Denis Baranov, Sergey Bobrov, Artem Chaykin, Vladimir Kochetkov, Timur Yunusov.

Now we have more info for our speech at Power of Community. The world has become safer! Hurray!