Saturday, January 26, 2013

Comments on ICS CERT ICS-ALERT-13-016-02

There is a flame in media about our S7 bruteforce tool

Just for instance:  "...and have unfortunately made the code available before the Siemens had the opportunity patch the flaw or offer mitigations..." (src = http://www.net-security.org/secworld.php?id=14303).
C'mon, guys, you serious? Mitigation against offline bruteforce in password-based authentication? Maybe you should take a lessen or two on information security?

1.    There are no any security vulnerability disclosed by released tool. SHA-1 and HMAC-SHA-1 crypto implementation in S7 according our analysis strong enough. No salt? May be...
2.    Issue related to S7 password known for a while and documented on Siemens site. Prooflink: http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&objid=51401544&nodeid0=10805148&switchLang;51401544;2.x=34&switchLang;51401544;2.y=4&lang=en&siteid=cseus&aktprim=0&objaction=csopen&extranet=standard&viewreg=WW
3.    Published tool (and JtR plug-in) require valid challenge-response packets, so risk of potential abuse is very low because attacker need to intercept communications before.
4. It's hard to use Rainbow Tables. Because of challenge-response attacker need to spoof challenge, e.g. to mount MITM attack in adjacent network.

Thus we agree with Siemens, they don't need to release a patch (src = http://www.darkreading.com/vulnerability-management/167901026/security/news/240146748/scada-password-cracking-tool-for-siemens-s7-plcs-released.html)

PS. Yes, we know a bit about SSL. Prooflink: http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html

PPS. Yes, there are situations where  you don't need to brute HMAC-SHA-1 to get S7 password. But...






1 comment:

  1. Hello Everybody,
    My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of $250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of $250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius, call/whats-App Contact Number +918929509036 via email:(urgentloan22@gmail.com) Thank you.

    ReplyDelete