SCADA - EXPLOITING CVE-2015-0984 FOR SHELL ACCESS

This post is a follow-up detailing how to achieve control of the actual XLWEB SCADA controller. The vulnerability has been assigned the reference CVE-2015-0984. Rather than the application-level administrative access discussed in the email regarding CVE-2014-2717, this focuses on issues with the FTP, default accounts which could not be changed, and high privileges of the web server user, resulting in a simple shell on the server.

In this case we are looking at CVE-2015-0984, or ICSA-15-076-02, but we expect to be back with a second disclosure soon, when the vendor has had a chance to look at the latest finding, still pending a CVE, if one will be assigned.

For those interested in a more readable version of this disclosure and additional information, see http://ift.tt/1EdUqyZ

Please note that the CVE at NVD uses a different CVSS vector than the one in this disclosure or from ICS-CERT, stating partial confidentiality and no availability or integrity impact. As this gives shell access to the system, I am relatively certain the C:C/A:C/I:C is the correct evaluation.

_________________________

*BACKGROUND*

Honeywell is a US-based company that maintains offices worldwide.

The affected products, XLWeb controllers, are web-based SCADA systems. According to Honeywell, XLWeb controllers are deployed across several sectors including Critical Manufacturing, Energy, Water and Wastewater Systems, and others. Honeywell estimates that these products are used primarily in Europe and the Middle East.

_________________________

*VULNERABILITY OVERVIEW*

The vulnerability is defined as a PATH TRAVERSAL. By using a directory traversal vulnerability in the FTP server, it is possible to gain access to the web root directory.

A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C)

That is:

Access Vector – Network
Access Complexity – Low
Authentication – None
Source: Gmail -> IFTTT-> Blogger