This week there were three public control system security vulnerability disclosures; two published on the Full Disclosure web site and one on SecurityWeek.com. The affected devices include data loggers, network connection devices and PLCs.
On Wednesday Eduard Kovacs published an article about twin vulnerabilities in the Schneider Electric Modicon programmable logic controllers (PLCs) that were reported by Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg of OpenSource Security. The reported vulnerabilities were:
• Hardcoded encryption key; and
• Password sent in clear text
Schneider received notification of the vulnerabilities back in December, but some snafu occurred and no action was taken. OpenSource published the vulnerabilities on their web site (here and here) on Tuesday.
NOTE: I tweeted about this vulnerability on Wednesday.
On Thursday Karn Ganeshen announced multiple vulnerabilities in data loggers, meter monitors and electric meters from SenNet. The reported vulnerabilities are:
• No access control on the remote shell;
• Shell services running with excessive privileges;
• OS command injection (with POC); and
• Insecure transport
Ganeshen reported that the vendor has fixed the vulnerabilities and ICS-CERT will be issuing an advisory.
Network Connection Devices
On Thursday Karn Ganeshen announced SNMP vulnerabilities in network communication equipment from Cambium. The reported vulnerabilities are:
• SNMP community strings privileges are not enforced correctly;
• Device configuration backups – access control issues; and
Ganeshen also reports that the Cambium devices are also subject to the following design flaws that magnify the above vulnerabilities:
• It is possible to access full device configuration using SNMP. Device configuration includes usernames, passwords, SSIDs, keys, certificates, syslog config, and other network & wifi specific details.
• It is possible to trigger configuration backups, which can then be retrieved using SNMP.
• It is possible to wipe out and / or make changes to the device configuration remotely.
Ganeshen reports that ICS-CERT was notified on September 12th, 2016 and on April 5th Cambium announced that the vulnerabilities would be fixed in 2nd Quarter 2017.