Invensys published updates to fix CVE-2013-0688/CVE-2013-0684/CVE-2013-0686/CVE-2013-0685, discovered by the SCADA StrangeLove team during an assessment of ICS/SCADA based on ArchestrA System Platform. There are several trivial and some interesting bugs in Invensys Wonderware Information Server (WIS).
Patches (limited access): https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx
ICS-CERT advisory ICSA-13-113-01: https://ics-cert.us-cert.gov/advisories/ICSA-13-113-01
Credits:
Gleb Gritsai
Nikita Mikhalevsky
Timur Yunusov
Denis Baranov
Ilya Karpov
Vyacheslav Egoshin
Dmitry Serebryannikov
Alexey Osipov
Ivan Poliyanchuk
Evgeny Ermakov
Enjoy...
Thanks to the Invensys security team for collaboration and rapid fixes.
- SQLi ~10 instances
- XSS ~30 instances
- XXE/XXE OOB/“ADSI Injection” and other interesting stuff…