This year we want to discuss Green Energy: our hackers' vision of Green Energy, SmartGrids and cloud IoT technology. Our latest research was devoted to the architecture and implementation of the most widespread platforms for wind and solar energy generation, platforms behind many gigawatts of capacity. It may seem (not) surprising, but the systems which manage huge turbine towers and household photovoltaic plants are not only connected to the Internet but also prone to many well-known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chance for security.
Tuesday, December 30, 2014
Sunday, December 28, 2014
SOS! Secure Open SmartGrids!
Dear all,
After our 31C3 talk "Too SmartGrid in da Cloud" we got many questions about vulnerabilities in solar and wind plants and in Internet-connected SmartGrid devices. Guys, sorry, but we don't know yet.
There are dozens of platforms, hundreds of vendors, thousands of SmartGrid device models, and millions of units connected to the Internet without any protection. But you can change the situation.
Join our SCADASOS project to make the world safer!
Labels:
digital substation,
energy,
scadasos,
smartgrid
Location:
Hamburg, Germany
Tuesday, December 16, 2014
Well, Honeywell
New knowledge about the Honeywell Experion Process Knowledge System (PKS). Yes, you must patch it.
Yes, it's all about grep, plus one SSRF (server-side request forgery).
Thanks to Alexander Tlyapov, Gleb Gritsai, Kirill Nesterov, Artem Chaykin and Ilya Karpov
Honeywell advisory/patch:
https://www.honeywellprocess.com/library/support/Public/Documents/ExperionPKS.R311.Server.Patch282.PAR1-2VNCSKZ_SCN.pdf
Sorry for the delay. It can wait.
Labels:
digital substation,
energy,
EPK,
honeywell,
smartgrid,
Vulnerabilities
Location:
İstanbul, Turkey
Tuesday, November 18, 2014
BootKit via SMS
Labels:
4G,
pacsec,
Releases,
Vulnerabilities
Location:
Tokyo, Japan
Wednesday, October 29, 2014
Different type of SCADA...
Update: http://blog.ptsecurity.com/2015/01/hacking-atm-with-raspberry-pi.html
Slides and demo from Olga's and Alex's talk on ATM hacking at Black Hat Europe. MS08-067 (the 2008 Windows Server service RCE, CVE-2008-4250) strikes again, now in ATMs.
There are a lot of different kinds of SCADA...
Labels:
atm,
Releases,
speeches,
Vulnerabilities
Location:
Amsterdam, The Netherlands
Thursday, October 9, 2014
What is my encryption key?
An update to our earlier update for WinCC < 7.3: the same issues and fixes now apply to Siemens SIMATIC PCS 7 < 8.1.
Details: https://ics-cert.us-cert.gov/advisories/ICSA-14-205-02A
Monday, September 1, 2014
A few bugs in Wonderware Information Server
Vulnerabilities/fixes in Schneider Electric/Invensys Wonderware Information Server (WIS), to keep up the tradition.
The following Schneider Electric WIS versions are affected:
- Wonderware Information Server 4.0 SP1 Portal,
- Wonderware Information Server 4.5 Portal,
- Wonderware Information Server 5.0 Portal, and
- Wonderware Information Server 5.5 Portal.
Labels:
Invensys,
Releases,
Schneider Electric,
Vulnerabilities,
Wonderware
Location:
Stockholm, Sweden
Not by SCADA alone: ATM hack @BH Europe
Location:
Amsterdam, The Netherlands
Wednesday, July 23, 2014
Siemens SIMATIC WinCC 7.3: Vulnerabilities/Fixes
New version of WinCC, new features, new advisories, new vulnerabilities. Kudos to Gleb Gritsai, Dmitry Nagibin and Alexander Tlyapov.
CVE-2014-4682/HTTP/sensitive data (session) leakage
CVE-2014-4683/HTTP/remote privilege escalation (useful together with CVE-2014-4682 and CVE-2013-3958)
CVE-2014-4685/Local/a lot of funny stuff with Windows IPC objects
CVE-2014-4686/RPC/hardcoded key in the authentication sequence/our new favorite slide
Details in SSA-214365.
Labels:
Releases,
Siemens,
Vulnerabilities,
WinCC
Location:
Daejeon, South Korea
Tuesday, June 10, 2014
Confidence 2014 slides and releases
Nice update by @atimorin.
Slides and tools:
http://www.slideshare.net/AlexanderTimorin/scada-deep-inside-protocols-and-security-mechanisms
https://github.com/atimorin/scada-tools
Also a hint from Code Monkey Hate Bug: https://twitter.com/jadamcrain/status/476098591816450048
Sunday, June 8, 2014
Positive Hack Days IV
At Positive Hack Days IV (www.phdays.com) we had a lot of fun.
First of all, we released more details about new vulnerabilities in Siemens WinCC OA, S7-1200 and S7-1500 PLCs, ABB, SmartGrid and SCADA in the cloud.
Please check out the slides.
Monday, May 26, 2014
Emerson DeltaV Vulnerabilities/Fixes
DeltaV Versions 10.3.1, 11.3, 11.3.1, and 12.3
Emerson AMS Device Manager and Emerson AMS Wireless SNAP-ON may also be affected.
CVE-2014-2349 - World writable system folder
CVE-2014-2350 - Hardcoded credentials
Please find fixes in KBA NK-1400-0031.
Kudos: Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov and Timur Yunusov
Emerson has assigned a CVSS v2 base score of 2.4; the CVSS vector string is (AV:L/AC:H/Au:S/C:N/I:P/A:P).
Hmmm, 2.4? Really? BTW
Details
Enjoy
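A world-writable system folder (CVE-2014-2349) is cheap to find and cheap to fix, so here is a check worth keeping in the toolbox. This is an added example, not code from the post or from Emerson's KBA: it audits a tree for entries writable by "other", ranks them (a non-sticky world-writable directory is the worst case, since anyone can drop or replace files a privileged service later loads), and clears the bit. The sample install tree, its names and mode bits are constructed here. DeltaV runs on Windows, where effective access is decided by ACLs that os.stat() does not expose; there, audit with icacls instead, and use this script on POSIX hosts or shares.

```python
"""Audit a tree for world-writable files and directories (POSIX mode bits).

Added example; not from the SCADA StrangeLove post or Emerson's KBA. The
sample tree and its modes are constructed below for illustration.
"""
import os
import stat
import tempfile


def world_writable(root):
    """Return {posix_relative_path: kind} for every entry under root whose mode
    grants write to 'other'. kind is 'dir' (anyone can drop or replace files),
    'dir+sticky' (like /tmp: new files can be planted, others' files cannot be
    renamed) or 'file' (direct tampering). Symlinks are skipped: their own mode
    bits are meaningless and os.walk reaches the real target separately."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if stat.S_ISDIR(mode):
                findings[rel] = "dir+sticky" if mode & stat.S_ISVTX else "dir"
            else:
                findings[rel] = "file"
    return findings


def harden(root):
    """Clear the 'other' write bit on every non-sticky finding; return the count."""
    fixed = 0
    for rel, kind in world_writable(root).items():
        if kind == "dir+sticky":
            continue  # a sticky world-writable dir is usually intended (tmp/spool)
        path = os.path.join(root, *rel.split("/"))
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IWOTH)
        fixed += 1
    return fixed


def build_sample_tree():
    """Constructed fixture resembling an install tree with one of each case."""
    root = tempfile.mkdtemp(prefix="ww_audit_")
    for d in ("bin", "cache", "spool"):
        os.mkdir(os.path.join(root, d))
    for rel in ("bin/service", "cache/state.db"):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(b"stub")
    os.chmod(os.path.join(root, "bin"), 0o755)
    os.chmod(os.path.join(root, "bin", "service"), 0o755)
    os.chmod(os.path.join(root, "cache"), 0o777)            # the CVE-2014-2349 pattern
    os.chmod(os.path.join(root, "cache", "state.db"), 0o666)
    os.chmod(os.path.join(root, "spool"), 0o1777)           # sticky, like /tmp
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, kind in sorted(world_writable(sample).items()):
        print(f"{kind:10s} {rel}")
    print("hardened", harden(sample), "entries; remaining:", world_writable(sample))
```

Run it against a real install root instead of the fixture, and treat every "dir" hit under a path a service loads binaries or configuration from as the CVSS-2.4-that-is-not-really-2.4 case above.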
Monday, May 5, 2014
Too Smart Grid in da Cloud
Vulnerabilities/fixes in the Solar-Log solar plant data logger (http://www.solar-log.net/).
PT-2014-08: Password Access in Solar-Log
PT-2014-07: Sensitive Information Disclosure in Solar-Log
PT-2014-06: Arbitrary File Upload in Solar-Log
Thursday, March 20, 2014
Time is compressing...
Update for previous post. New fixes for Siemens S7 1200 PLC.
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-654382.pdf
Enjoy.
Labels:
1200,
PLC,
Releases,
Siemens,
Vulnerabilities
Location:
Alaska, USA
Saturday, March 15, 2014
All your PLC are belong to us (2)
Fixes for Siemens S7 1500 PLC are published.
Thanks to Yury Goltsev, Ilya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin.
There are a lot of them, but the combination of authentication bypass (insufficient entropy, CVE-2014-2251) and a hardcoded SNMP community string (once again; no CVE, unfixed) is the best.
Links
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-456423.pdf
http://ics-cert.us-cert.gov/advisories/ICSA-14-073-01
Some good stuff for 1200/TIA portal in queue.
Enjoy...
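The "insufficient entropy" bug class behind CVE-2014-2251 is worth a check you can run against any web-exposed PLC or HMI: collect a few hundred session tokens and measure how predictable they are before you trust them. The script below is an added example (not code from the post, from Siemens, or from the scada-tools repo); the 8-hex-character token format, the counter-style weak generator and the thresholds are assumptions for illustration, not the S7-1500's real scheme. It reports per-character entropy (a constant column is 0 bits), sums them as an upper bound on the token's effective bits, and looks at the entropy of differences between consecutive tokens, which exposes counter- and timestamp-based IDs even when every character looks busy.

```python
"""Estimate how guessable a sample of session tokens is.

Added example (not from the SCADA StrangeLove post or the Siemens advisory):
a statistical check for the 'insufficient entropy' class (CVE-2014-2251).
Token formats, the weak generator and the thresholds are assumptions.
"""
import math
import secrets
from collections import Counter


def shannon_bits(symbols):
    """Shannon entropy in bits of an iterable of hashable symbols."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def position_entropy(tokens):
    """Per-character entropy across the sample; a constant column scores 0 bits."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("tokens must share one length")
    return [shannon_bits(t[i] for t in tokens) for i in range(width)]


def delta_entropy(tokens):
    """Entropy of the differences between consecutive tokens (hex -> int).
    Counter-style generators yield (almost) identical deltas, i.e. ~0 bits."""
    values = [int(t, 16) for t in tokens]
    deltas = [b - a for a, b in zip(values, values[1:])]
    return shannon_bits(deltas)


def assess(tokens, min_effective_bits=64.0, min_delta_bits=2.0):
    """Summarise a token sample. 'effective_bits' sums the per-position
    entropies, an upper bound (columns may be correlated): a low value is
    conclusive, a high one is merely not alarming. Thresholds are assumptions."""
    per_pos = position_entropy(tokens)
    effective = sum(per_pos)
    delta = delta_entropy(tokens)
    return {
        "effective_bits": round(effective, 2),
        "constant_positions": [i for i, e in enumerate(per_pos) if e == 0.0],
        "delta_bits": round(delta, 2),
        "predictable": effective < min_effective_bits or delta < min_delta_bits,
    }


# Constructed sample generators (assumptions, not any real firmware's code).
def counter_tokens(n, base=0xA1B2C3D0, step=0x10):
    """Weak: a 32-bit counter rendered as 8 hex chars, as a sequential-ID scheme would."""
    return [f"{(base + i * step) & 0xFFFFFFFF:08x}" for i in range(n)]


def strong_tokens(n, nbytes=16):
    """Reference: 128-bit tokens from the OS CSPRNG."""
    return [secrets.token_hex(nbytes) for _ in range(n)]


if __name__ == "__main__":
    print("counter :", assess(counter_tokens(256)))
    print("random  :", assess(strong_tokens(256)))
```

For the counter sample the report shows five constant columns, zero delta entropy and well under 16 effective bits, so a session could be hijacked by guessing; the CSPRNG sample stays above both thresholds. Feed real captured tokens (one per line, same length) into assess() in the same way; a sample of 200 to 500 tokens is enough to catch the gross cases this check is for.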
Labels:
1500,
PLC,
Releases,
Siemens,
Vulnerabilities
Location:
Sevastopol, Sevastopol' city, Ukraine
Wednesday, February 5, 2014
Fixes for SIMATIC WinCC Open Architecture (SSA-342587/ICSA-14-035-01)
Good news! The Large Hadron Collider is safer now. Fixes have been published for several vulnerabilities in SIMATIC WinCC OA, all versions prior to 3.12 P002.
Preauth RCE CVE-2014-1697
Path Traversal CVE-2014-1698
Preauth DoS CVE-2014-1699
Weak password "encryption" CVE-2014-1696
Kudos Gleb Gritsai, Ilya Karpov, and Kirill Nesterov.
Fixes and info
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-342587.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-14-035-01
Enjoy
PS. It's all about slide 50 there.
Labels:
Releases,
Vulnerabilities,
WinCC OA
Location:
Sochi, Krasnodar Krai, Russia
Saturday, January 4, 2014
30C3 releases: all in one
Thank you everybody for the awesome Chaos Communication Congress.
Just a collection of our 30C3 releases in one post.
ICS/SCADA/PLC Google/Shodan Cheat Sheet
http://scadastrangelove.blogspot.com/2013/12/internet-connected-icsscadaplc30c3.html
THC Hydra with Siemens S7-300 support
http://scadastrangelove.blogspot.com/2013/12/hydra-vs-siemens-s7-30030c3-release.html
Slides and video from the SCADA Strangelove 2 talk. Beware: Russian accent!
Labels:
30c3,
phdays,
Releases,
Siemens,
Vulnerabilities,
Wonderware,
Yokogawa
Location:
Hamburg, Germany