Message-ID: <542D750C.6020801@outpost24.com>
Date: Thu, 02 Oct 2014 17:53:48 +0200
From: Martin Jartelius <mj@...post24.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-3110 SCADA XSS and patch review of Honeywell Falcon XLWEB

Hello list,

This post is a follow-up on the one made a few days ago on Honeywell SCADA controllers.

On Tuesday Outpost24 released information regarding CVE-2014-2717, affecting the Honeywell XLWEB Falcon SCADA controllers. In the original ICS-CERT publication a second security researcher's work is also mentioned: Juan Francisco Bolivar, a security researcher from Spain. His findings concerned XSS (Cross Site Scripting) vulnerabilities in the SCADA controller. Earlier we did not have access to the disclosure, and had not tested the controller for any injection or output validation deficiencies.

The original CVE has a relatively low impact score, but after Mr Bolivar got in contact we had the possibility of jointly reviewing our findings. As the Outpost24 security team had also reached elevated privileges, the extra insights meant that we today verified both non-authenticated XSS attacks as well as a form of attack which is executed once a user following the link has authenticated. This latter attack means it is possible to perform requests in the context of an authenticated user via directed attacks.

Reviewing the exposure of those devices on the Internet reveals that roughly 800 devices remain accessible over the internet, and from the sample of 50 a total of 0 were patched to a safe version. The split between versions, and an unauthenticated test to see what version a device is currently at, are provided in the new blog post, together with a full disclosure of three different XSS attacks against the platform.

Blog with disclosure: http://www.outpost24.com/update-to-advisory-on-honeywell-scada/
NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3110

As mentioned, unresolved issues remain and the devices should be isolated from public networks, just as the vendor recommends.

/*Written by Martin Jartelius, CSO at Outpost24 in collaboration with Francisco Bolivar, IT Security Engineer*/

--
Best Regards,
------------------------------------------------------------------------------------------
Martin Jartelius
CSO
Outpost24 AB
Bastionsgatan 6A | 371 32 Karlskrona | Sweden
E: mj@...post24.com
W: outpost24.com
B: blog.outpost24.com
Outpost24 - Vulnerability Management Made Easy!

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/