*The product; * "The RUGGEDCOM RS900 is a 9-port utility-grade, fully managed Ethernet switch, specifically designed to operate reliably in electrically harsh and climatically demanding environments." Source: http://w3.siemens.com/mcms/industrial-communication/en/rugged-communication/ruggedcom-portfolio/switches-routers-layer-2/compact-switches/Pages/rs900.aspx *Devices affected:* RUGGEDCOM RS900 (however, other models of RUGGEDCOM switches may be affected as well) *Firmware/configuration affected:* RS900 Order Code RS900-HI-D-MT-MT-MT-XX Boot version v3.0.2 Main version 4.2.1 Required Boot 2.20.0 Hardware ID RS900 (v2, 40-00-0066) *Vulnerability type: Denial of Service.* Successful exploiting this vulnerability are very simple - by sending a limited numbers of ICMP packages does the CPU max to 65% load and stop responding during the attack. Via a serial connection to the router diagnostic page, it can be seen that the router CPU max up to 65% and stop responding to e.g. a running ping command. *Overall CVSS Score:* 7.5 (Version3) CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H **Mitigation/workaround;* None know at the moment. *EXPLOITABILITY* These vulnerabilities could be exploited remotely. *EXISTENCE OF EXPLOIT* No known public exploits specifically target these vulnerabilities. *DIFFICULTY* An attacker with a low skill would be able to exploit these vulnerabilities. *Credits:* This vulnerability was found by Carsten Borup Andersen and Mikael Vingaard, based on the work of the other researchers, who found the Black Nurse vulnerability. For details pls see www.blacknurse.dk
Using trivial reversing of firmware, it possible to retrieve a undocumented backdoor (username/password) from
below mentioned 3G/4G Wimax Cpe Router models. This credential gives - in most cases - full access to the router.
Each firmware are 'service provider centric', and I has even discovered that some providers allows control
with the device with a blank password from a non-rfc 1918 IP address (aka. inside the provider network).
Based on public available firmware, it is found that the following models are affected; (Other HUAWEI models may also be affected.)
Based on the firmware investigated, and general deployment of above models, this vulnerability
most likely affects one (or more) service provider(s) in the following countries;
Indonesia (Confirmed, based on available firmware)
Iran (Confirmed, based on available firmware)
Madagascar (Confirmed, based on available firmware)
Nigeria (Confirmed, based on available firmware)
Ukraine (Confirmed, based on available firmware)
It is most likely that other countries are affected as well, as above models are used, at least, in these countries:
Bahrain,Cote d'Ivoire,Libya, Philippines
Above products has reached "End-of-life" and are not supported by the vendor.
Devices should be decommissioned and replaced with new supported devices.
Communication: This was reported to CERT.org , and the following reference was given: VU#226671
Before starting researching, some credentials was found in a SCADA honeypot.
09. Feb 2016; several different hardcoded credentials found in various firmware versions, multiple device models affected.
09. Feb Initial email, with technical details send to Huawei PSIRT (firstname.lastname@example.org)
10. Feb Confirmation of email received from Huawei PSIRT asking not to disclose issue before they had time to investigate (possible delay due to Chinas new year)
14. Feb Huawei PSIRT writes back and informs that the credential are not undocumented, they are just in a undisclosed documentation strictly for vendors, hence they are closing the case.
14. Feb Notified CERT.org of issue, and advised I was in dialogue with Huawei PSIRT.
14. Feb Wrote Huawei PSIRT with further technical information for additional findings and asked if I could be allowed to see the documentation.
15. Feb Cert.org assigns vulnerabilities to VU#226671
24. Feb wrote a kind reminder to Huawei PSIRT asking for status.
25. Feb Huawei PSIRT advises that I am not allowed to see the documentation (only for vendors) and technical staff investigates other findings.
29. Feb Huawei PSIRT advise that items are "not to worry". I replies and thanks for the assistance, and that I will make a blog entry.
As alway in my findings, I will encourage people to change devices from "End-Of-Life" to newer supported devices.
02. Mar Blog entry published.
It has been a time since I have posted, Life has been busy and I have just returned from the EnergySec conference.
I am now getting ready for the 4SICS (4 SCADA, Industrial Control System) in Stockholm , where I am looking forward
to present another SCADA research project "Who controls your industrial control systems?”,
Qouting from the website 4SICS.se - home of 4SICS:
"4SICS – Stockholm international summit on cyber-security in SCADA and Industrial Control Systems.
4SICS is an annual summit that gather the most important ICS/SCADA cyber security stakeholders across critical industries (i.e.
energy, oil & gas, water, transportation and smartgrid etc).
I am so trilled to see a SCADA conference in the Nordics and do hope to see you there - it an amazing lineup of speakers :-)
I am very happy to have been invited to speak at EnergySec's 11th Anniversary Security Summit
To qoute from the website: " Since 2005, there have been many security conferences established in the energy sector tackling everything from technical SCADA security topics to security legislation and compliance to plant physical security. We believe we are one of the oldest and most mature summits, bringing the most relevant and timely security topics to the forefront of discussion."
The Presentation are titled "Please, Come and Hack my SCADA System!" and will deals with HoneyPot's in the Energy sector.
University of Michigan - SCADA Scanning -
I noticed a interesting trend in the log files of the honeypot networks I am handling.
A /24 network range belonging to University of Michigan, showed a interest for e.g ModBus (port 502/TCP) The scans was found across many of my different honeypots placed in Europe/US.
In reply to my abuse rapport, i did receive the following;
"These connections are part of an Internet-wide research study being conducted by computer scientists at the University of Michigan. The research involves making benign connection attempts to every public IP address. By measuring the entire public address space, we are able to analyze global patterns and trends in protocol deployment and security.
If our scans are causing problems, we would be happy to exclude your host or network from future research scans from the University of Michigan. Simply send us your IP address or CIDR prefix.
Alternatively, you can configure your firewall to drop traffic from the subnets we use for scanning:
220.127.116.11/24 and 18.104.22.168/24"
My suggestion: You might consider to block above network ranges, unless you (and your SCADA equipment) want to participate in University of Michigan's SCADA Research.
During the last weeks, I have seen an interesting trend in my network of honeypot servers.
The logs shows an increasing numbers of failed SSH (TCP:port 22) logins attempts.
The attacker first tries the following combination of password and user name:
username: PlcmSpIp password: PlcmSpIp
Above combination are the factory default access for many Polycom.com's products
e.g. the SoundPoint SIP (VOIP) phones.
Immediately afterwards the attacker tries the combination of root:TANDBERG
This happens to be the default password/user name on Tandberg/Cisco boardroom
videoconferencing systems. The attackers comes from a few network ranges based
in China ('home based/private users' ISP), but the behavior has been spotted on several honeypots
spread over several geographical locations (both in the US and in Europe).
The best way to avoid this types of compromises are to change the default password(s)
before putting such system on-line.