ICS-CERT: Koyo Ecom100 Brute Force Cracking Tool

Wednesday, February 15, 2012



This Alert Update is a follow-up to the original ICS-CERT Alert titled “ICS-ALERT-12-020-05—Koyo Ecom100 Multiple Vulnerabilities” that was published January 20, 2012, on the ICS-CERT web page.

ICS-CERT is aware of a public report of multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the Koyo ECOM100 Ethernet Module. This module is used to communicate between a PLC and the control system.

This report is based on information presented by Reid Wightman during Digital Bond’s SCADA Security Scientific Symposium (S4) on January 19, 2012. Vulnerability details were released without coordination with either the vendor or ICS-CERT.

A brute force password cracking tool has been released that targets the weak authentication vulnerability in the ECOM series modules. This tool may greatly reduce the time and skill level required to attack a vulnerable system.

ICS-CERT is attempting to notify the affected vendor of the report to ask the vendor to confirm the vulnerabilities and identify mitigations. ICS-CERT is issuing this alert to provide preliminary notice of the reported vulnerable products and to begin identifying baseline mitigations that can reduce the risk of cybersecurity attacks exploiting these vulnerabilities.

The report included vulnerability details and PoC exploit code for the following vulnerabilities:

Vulnerability Type: Weak Authentication (uses an 8-byte passcode)
Exploitability: Remote
Impact: Loss of Integrity

Vulnerability Type: Replay Attack
Exploitability: Remote
Impact: Loss of Integrity

Vulnerability Type: Web Server - No Authentication
Exploitability: Remote
Impact: Open Authentication / Loss of Integrity

Vulnerability Type: Web Server Buffer Overflow
Exploitability: Remote
Impact: Denial of Service

Vulnerability Type: Web Server Cross-Site Scripting (XSS)
Exploitability: Remote
Impact: Loss of Integrity

Vulnerability Type: Resource Exhaustion
Exploitability: Remote
Impact: Denial of Service and Web Server Crash

Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.

MITIGATION

ICS-CERT is currently coordinating with Koyo and the security researcher to identify useful mitigations.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-05A.pdf
