6.2 Medium
AI Score
Confidence
Low
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.822 High
EPSS
Percentile
98.4%
On March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity’s CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. The ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.
ICS-CERT has prepared this advisory to provide an initial summary of the possible vulnerabilities contained in this exploit pack. Please note that at this time, the information contained in this report is not conclusive, nor is it comprehensive. This report represents a cursory and credible snapshot of the vulnerabilities that are likely contained in the pack, based on the analysis conducted by ICS-CERT.
Immunity’s CANVAS is a penetration framework similar to the popular Metasploit tool. GLEG is a small company based in Moscow, Russia, that produces add-on exploit packages for Canvas. On March 22, 2011, GLEG’s CEO, Yuriy Gurkin, announced that its website was under a distributed denial-of-service (DDoS) attack with traffic exceeding 100 Gb per day. The source and intent of this traffic is unknown at this time.
ICS-CERT contacted Immunity and obtained a general list of the targeted products and exploits (with very limited vulnerability details) contained in the Agora SCADA+ Exploit Pack. ICS-CERT has analyzed the data and surmises that of the 24 vulnerabilities, 18 are previously known and patched. One product could not be identified from the information provided. After consultation with the affected vendors, it appears that the remaining five may be true zero-day vulnerabilities. However, because the technical details of the vulnerabilities are not known, ICS-CERT’s analysis is not conclusive and vendors may have a difficult time addressing and patching these suspected vulnerabilities.
ICS-CERT contacted each of the identified vendors to inform them of the GLEG product. Some vendors have reached out to GLEG directly for additional information. ICS-CERT is also attempting to work with GLEG to obtain additional information and will update this reporting it as it becomes available.
ICS−ALERT-11-080-01 Multiple Vulnerabilities in Siemens Tecnomatix Factorylink
ICS−ALERT-11-080-02 Multiple Vulnerabilities in Iconics Genesis (32 & 64)
ICS−ALERT-11-080-03 Multiple Vulnerabilities ion 7-Technologies IGSS
ICS−ALERT-11-080-04 Multiple Vulnerabilities in Realflex RealWin
Table 1. Known vulnerabilities likely included in the Agora SCADA+ Pack
P****roduct |
Exploit
|
CVE
|
ICS-CERT Advisory
—|—|—|—
Indusoft SCADA web studio 7.0 heap corruption
|
Heap corruption
|
|
**
SCADA Trace Mode Data Center
|
File
disclosure
|
None
|
**
IGSS SCADA odbc server
|
DoS
|
None
|
ICSA-11-018-02 − IGSS ODBC Server Remote Heap Corruption
OPC Modbus Ethernet
OPC Server
|
DoS
|
|
ICSA-10-322-02A - Automated Solutions OPC Server Vulnerability
ITS scada
|
SQL
Injection
|
None
|
Demo website according to vendor, no ICS Product produced
Automated Solutions
Modbus/TCP OPC Server
|
Remote Heap Corruption
|
|
ICSA-10-322-02A - Automated Solutions OPC Server Vulnerability
BACnet OPC client before 1.0.25
|
Arbitrary code execution
|
|
ICSA-10-264-01 - SCADA Engine BACnet OPC Client Buffer Overflow
Advantech Studio 6.1 Web server
|
DoS
|
|
ICSA-10-337-01 − Advantech_Studio_Buffer_Overflow
ICONICS Dialog Wrapper Module ActiveX control
|
Exploit
|
|
BECK GMBH, INDUSTRIAL PC -
|
IPC@CHIP DoS
|
|
BECK GMBH, INDUSTRIAL PC -
|
IPC@CHIP credentials stealing
|
|
SafeNet Sentinel Protection Server <= 7.4.1.0 +
Sentinel Keys Server <= 1.0.4.0
DATARATE SCADA <= 2.5
|
Directory Traversal
|
|
SCADA MOXA Device Manager Tool 2.1
|
Buffer Overflow
|
|
ICSA-10-301-01 - Moxa Device Manager Buffer Overflow
Ecava IntegraXor
|
Web directory traversal
|
|
GE Fanuc Real Time Information Portal 2.6.
|
|
|
Citect SCADA ODBC
|
Buffer
Overflow
|
|
Invensys Wonderware InFusion SCADA (and other products) ActiveX.
|
|
|
ICSA-10-208-01-Wonderware ArchestrA ActiveX ControlThere is no URL for this document because it was released exclusively on the US-CERT portal.
DATAC RealWin SCADA 1.06
|
Buffer Overflow Exploit
|
|
ICSA-10-313-01 - RealWin Buffer Overflows
** Vulnerability is known, but technical details are currently unknown
Five vulnerabilities appear to be true zero-day vulnerabilities. Because the technical details of the vulnerabilities are unknown, ICS-CERT’s analysis is not conclusive and vendors may have a difficult time addressing and patching these suspected vulnerabilities. ICS-CERT has contacted the affected vendors and provided them with the available information. Some vendors have reached out to GLEG directly for additional information. ICS-CERT will continue to work with the affected vendors and will provide analysis support as needed. Also, ICS-CERT will update this report as needed.
ICS-CERT recommends that asset owners and operators routinely audit their systems and apply updates as they become available or when possible. As with all system changes, administrators should consult their control systems vendor prior to making any control system changes.
Organizations observing suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
The Control System Security Program provides numerous recommended practices ICS-CERT CONTACT for control systems on the US-CERT website. Several relevant recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=GLEG%20Agora%20SCADA%2B%20Exploit%20Pack+https://www.cisa.gov/news-events/ics-advisories/icsa-11-096-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-11-096-01&title=GLEG%20Agora%20SCADA%2B%20Exploit%20Pack
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-11-096-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-11-096-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=GLEG%20Agora%20SCADA%2B%20Exploit%20Pack&body=www.cisa.gov/news-events/ics-advisories/icsa-11-096-01