Yesterday, I posted a link to the advisory in GE Fanuc’s knowledge base.  For today, here are some more links of interest regarding these vulnerabilities:

The latter two links actually credit us with discovering and reporting the vulnerability.

 

If you’ve been looking for my slides from the SCADA Summit that included information on the GE Fanuc iFIX vulnerabilities that I discovered and reported, then you’re still out of luck, but this is just as good, really.  If you’re an end-user of iFIX, or a penetration tester/red-team member testing installations of iFIX products, this is really all the info you need:

It’s a pretty good prose description of the vulnerabilities, in more detail than I was expecting from them.  Boiling it down to a couple of bullet points, these vulnerabilities encompass the following issues (trying not to put it in more detail than their write-up):

  • Password storage is done in an easily reversible manner
  • “Network” authentication involves passing the file over Windows shares without additional encryption/protection
  • Authentication of users can be bypassed, as iFIX’s security measures for managing users’ access run in the context of the currently-logged-in Windows user that is running the iFIX system.
  • Features that prevent operators from exiting the HMI screen can be bypassed with an auto-run capable USB drive (such as U3).

There are some excellent suggestions for end-users that would allow them to mitigate the impact of these vulnerabilities until they are fixed in a future release of iFIX.  There’s good advice in there, even if you’re running something other than iFIX for your HMI.

Enjoy!

Edit: Quick edit for clarity.

 

Hopefully I won’t be asked to take this one down:

I was just looking for hours of operation for the Picabu buffet/cafeteria here at Disney’s Dolphin resort while I’m here for the SANS SCADA Summit.  I just can’t do anything anymore without stumbling across something security related, I guess.

If you haven’t spotted what’s “wrong” in the above image, don’t feel bad.  It’s an oldie but goodie:

This is a Word 97 (yeah, the nineties) macro virus that will randomly change the names of documents you create to “Ethan Frome”.  The computer used to create the document is infected with it.  Don’t panic though, because:

  • The document above has been exported to PDF, so it’s safe and isn’t spreading the Ethan Frome macro virus.
  • There only seems to be one malicious variant of this macro virus, and it modifies your autoexec.bat (lol) to format your C: drive…

Not much more than a curiosity :) .  I have a friend who had the misfortune of having his resume retitled “Ethan Frome” from this same macro virus several years ago.  He didn’t realize it till I pointed it out.  Funny stuff.

I met some great people at the Summit today (or rather, yesterday.  It’s late.), and I’m looking forward to attending some more talks in the morning.

 

I’ve had to (at least temporarily) remove the slides from my previous post.  

Hopefully they’ll be back in at least some form at some point.

Edit: A few folks have asked: SANS did not ask for the slides to be removed.  They’re totally cool, and have been great to me and the other speakers during this conference.

 

I’m all settled in at the Walt Disney Dolphin resort hotel, registered for the SANS SCADA Summit, and just finished up going over my slides one more time.

I’m going to go ahead and make the slides available now, so anyone interested in attending the talk tomorrow can go ahead and get them.  If you’re not at the Summit, then here’s your little slice of it:

  • Sorry, not here anymore (right-click, save as)

It’s about 3 megs (pictures :) , and they compressed ugly when I tried).

<redacted>

Edit: A few folks have asked: SANS did not ask for the slides to be removed.  They’re totally cool, and have been great to me and the other speakers during this conference.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha