Full Disclosure mailing list archives
CVE-2014-3110 SCADA XSS and patch review of Honeywell Falcon XLWEB
From: Martin Jartelius <mj () outpost24 com>
Date: Thu, 02 Oct 2014 17:53:48 +0200
Hello list, This post is a follow up on the one made a few days ago on Honeywell SCADA controllers. On Tuesday Outpost24 released information regarding the CVE-2014-2717 affecting the Honeywell XLWEB Falcon SCADA controllers. In the original ICS CERT publication a second security researchers work is also mentioned, Juan Francisco Bolivar, a security researcher from Spain. His findings concerned XSS (Cross Site Scripting) vulnerabilities in the SCADA controller. Earlier we did not have access to the disclosure, and had not tested the controller for any injection or output validation deficiencies. The original CVE have a relatively low impact score, but after Mr Bolivar got in contact we had the possibility of jointly reviewing our findings. As the Outpost24 security team also had reached elevated privileges the extra insights meant that we today verified both non-authenticated XSS attacks as well as a form of attack which is executed once a user following the link have authenticated. This later attack means it is possible to perform requests in the context of an authenticated user via directed attacks. Reviewing the exposure of those devices on the Internet reveals that roughly 800 devices remain accessible over the internet, and from the sample of 50 a total of 0 were patched to safe version. The split between versions, and an unauthenticated test to see what version a device is currently at, are provided in the new blog post, also together with a full disclosure on three different XSS attacks against the platform. Blog with disclosure: http://www.outpost24.com/update-to-advisory-on-honeywell-scada/ NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3110 As mentioned, unresolved issues remain and the devices should be isolated from public networks, just as the vendor recommends. /*Written by Martin Jartelius, CSO at Outpost24 in collaboration with Francisco Bolivar, IT Security Engineer*/ -- Best Regards, ------------------------------------------------------------------------------------------ Martin Jartelius CSO Outpost24 AB Bastionsgatan 6A | 371 32 Karlskrona | Sweden E: mj () outpost24 com W: outpost24.com B: blog.outpost24.com Outpost24 - Vulnerability Management Made Easy! _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2014-2717 SCADA Privilege Escalation in Honeywell Falcon XLWEB Martin Jartelius (Sep 30)
- CVE-2014-3110 SCADA XSS and patch review of Honeywell Falcon XLWEB Martin Jartelius (Oct 02)