GLEG Agora SCADA+ Exploit Pack
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
On March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity’s CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. The ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.
ICS-CERT has prepared this advisory to provide an initial summary of the possible vulnerabilities contained in this exploit pack. Please note that at this time, the information contained in this report is not conclusive, nor is it comprehensive. This report represents a cursory and credible snapshot of the vulnerabilities that are likely contained in the pack, based on the analysis conducted by ICS-CERT.
Immunity’s CANVAS is a penetration framework similar to the popular Metasploit tool. GLEG is a small company based in Moscow, Russia, that produces add-on exploit packages for Canvas. On March 22, 2011, GLEG’s CEO, Yuriy Gurkin, announced that its website was under a distributed denial-of-service (DDoS) attack with traffic exceeding 100 Gb per day. The source and intent of this traffic is unknown at this time.
ICS-CERT contacted Immunity and obtained a general list of the targeted products and exploits (with very limited vulnerability details) contained in the Agora SCADA+ Exploit Pack. ICS-CERT has analyzed the data and surmises that of the 24 vulnerabilities, 18 are previously known and patched. One product could not be identified from the information provided. After consultation with the affected vendors, it appears that the remaining five may be true zero-day vulnerabilities. However, because the technical details of the vulnerabilities are not known, ICS-CERT’s analysis is not conclusive and vendors may have a difficult time addressing and patching these suspected vulnerabilities.
ICS-CERT contacted each of the identified vendors to inform them of the GLEG product. Some vendors have reached out to GLEG directly for additional information. ICS-CERT is also attempting to work with GLEG to obtain additional information and will update this reporting it as it becomes available.
ICS−ALERT-11-080-01 Multiple Vulnerabilities in Siemens Tecnomatix Factorylink
ICS−ALERT-11-080-02 Multiple Vulnerabilities in Iconics Genesis (32 & 64)
ICS−ALERT-11-080-03 Multiple Vulnerabilities ion 7-Technologies IGSS
ICS−ALERT-11-080-04 Multiple Vulnerabilities in Realflex RealWin
Table 1. Known vulnerabilities likely included in the Agora SCADA+ Pack
Indusoft SCADA web studio 7.0 heap corruption
SCADA Trace Mode Data Center
IGSS SCADA odbc server
OPC Modbus Ethernet
Demo website according to vendor, no ICS Product produced
Remote Heap Corruption
BACnet OPC client before 1.0.25
Arbitrary code execution
Advantech Studio 6.1 Web server
ICONICS Dialog Wrapper Module ActiveX control
BECK GMBH, INDUSTRIAL PC -
BECK GMBH, INDUSTRIAL PC -
IPC@CHIP credentials stealing
SafeNet Sentinel Protection Server <= 22.214.171.124 +
SCADA MOXA Device Manager Tool 2.1
Web directory traversal
GE Fanuc Real Time Information Portal 2.6.
Citect SCADA ODBC
Invensys Wonderware InFusion SCADA (and other products) ActiveX.
ICSA-10-208-01-Wonderware ArchestrA ActiveX Controla
DATAC RealWin SCADA 1.06
Buffer Overflow Exploit
* Vulnerability predates ICS-CERT, therefore no Advisory was published
** Vulnerability is known, but technical details are currently unknown
Five vulnerabilities appear to be true zero-day vulnerabilities. Because the technical details of the vulnerabilities are unknown, ICS-CERT’s analysis is not conclusive and vendors may have a difficult time addressing and patching these suspected vulnerabilities. ICS-CERT has contacted the affected vendors and provided them with the available information. Some vendors have reached out to GLEG directly for additional information. ICS-CERT will continue to work with the affected vendors and will provide analysis support as needed. Also, ICS-CERT will update this report as needed.
ICS-CERT recommends that asset owners and operators routinely audit their systems and apply updates as they become available or when possible. As with all system changes, administrators should consult their control systems vendor prior to making any control system changes.
Organizations observing suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
The Control System Security Program provides numerous recommended practices ICS-CERT CONTACT for control systems on the US-CERT website. Several relevant recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
- a. There is no URL for this document because it was released exclusively on the US-CERT portal.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.