Vulnerability Signature Update - General Electric

Date post: 19-Oct-2021
Page 1: Vulnerability Signature Update - General Electric

For Versions 1.12+

This OpShield Vulnerability Signature Update contains 4 new signatures for products such as Ecava IntegraXor, Red Lion, AutomationDirect, and G-Cam. It also contains 9 updated signatures for IBM Java, Apache Tomcat and HP Intelligent Management Center.

To update your OpShield signatures:

Log into the OpShield management console.

1. Navigate to the Policy page. Click the Signature tab.
2. Click the Import button to open the Import Signature File (.asg) dialog.
3. There are two ways to import signatures into the database:
4. Click Select files to browse for and select the file.
5. Drag and drop a file into the drop files here to upload area.
6. Once you have selected the Vulnerability Signature Update file, the Import Signature Files dialog will close and the OpShield will import the signatures into its database.

Vulnerability Signature Update
March 2017 - Document WST-0014-015

OpShieldSignature_0053-R1.12-2017-03.asg
MD5 A0A246A65443E542358EE7B24859F90D
SHA-1 6E1A9CB01AB043AB81FD4361B580535DF61C5FEA

New Signatures

ID    Signature Name                                                          CVSS 2.0 Score
1091  Ecava IntegraXor getdata SQL Injection                                  7.5
1092  Red Lion, AutomationDirect Managed Switches Hard-coded TLS Key          10.0
1093  Red Lion, AutomationDirect Managed Switches Hard-coded SSH Key          10.0
1094  CVE-2017-5173 G-Cam Improper Neutralization of Special Character        10.0

Updated Signatures

ID    Signature Name                                                                  CVSS 2.0 Score
832   IBM Java com.ibm.rmi.util.ProxyUtil Sandbox Breach                              5.6
836   IBM Java Multiple Packages Sandbox Breach                                       5.6
710   Apache Tomcat FileUpload Content-Type Header Infinite Loop                      5.0
838   Nagios XI Autodiscovery Arbitrary Command Execution                             8.5
743   Apache Struts URL and Anchor tag includeParams OGNL Command Execution           6.2
719   HP LeftHand Virtual SAN Appliance hydra Diag Processing Buffer Overflow         7.4
726   HP Intelligent Management Center Directory Traversal/Information Disclosure     5.8
732   Apache Struts OGNL Expressions DefaultActionMapper Code Execution               7.5
733   Apache HTTP Server mod_rewrite RewriteLog Command Execution                     5.0

New Signature Descriptions

Signature 1091 - Ecava IntegraXor getdata SQL Injection

CVSS Base 7.5
CVSS Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)

This signature detects the exploitation of a vulnerability described in ICSA-17-031-02.

A user-input field sent to the HTTP getdata endpoint is not sufficiently sanitized, which leads to SQL injection into the Microsoft Access database of IntegraXor. Successful exploitation of this vulnerability would lead to unauthenticated database read and write, with the possibility of ultimately being used to achieve remote code execution.

More Information
https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8341
http://www.zerodayinitiative.com/advisories/ZDI-17-058/
http://www.zerodayinitiative.com/advisories/ZDI-17-059/

Signature 1092 - Red Lion, AutomationDirect Managed Switches Hard-coded TLS Key

CVSS Base 10.0
CVSS Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)

This signature detects the exploitation of vulnerabilities outlined in ICSA-17-054-02.

The SSL/TLS certificate used for HTTP web access is static and hard-coded to all devices. A successful exploitation would lead to the decryption of any encrypted web traffic, which leads to the disclosure of login credentials and other sensitive information.

More Information
https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9335
https://cwe.mitre.org/data/definitions/321.html

Signature 1093 - Red Lion, AutomationDirect Managed Switches Hard-coded SSH Key

CVSS Base 10.0
CVSS Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)

This signature detects the exploitation of vulnerabilities outlined in ICSA-17-054-02.

The SSH keys used for remote console access are static and hard-coded to all devices. A successful exploitation would lead to the decryption of any encrypted console traffic, which leads to the disclosure of login credentials and other sensitive information.

More Information
https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9335
https://cwe.mitre.org/data/definitions/321.html

Signature 1094 - CVE-2017-5173 G-Cam Improper Neutralization of Special Character

CVSS Base 10.0
CVSS Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)

This signature detects the exploitation of a vulnerability described in ICSA-17-045-02.

Geutebrück's G-Cam is vulnerable to an improper neutralization of special character attack when certain HTTP requests are sent. Certain POST requests are passed to the host operating system without filtering special characters, which then allows an attacker to append other operating system commands. A successful exploitation of this vulnerability would allow an attacker to achieve remote code execution.

https://ics-cert.us-cert.gov/advisories/ICSA-17-045-02
http://randorisec.fr/anonymous-rce-on-geutebruck-ip-cameras/

Updated Signature Descriptions

Signature 832 - IBM Java com.ibm.rmi.util.ProxyUtil Sandbox Breach

CVSS Base 5.6
CVSS Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)

This signature addresses a sandbox breach in older versions of IBM Java. An attacker could exploit this vulnerability by getting the victim to open a malicious website with the issue embedded, which would allow the attacker to execute Java code beyond the intended limits of the sandbox.

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4820

Signature 836 - IBM Java Multiple Packages Sandbox Breach

CVSS Base 5.6
CVSS Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)

This signature addresses a sandbox breach in older versions of IBM Java. An attacker could exploit this vulnerability by getting the victim to open a malicious website with the issue embedded, which would allow the attacker to execute Java code beyond the intended limits of the sandbox.

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4822

Signature 710 - Apache Tomcat FileUpload Content-Type Header Infinite Loop

CVSS Base 5.0
CVSS Vector (AV:N/AC:L/Au:N/C:N/I:N/A:P)

This signature addresses an infinite loop vulnerability in Apache Tomcat. Specifically, malformed headers of multipart messages can trigger a resource-exhausting infinite loop, creating a denial of service condition on the server.

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://secunia.com/advisories/56750

Signature 838 - Nagios XI Autodiscovery Arbitrary Command Execution

CVSS Base 8.5
CVSS Vector (AV:N/AC:M/Au:S/C:C/I:C/A:C)

This signature addresses a command execution vulnerability in Nagios XI. Autodiscovery requests are insufficiently sanitized and validated. Successful exploitation of this issue would allow an attacker to inject arbitrary commands as root.

More Information
http://seclists.org/fulldisclosure/2013/Feb/10
http://secunia.com/advisories/52011

Signature 743 - Apache Struts URL and Anchor tag includeParams OGNL Command Execution

CVSS Base 6.2
CVSS Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)

This signature addresses a vulnerability in Apache Struts OGNL expressions. The way anchor and url tags are passed via Struts creates a scenario where the tags will parse everything that is passed to them and allow OGNL expressions to be evaluated when it is not intended.

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115
http://struts.apache.org/development/2.x/docs/s2-014.html

Signature 719 - HP LeftHand Virtual SAN Appliance hydra Diag Processing Buffer Overflow

CVSS Base 7.4
CVSS Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

This signature addresses a buffer overflow in HP LeftHand Virtual SAN Appliances. Insufficient validation of Diag requests leads to a condition where an authenticated user could gain remote code execution on the appliance in the context of the user running the application (root).

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3283
http://secunia.com/advisories/52110

Signature 726 - HP Intelligent Management Center Directory Traversal/Information Disclosure

CVSS Base 5.8
CVSS Vector (AV:N/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)

This signature detects exploitation of issues described in ZDI-13-057, ZDI-13-058 and ZDI-13-061.

These vulnerabilities allow remote attackers to obtain sensitive information on vulnerable installations of Hewlett-Packard Intelligent Management Center. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the acmServletDownload, SyslogDownloadServlet, and DownloadServlet servlets. These servlets contain directory traversal vulnerabilities that allow any file readable by SYSTEM to be disclosed. By abusing this behavior an attacker can disclose administrative credentials and possibly leverage this situation to achieve remote code execution.

More Information
http://www.zerodayinitiative.com/advisories/ZDI-13-057/
http://www.zerodayinitiative.com/advisories/ZDI-13-058/
http://www.zerodayinitiative.com/advisories/ZDI-13-061/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5206
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5208
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5211

Signature 732 - Apache Struts OGNL Expressions DefaultActionMapper Code Execution

CVSS Base 7.5
CVSS Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)

This signature addresses a vulnerability in Apache Struts OGNL expressions. Insufficient sanitization of particular expressions (specifically action, redirect, or redirectAction) lets an attacker inject code into a vulnerable system.

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
http://www.securityfocus.com/bid/61189

Signature 733 - Apache HTTP Server mod_rewrite RewriteLog Command Execution

CVSS Base 5.0
CVSS Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

This signature addresses a command execution vulnerability in Apache HTTP webserver. Certain logfile interactions are not sufficiently sanitized, allowing an attacker to inject commands when writing to the file.

More Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862
http://www.apache.org/dist/httpd/CHANGES_2.2.25

Purpose-built security solution for industrial and process control environments

Turn it on today. Sleep well tonight.

The nature of OT security risk is changing. More devices are connected, the air gap is disappearing, and the threat landscape continues to expand. If continuous operations are mission critical to your organization, Wurldtech can help.

OpShield is designed to support and protect your critical processes and control strategy. Specifically designed for operational technology (OT) environments, OpShield provides:

Visibility into what's happening on the OT network
Enforcement of OT policy across the control systems network
Easy system deployment into existing environments

OpShield delivers defense-in-depth via a modular solution that scales to accommodate complex and harsh ICS and SCADA environments.

It's easy to install in existing operational environments -- no network re-engineering, no downtime required.

NEXT STEPS
For more information or a product trial, please contact Wurldtech sales:
Toll Free: 1877 369 6674
Email: [email protected]

MODEL DESCRIPTIONS
OpShield 3000 (8-port, 1U Server)
OpShield 300 (4-port, ruggedized)
OpShield 300 (8-port, ruggedized)

Features

Inspects and controls OT protocol traffic down to the command level

Monitors industrial protocols and delivers security alerts to the management console and 3rd party SIEM tools

Enforces security policy across the OT network

Segments the OT network via drag and drop virtual zoning without OT network configuration changes

Simplifies security administration with easy to use graphical interfaces - no CLI required

Protects control systems and assets with minimal or no production disruption

Secures the OT network with vulnerability signatures
