ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD

Title: ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
Advisory ID: ZSL-2022-5698
Type: Local/Remote
Impact: System Access, DoS, Cross-Site Scripting, Manipulation of Data
Risk: (4/5)
Release Date: 22.02.2022
Summary
Scadaflex II controllers are 100% web-based for both configuration and user interface. No applications are required other than any standard web browser. They are easily supported by remote access over the Internet or a cellular link. Scadaflex II controllers support industry-standard wired communications using Modbus, DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial bridging for Modbus or any other protocol. Each Scadaflex II controller has both analog and digital inputs and outputs, sufficient for pumping stations, irrigation controls, and other similar process monitoring and control applications. They can also serve as communications concentrators and protocol converters that enhance the operation of existing PLCs and process equipment.
Description
The SCADA controller is vulnerable to unauthenticated file write/overwrite and delete. This allows an attacker to perform critical file CRUD operations on the device, which can potentially allow system access and impact availability.
Vendor
Industrial Control Links, Inc. - http://www.iclinks.com
Affected Version
SW: 1.03.07 (build 317), WebLib: 1.24
SW: 1.02.20 (build 286), WebLib: 1.24
SW: 1.02.15 (build 286), WebLib: 1.22
SW: 1.02.01 (build 229), WebLib: 1.16
SW: 1.01.14 (build 172), WebLib: 1.14
SW: 1.01.01 (build 2149), WebLib: 1.13
Tested On
SCADA HTTP Server
Vendor Status
[06.11.2021] Vulnerability discovered.
[16.01.2022] Vendor contacted.
[21.02.2022] No response from the vendor.
[22.02.2022] Public security advisory released.
PoC
sflex.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-25359
[3] https://packetstormsecurity.com/files/166103
[4] https://cxsecurity.com/issue/WLB-2022020117
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/220156
[6] https://vulners.com/zeroscience/ZSL-2022-5698
[7] https://www.exploit-db.com/exploits/50783
[8] https://www.cisa.gov/uscert/ncas/bulletins/sb22-059
[9] https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-01
[10] https://industrialcyber.co/cisa/string-of-ics-vulnerabilities-detected-in-hardware-deployed-across-critical-infrastructure-sectors/
Changelog
[22.02.2022] - Initial release
[23.02.2022] - Added reference [5], [6] and [7]
[05.03.2022] - Added reference [8]
[10.04.2023] - Added reference [9]
[28.03.2024] - Added reference [10]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk