工控安全

对欧姆龙设备的一次全球统计报告(Omron fins protocol Global Census Report)

概述

欧姆龙是来自日本的知名电子和自控设备制造商,其中小型PLC在国内市场有较高的市场占有量,有CJ、CM等系列,PLC可以支持Fins,Host link等协议进行通信。

关于扫描识别

支持以太网的欧姆龙PLC CPU、以太网通信模块根据型号的不同,一般都会支持fins协议,一些模块也会支持EtherNet/IP协议,Omron fins协议使用TCP/UDP的9600端口进行通信,fins协议封装在TCP/UDP上进行通信,需要注意的是TCP模式下组包和UDP模式下在头部上有所差异。具体协议包的构造可以参考欧姆龙官方的协议文档。如下图可以使用fins命令中0501命令去请求PLC当前CPU的信息:
Omron_fins_Command
实现的基于NMAP的nse插件如下图:
fins_enumerate

扫描情况简介

针对欧姆龙fins协议的第一次扫描探测完成于1月30号,探测范围为全网IPv4地址,首轮发现有923套欧姆龙各种型号的PLC接入了公网。

全网扫描统计 Top20(2015/1/30)

图形化统计分布如下图:
Omron_fins_ICSMAP_2015_01_30

后记

1、欧姆龙作为日本领先的自控设备生产企业,而从得到的数据来看日本暴露的数量都不算太多,不知道这背后是不是还有其他深层次的原因?
2、还有一点值得提的是此类型PLC通讯端口一旦暴露在公网就意味是可以通过协议、软件等直接操作该PLC的所有功能(如果他没有设置等级存取密码),如果PLC需要跨地域进行远程通讯,在配置路由的端口映射时,建议同时还是给PLC设置权限密码,或者在防火墙添加可信的基于源地址的过滤,用来消减暴露在互联网的安全风险。
3、本博客用于进行工控设备安全风险态势统计和研究的扫描器目前已经设置了DNS反解标注(Reverse DNS record),使用域名为icsresearch1.plcscan.org,欢迎继续关注之后的更多工控设备统计报告或来信与我交流。

Hack For Fun

点我轻松一刻

omron_plc_exposed

About Z-0ne

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

最新工业控制系统漏洞

ICS-CERT Advisory Feed
Advantech WebAccess

This advisory includes mitigations for stack-based buffer overflow, external control of file name or path, improper privilege management, and path tra. . . read more Tue, 23 Oct 2018 10:10:09 EDT

GAIN Electronic Co. Ltd SAGA1-L Series

This advisory includes mitigations for authentication bypass by capture-relay, improper access control, and improper authentication vulnerabilities in. . . read more Tue, 23 Oct 2018 10:05:48 EDT

Telecrane F25 Series

This advisory includes mitigations for an authentication bypass by capture-replay vulnerability in the Telecrane F25 Series software.. . . read more Tue, 23 Oct 2018 10:00:54 EDT

Omron CX-Supervisor

This advisory includes mitigations for improper restriction of operations within the bounds of a memory buffer, out-of-bounds read, use-after-free, an. . . read more Wed, 17 Oct 2018 08:55:45 EDT

LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA

This advisory includes mitigations for untrusted pointer dereference, out-of-bounds read, integer overflow to buffer overflow, path traversal, out-of-. . . read more Tue, 16 Oct 2018 14:44:39 EDT

NUUO NVRmini2 and NVRsolo

This advisory includes mitigations for stack-based buffer overflow and leftover debug code vulnerabilities in NUUO's NVRmini2 and NVRsolo network. . . read more Thu, 11 Oct 2018 10:10:11 EDT

NUUO CMS

This advisory includes mitigations for use of insufficiently random values, use of obsolete function, incorrect permission assignment for critical res. . . read more Thu, 11 Oct 2018 10:05:11 EDT

Delta Industrial Automation TPEditor

This advisory includes mitigations for out-of-bounds write and stack-based buffer overflow vulnerabilities in the Delta Industrial Automation TPEditor. . . read more Thu, 11 Oct 2018 10:00:20 EDT

GE iFix

This advisory includes mitigations for an unsafe ActiveX control marked safe for scripting vulnerability in a Gigasoft component affecting GE’s iFix. . . read more Tue, 09 Oct 2018 10:30:34 EDT

Siemens SCALANCE W1750D

This advisory includes mitigations for a cryptographic issues vulnerability in Siemens' SCALANCE W1750D direct access point hardware.. . . read more Tue, 09 Oct 2018 10:25:37 EDT

Siemens ROX II

This advisory includes mitigations for improper privilege management vulnerabilities in the Siemens ROX II products.. . . read more Tue, 09 Oct 2018 10:20:19 EDT

Siemens SIMATIC S7-1200 CPU Family Version 4

This advisory includes mitigations for a cross-site request forgery vulnerability in the Siemens SIMATIC S7-1200 CPU products.. . . read more Tue, 09 Oct 2018 10:15:18 EDT

Siemens SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200SP Open Controller

This advisory includes mitigations for a denial of service from improper input validation vulnerability in the Siemens SIMATIC S7-1500, SIMATIC S7-150. . . read more Tue, 09 Oct 2018 10:10:22 EDT

Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server

This advisory includes information on the predictable from observable state, hidden functionality, and missing encryption of sensitive data vulnerabil. . . read more Tue, 09 Oct 2018 10:05:48 EDT

Fuji Electric Energy Savings Estimator

This advisory includes mitigations for an uncontrolled search path element (DLL Hijacking) vulnerability in the Fuji Electric Energy Savings Estimator. . . read more Tue, 09 Oct 2018 10:00:12 EDT

Carestream Vue RIS

This advisory includes mitigations for an information exposure through an error message vulnerability in the Carestream Vue RIS, a web-based radiology. . . read more Thu, 04 Oct 2018 10:10:11 EDT

Change Healthcare PeerVue Web Server

This advisory includes mitigations for an information exposure through an error message vulnerability in the Change Healthcare PeerVue Web Server.. . . read more Thu, 04 Oct 2018 10:05:49 EDT

WECON PI Studio

This advisory includes information on stack-based buffer overflow, out-of-bounds write, and out-of-bounds read vulnerabilities in WECON’s PI Studio. . . read more Thu, 04 Oct 2018 10:00:35 EDT

Delta Electronics ISPSoft

This advisory includes mitigations for a stack-based buffer overflow vulnerability in the Delta Electronics ISPSoft software.. . . read more Tue, 02 Oct 2018 10:10:16 EDT

GE Communicator

This advisory includes mitigations for a heap-based buffer overflow vulnerability in GE's Communicator, an application for programming and monito. . . read more Tue, 02 Oct 2018 10:05:06 EDT