CVE-2018-11311 in myPRO
Summary
by MITRE
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
Analysis
by VulDB Data Team • 08/12/2024
The vulnerability identified as CVE-2018-11311 represents a critical security flaw in the mySCADA myPRO 7 industrial control system software. This vulnerability stems from the inclusion of hardcoded credentials within the executable file myscadagate.exe, which is part of the broader mySCADA ecosystem designed for industrial automation and monitoring. The presence of these hardcoded credentials creates a persistent security weakness that significantly undermines the overall security posture of industrial networks relying on this software. The vulnerability specifically affects the FTP server component that operates on port 2121, making it accessible to remote attackers who possess the knowledge of the hardcoded credentials.
The flaw consists of a fixed username 'myscada' and password 'Vikuk63' embedded directly in the myscadagate.exe binary. This violates basic secure-design principles, including least privilege, and is a textbook instance of the CWE-798 weakness (use of hard-coded credentials). Because the credentials live in the executable, they can be recovered with ordinary string extraction or reverse engineering and must therefore be treated as public. The result is an access point that is effectively unauthenticated: a remote party who knows the fixed credentials needs no additional authentication factor and no complex attack chain to reach the FTP service.
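To make the weakness concrete, the following is an added example in Python; it is not mySCADA's code and does not reproduce myscadagate.exe. It places a login check with credential literals compiled into the program (constructed placeholder values, not the real ones) beside a hardened version that loads a salted password hash from configuration supplied by the operator and compares it in constant time. The FTP_USER / FTP_PASSWORD_HASH variable names and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# --- Vulnerable pattern: credential literals compiled into the program ---
# Constructed placeholder values. Anyone who extracts strings from the binary
# (or reads an advisory) can log in, and operators cannot rotate them.
HARDCODED_USER = "placeholder-user"
HARDCODED_PASS = "placeholder-pass"


def ftp_login_vulnerable(user: str, password: str) -> bool:
    """Accepts one fixed credential pair baked into the executable."""
    return user == HARDCODED_USER and password == HARDCODED_PASS


# --- Hardened pattern: per-deployment credential, stored only as a salted hash ---
PBKDF2_ITERATIONS = 600_000  # assumed tuning; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex' for the operator to place in the service config."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash checked for unknown usernames so a failed lookup costs about the same time
# as a real one (avoids username enumeration through response timing).
_DUMMY_HASH = hash_password("dummy-value-never-valid")


def ftp_login_hardened(user: str, password: str, config: Dict[str, str]) -> bool:
    """config maps username -> stored hash and is loaded from outside the binary."""
    stored = config.get(user)
    if stored is None:
        verify_password(password, _DUMMY_HASH)
        return False
    return verify_password(password, stored)


def load_config_from_env() -> Dict[str, str]:
    """Assumed deployment contract: FTP_USER and FTP_PASSWORD_HASH set by the operator."""
    user = os.environ.get("FTP_USER")
    stored = os.environ.get("FTP_PASSWORD_HASH")
    return {user: stored} if user and stored else {}


if __name__ == "__main__":
    # Usage sketch: the operator generates the hash once and stores it in config.
    print("FTP_PASSWORD_HASH=" + hash_password("choose-a-long-passphrase"))
```

The point of the hardened half is that the executable holds no secret at all: what ships in the binary is the verification routine, and the credential is a per-site value that can be rotated without a rebuild.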
From an operational impact perspective, this vulnerability exposes industrial control systems to significant risk of unauthorized access and potential compromise. Remote attackers who discover these hardcoded credentials can perform various malicious activities including uploading malicious files to the FTP server, listing directory contents, and potentially executing arbitrary code on the target system. The ability to upload files creates a persistent threat vector that could allow attackers to establish backdoors, deploy malware, or conduct further reconnaissance within the industrial network. This vulnerability directly impacts the confidentiality, integrity, and availability of industrial control systems, potentially leading to operational disruptions or even physical safety hazards in critical infrastructure environments.
The attack surface for this vulnerability extends beyond simple credential theft, as it provides attackers with a foothold that can be leveraged for lateral movement within industrial networks. In MITRE ATT&CK terms, this vulnerability supports initial access and persistence tactics, allowing adversaries to establish a presence within the industrial control environment. The impact is particularly concerning in industrial settings where operational technology (OT) networks often have limited security monitoring and may not be properly segmented from corporate networks. Organizations using mySCADA myPRO 7 are exposed for as long as the affected version is deployed, because a credential compiled into the binary cannot be rotated by administrators; the weakness persists until the software is patched or replaced.
Mitigation requires prompt action from affected organizations: network segmentation to isolate industrial control systems from general corporate networks, network monitoring that flags unexpected FTP traffic to port 2121, and application of the vendor's update that removes the hardcoded credential. Where the update cannot be applied immediately, compensating controls such as firewall rules that restrict access to port 2121 to a small set of trusted engineering hosts reduce the exposure. Organizations should also assess their other industrial control systems for further instances of hardcoded credentials and adopt credential management practices that align with NIST SP 800-125 guidance for secure software development and configuration management.
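The monitoring and firewall-rule controls above, as an added Python example that is not part of the advisory and not VulDB's or mySCADA's code. It parses constructed firewall/flow log lines (key=value after a timestamp, an assumed format) and reports every TCP connection to port 2121 on a SCADA server that did not come from the engineering allowlist; the subnet values are assumptions chosen for the example, and the same `is_permitted_ftp_source` check is what the compensating firewall rule would encode.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed firewall/flow log lines for the example; not real myPRO or site data.
SAMPLE_LOG = """\
2024-08-12T10:01:02Z src=10.20.5.7 dst=10.20.1.50 dport=2121 proto=tcp action=allow
2024-08-12T10:01:09Z src=10.20.5.7 dst=10.20.1.50 dport=443 proto=tcp action=allow
2024-08-12T10:02:41Z src=192.168.77.23 dst=10.20.1.50 dport=2121 proto=tcp action=allow
2024-08-12T10:03:15Z src=203.0.113.8 dst=10.20.1.50 dport=2121 proto=tcp action=allow
2024-08-12T10:04:00Z src=203.0.113.8 dst=10.20.1.50 dport=2121 proto=tcp action=deny
"""

MYPRO_FTP_PORT = 2121  # port named in the advisory

# Assumed topology: SCADA servers in one subnet, engineering workstations in
# another, everything else inside the plant in RFC 1918 space.
SCADA_SERVERS = ipaddress.ip_network("10.20.1.0/24")
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse 'timestamp key=value ...' into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    fields["ts"] = m.group("ts")
    return fields


def is_permitted_ftp_source(src: str) -> bool:
    """The compensating firewall rule: only engineering hosts may open myPRO FTP."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ENGINEERING_ALLOWLIST)


def analyze(log_text: str) -> List[Finding]:
    """Return a finding for every myPRO FTP connection the rule would not permit."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("proto") != "tcp":
            continue
        if int(f.get("dport", "0")) != MYPRO_FTP_PORT:
            continue
        if ipaddress.ip_address(f["dst"]) not in SCADA_SERVERS:
            continue
        if is_permitted_ftp_source(f["src"]):
            continue
        src_ip = ipaddress.ip_address(f["src"])
        internal = any(src_ip in net for net in INTERNAL_RANGES)
        if f.get("action") == "allow":
            # An allowed session from outside the allowlist means the rule is missing
            # or misordered; from outside the plant entirely it is the worst case.
            severity = "high" if internal else "critical"
            reason = "allowed myPRO FTP connection from a host outside the engineering allowlist"
        else:
            severity = "info"
            reason = "myPRO FTP attempt blocked by firewall (rule working as intended)"
        findings.append(Finding(f["ts"], f["src"], f["dst"], severity, reason))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.ts} {finding.src} -> {finding.dst}: {finding.reason}")
```

Denied attempts are still reported at informational level because a steady stream of blocked connections to port 2121 from one source is worth a look even when the firewall is doing its job.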