CVE-2018-12634
📋 TL;DR
CVE-2018-12634 is an information disclosure vulnerability in CirCarLife Scada systems where unauthenticated attackers can access sensitive system information via direct requests to specific URIs. This affects all CirCarLife Scada installations before version 4.3. The vulnerability allows attackers to gather reconnaissance data that could facilitate further attacks.
💻 Affected Systems
- CirCarLife Scada
📦 What is this software?
Circarlife Scada by Circontrol
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain complete system information including configuration details, service status, and potentially credentials, enabling full system compromise and industrial control system disruption.
Likely Case
Attackers gather system information to plan targeted attacks, potentially leading to unauthorized access, data theft, or disruption of SCADA operations.
If Mitigated
Information exposure limited to non-critical data with proper network segmentation and access controls preventing exploitation.
🎯 Exploit Status
Simple HTTP GET requests to vulnerable endpoints; multiple public exploit scripts available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3 and later
Vendor Advisory: Not publicly documented by vendor
Restart Required: Yes
Instructions:
1. Download CirCarLife Scada version 4.3 or later from official vendor sources.
2. Back up the current configuration and data.
3. Install the updated version following vendor documentation.
4. Restart the SCADA system and verify functionality.
🔧 Temporary Workarounds
Web Server Access Control
Configure the web server to block access to the /html/log and /services/system/info.html endpoints (the Order/Deny directives below are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
# Apache: Add to .htaccess or virtual host config
<Location "/html/log">
Order deny,allow
Deny from all
</Location>
<Location "/services/system/info.html">
Order deny,allow
Deny from all
</Location>
# Nginx: Add to server block
location ~ ^/(html/log|services/system/info\.html) {
deny all;
return 403;
}
Network Segmentation
Restrict network access to the SCADA system using firewalls (the iptables ACCEPT rule must precede the DROP rule; the Windows rule below blocks all inbound port 80 traffic, so add an Allow rule scoped with -RemoteAddress for trusted hosts if needed)
# Example iptables rules
sudo iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
# Windows Firewall
New-NetFirewallRule -DisplayName "Block SCADA Web" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SCADA systems from untrusted networks
- Deploy web application firewall (WAF) with rules blocking access to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Use curl or a browser to test: curl -v http://target/html/log and curl -v http://target/services/system/info.html - if either returns 200 OK with a response body, the system is vulnerable.
Check Version:
Check web interface or system documentation for version information; no standard command available.
Verify Fix Applied:
Repeat vulnerability check commands; should return 404 or access denied. Verify system version is 4.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /html/log or /services/system/info.html requests
- Unusual access patterns to system information endpoints
- Multiple failed authentication attempts following information disclosure
Network Indicators:
- Unusual HTTP GET requests to sensitive endpoints from unauthorized IPs
- Traffic spikes to SCADA web interface
- Reconnaissance patterns from external sources
SIEM Query:
source="web_logs" AND (uri_path="/html/log" OR uri_path="/services/system/info.html") AND response_code=200
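The SIEM query above expressed as a stand-alone log check, as an added example that is not part of the original advisory: it parses web server lines in the common "combined" format, strips query strings, and reports successful (200) reads of the two advisory URIs per source address. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /html/log HTTP/1.1" 200 5120 "-" "curl/7.88.1"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /services/system/info.html HTTP/1.1" 200 2048 "-" "curl/7.88.1"
192.168.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /html/log HTTP/1.1" 403 199 "-" "python-requests/2.31"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /services/system/info.html?x=1 HTTP/1.1" 200 2048 "-" "curl/7.88.1"
"""

# The two endpoints named in the advisory.
SENSITIVE_PATHS = {"/html/log", "/services/system/info.html"}

# ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # compare the path without any query string
    rec["status"] = int(rec["status"])
    return rec

def find_disclosures(log_text):
    """Return (ip, path, timestamp) for every 200 response on a sensitive URI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in SENSITIVE_PATHS and rec["status"] == 200:
            hits.append((rec["ip"], rec["path"], rec["ts"]))
    return hits

def hits_per_source(hits):
    """Count disclosures per client address to surface repeated collection."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    found = find_disclosures(SAMPLE_LOG)
    for ip, path, ts in found:
        print(f"{ts} {ip} read {path}")
    print(dict(hits_per_source(found)))
```

The 403 line is correctly ignored (a blocked request is the workaround working), while the request with a query string is still caught because matching is done on the path alone.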
🔗 References
- https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life
- https://www.exploit-db.com/exploits/45384/
- https://www.seebug.org/vuldb/ssvid-97353