This afternoon the DHS ICS-CERT published an alert on an uncoordinated disclosure of multiple vulnerabilities in the Sinapsi eSolar Light Photovoltaic System Monitor. The disclosure was made by Roberto Paleari and Ivan Speziale, who described the vulnerable system as being the Schneider Electric Ezylog photovoltaic SCADA management server. ICS-CERT notes that the Italian company (Sinapsi) produces the system, which is used by multiple vendors, including Schneider Electric.
The multiple vulnerabilities reported were:
• Hard-coded Credentials
• SQL Injection
• Command Execution
• Broken Session Enforcement
Tomorrow’s ICS-CERT Alerts?
Joel Langill reports on his SCADAHacker Blog that Gleg has released SCADA+ Exploit Pack V 1.18, which includes 0-day exploits for three separate SCADA systems: Elipse E3, Carel PlantVisor, and QNX FTPD. Joel has a brief synopsis of the vulnerabilities. I would expect ICS-CERT to address these vulnerabilities tomorrow. I suspect that these may be advisories instead of alerts; there were some TWEETS® sometime last month about Gleg-related releases on the secure US CERT server.