Earlier this week the DHS ICS-CERT folks published a follow-up advisory to an earlier alert about multiple vulnerabilities in the Sinapsi eSolar family of devices. The original uncoordinated disclosure was made by Roberto Paleari and Ivan Speziale.
Four vulnerabilities have been identified and confirmed by the vendor. They are:
• Hard-coded credentials – CVE-2012-5862;
• SQL injection – CVE-2012-5861;
• Operating system command injection – CVE-2012-5863; and
• Broken session enforcement – CVE-2012-5864
Note: the CVE links are not yet active as of 11-23-12 06:00 EST; they will be in the near future.
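As an added illustration (not code from the advisory, from Paleari and Speziale, or from Sinapsi; the firmware itself is not reproduced here), the following Python models two of the four classes above, SQL injection and OS command injection, in the form they typically take in a device Web interface: a login query assembled by string formatting and a diagnostic "ping" command assembled from a user-supplied host name, each beside a hardened version. The users table, the credential in it, and the ping diagnostic are constructed assumptions for the example, not details of the eSolar products.

```python
import re
import sqlite3

# Constructed sample data: a tiny credential table standing in for
# whatever store a real device firmware would use (assumption).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    db.commit()
    return db

# --- SQL injection: string-built query vs. bound parameters -----------------

def login_vulnerable(db, name, password):
    """Attacker text is spliced into the SQL, so quotes and OR/-- become syntax."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()

def login_hardened(db, name, password):
    """Bound parameters: the driver passes values separately from the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()

# --- OS command injection: shell string vs. validated argv ------------------

def ping_command_vulnerable(host):
    """Built for os.system()/shell=True: ';', '|', '$(...)' are shell operators."""
    return "ping -c 1 " + host

# Allow-list for a host name or dotted IPv4 (RFC 1123 label rules); anything
# else, including spaces and shell metacharacters, is rejected outright.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def ping_command_hardened(host):
    """Validate, then return an argv list for subprocess.run(argv, shell=False)."""
    if not _HOST_RE.match(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login with bypass string:", login_vulnerable(db, "nobody", bypass))
    print("hardened login with bypass string:  ", login_hardened(db, "nobody", bypass))
    print("vulnerable ping command:", ping_command_vulnerable("127.0.0.1; cat /etc/passwd"))
    try:
        ping_command_hardened("127.0.0.1; cat /etc/passwd")
    except ValueError as e:
        print("hardened ping command:", e)
```

The vulnerable login returns the admin row for a password of `' OR '1'='1` without knowing the credential; the hardened one returns nothing because the bound value is never parsed as SQL. The hardened ping builder never hands a string to a shell at all, so even a host that slips past the allow-list cannot chain a second command.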
A relatively unskilled attacker could use the publicly available exploit code to attack the affected systems remotely. Depending on the vulnerability exploited, arbitrary code could be executed or confidentiality could be compromised.
Sinapsi has new firmware for the affected devices, and it is available via the system menu in the device's Web interface. In other words, these devices are specifically designed to face the Internet, contrary to the ICS-CERT recommendation made in this advisory (and, actually, in all ICS-CERT publications).
The advisory also notes that: “Sinapsi released the new firmware on Monday, November 19, 2012 directly to the devices.” This implies (I’m being generous) that Sinapsi has designed these devices to specifically be remotely reconfigured by someone other than the owner without the owner’s consent or knowledge.
Device security certainly does not seem to be a matter of concern with this vendor. In fact, this vendor seems to have taken 'insecure by design' to a new level: designed to be insecure. Why bother with these patches?
It is only in the Mitigation section of this advisory that we learn that these vulnerabilities may affect devices from other vendors. The advisory would not be expected to list these vendors until they confirm that they have addressed the vulnerabilities. The original alert listed:
• Enerpoint eSolar Light;
• Schneider Electric Ezylog Photovoltaic Management Server;
• Gavazzi Eos-Box; and
• Astrid Green Power Guardian
Actually, the original exploit was developed for the Schneider device.