This afternoon the DHS ICS-CERT published an advisory for multiple vulnerabilities in the Janitza UMG power quality measuring products. The vulnerabilities were reported by Mattijs van Ommeren of Applied Risk. Janitza has produced new firmware and documentation to mitigate these vulnerabilities, but there is no indication that van Ommeren has been provided an opportunity to verify the efficacy of the fixes.
The vulnerabilities include:
• Weak password protection, CVE-2015-3972;
• Weak session token generation, CVE-2015-3973;
• Hard-coded password, CVE-2015-3968;
• Privilege escalation, CVE-2015-3971;
• Persistent cross-site scripting, CVE-2015-3970;
• Cross-site request forgery, CVE-2015-3967; and
• Information disclosure, CVE-2015-3960.
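The advisory does not describe how the session tokens are generated, so the following is an added illustration of the vulnerability class (weak session token generation) and not Janitza's code: a token generator seeded from the clock, a few lines that recover that seed from one observed token and then predict the next tokens, and the CSPRNG-backed generator that closes the gap. The seed value, the time window and the token format are assumptions for the demonstration.

```python
import random
import secrets


def weak_token(seed: int) -> str:
    """Deliberately weak: a 32-bit token from a PRNG seeded with a clock value.
    The whole token space collapses to the range of plausible seeds."""
    rng = random.Random(seed)
    return "%08x" % rng.getrandbits(32)


def strong_token() -> str:
    """Hardened form: 128 bits from the OS CSPRNG; no seed to recover."""
    return secrets.token_hex(16)


def recover_seed(observed: str, approx_time: int, window: int = 300):
    """Brute-force the seed by trying every second within +/- window of the
    attacker's guess of when the token was issued. Returns the seed or None."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate) == observed:
            return candidate
    return None


def predict_tokens(seed: int, count: int) -> list:
    """Once the seed is known, tokens for the next `count` seconds are
    computable before the server ever issues them."""
    return [weak_token(seed + i) for i in range(1, count + 1)]


if __name__ == "__main__":
    # Constructed scenario: the server issued a token at an (assumed) epoch second.
    issued_at = 1443000000
    captured = weak_token(issued_at)
    # The attacker only knows roughly when the token was issued (17 s off here).
    seed = recover_seed(captured, issued_at + 17)
    print("recovered seed:", seed, "predicted next:", predict_tokens(seed, 3))
    print("strong token (not recoverable this way):", strong_token())
```

The point for a device operator is that the fix for this class is not a longer token but an unpredictable source: `secrets` (or `os.urandom`) rather than a clock-seeded PRNG, which is what the new firmware would have to change for CVE-2015-3973.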
ICS-CERT reports that exploits targeting these vulnerabilities are publicly available, and that a moderately skilled attacker could use them remotely to adjust system parameters, manipulate measurement values, change the function of the device, and compromise the availability, integrity and confidentiality of the device and of dependent systems.
In addition to new firmware, ICS-CERT reports that Janitza has produced a new manual [.PDF download] on how to set up a secure TCP/IP connection on most of the affected devices. In addition to setting up that secure connection the manual also addresses:
• Changing the passwords for FTP, the homepage and the display; and
• Configuring the device's internal firewall.
This advisory was originally released to the US-CERT Secure Portal on September 22nd. This is apparently the vulnerability that I reported being on the Secure Portal back on October 5th.