Today the DHS ICS-CERT published two control system security advisories for products from Ecava and BINOM3. They also updated a previously published advisory for products from Moxa; that advisory was originally published on October 13th, 2016.
This advisory describes an SQL injection vulnerability in the Ecava IntegraXor. The vulnerability was reported by Brian Gorenc and Juan Pablo Lopez via the Zero Day Initiative. Ecava has produced a software update to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability. That exploit could lead to arbitrary data leakage, data manipulation, and remote code execution.
This advisory describes multiple vulnerabilities in the BINOM3 Electric Power Quality Meter. The vulnerabilities were reported by Karn Ganeshen. ICS-CERT reports that BINOM3 has not provided any mitigation measures for these vulnerabilities.
The reported vulnerabilities are:
• Cross-site scripting - CVE-2017-5164;
• Improper access control - CVE-2017-5162;
• Cross-site request forgery - CVE-2017-5165;
• Information exposure - CVE-2017-516; and
• Hard-coded password - CVE-2017-5167.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities. Such an exploit could cause the device to inaccurately report a range of electrical quality measurements.
Just a quick note that ICS-CERT has made another modification to their new advisory format. They have added a new section: Background. It provides information about the vulnerable device/application, including affected sectors, where the device/application is used, and where the vendor is located.
The Moxa update provides new information, including:
• Notification that the vulnerabilities also affect the ioLogik E2200 series devices;
• Affected version information for the ioLogik E2200 series devices; and
• Links for downloads of the firmware updates for the ioLogik E2200 series devices.