Earlier this week the DHS ICS-CERT folks published a follow-up
advisory to an earlier
alert about multiple vulnerabilities in the Sinapsi eSolar family of
devices. The original uncoordinated
disclosure was made by Roberto Paleari and Ivan Speziale.
Multiple Vulnerabilities
Four vulnerabilities have been identified and confirmed by the vendor. They are:
• Hard-coded credentials – CVE-2012-5862;
• SQL injection – CVE-2012-5861;
• Operating system command injection – CVE-2012-5863; and
• Broken session enforcement – CVE-2012-5864.
Note: the CVE links are not yet active as of 11-23-12 06:00
EST; they will be in the near future.
A relatively unskilled attacker could use the publicly available exploit code to remotely attack the affected systems. Depending on the vulnerability exploited, arbitrary code could be executed or confidentiality could be compromised.
Mitigation
Sinapsi has new firmware for the affected devices, and it is available via the system menu in the device's Web interface. That means these devices are specifically designed to face the internet, contrary to the ICS-CERT recommendation made in this advisory (and, in fact, in all ICS-CERT publications).
The advisory also notes that: “Sinapsi released the new firmware on Monday, November 19, 2012 directly to the devices.” This implies (I'm being generous) that Sinapsi has designed these devices to be remotely reconfigured by someone other than the owner, without the owner's consent or knowledge.
Device security certainly does not seem to be a matter of
concern with this vendor. In fact, this vendor seems to have taken ‘insecure by
design’ to a new level; designed to be insecure. Why bother with these patches?
Multiple Vendors
It is only in the Mitigation section of this advisory that
we learn that these vulnerabilities may affect devices from other vendors. The
advisory would not be expected to list these vendors until they confirm that
they have addressed the vulnerabilities. The original alert listed:
• Enerpoint eSolar Light;
• Schneider Electric Ezylog Photovoltaic Management Server;
• Gavazzi Eos-Box; and
• Astrid Green Power Guardian.
Actually, the original exploit was developed for the
Schneider device.