
Tuesday, May 17, 2016

[FD] [ICS] Meteocontrol WEB’log Multiple Vulnerabilities

*About MeteoControl WEB’log*

Meteocontrol is a Germany-based company that maintains offices in several countries around the world, including the US, China, Italy, Spain, France, Switzerland, and Israel. The affected products, WEB’log, are web-based SCADA systems that provide functions to manage energy and power configurations in different connected (energy/industrial) devices. According to Meteocontrol, WEB’log is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, and Water and Wastewater Systems. Meteocontrol estimates that these products are used primarily in Europe with a small percentage in the United States.

*Product details here:* http://ift.tt/27vxr06

*Multiple versions of this application are offered:*
- WEB'log Basic 100
- WEB'log Light
- WEB'log Pro
- WEB'log Pro Unlimited

All of Meteocontrol’s WEB’log versions / flavors share the same underlying design and are vulnerable. This product is deployed primarily in the Power & Energy domain and is used worldwide. It is rebranded in different countries; a few that I came across are as follows:
- WEB’log Pro (branded by Siemens) - US
- Powador-proLOG (branded by KACO new energy) - Germany
- Aurora Easy Control / Aurora Easy Control Basic (both branded by Power-One) - Italy
- Data Control Pro (branded by Mastervolt) - France

+++++

*Weak Credential Management*

The default login password is ist02, which gives easy administrative access to anyone.

Issue: A mandatory password change is not enforced by the application.

*Access Control Flaws*

CVE-2016-2296

All pages, functions, and data can still be accessed without an administrative login. This can be achieved by directly accessing the URLs. This includes access to configuration pages, the ability to change plant data, configured modbus/inverter devices and configuration parameters, and even rebooting the device.
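As an added example that is not part of the advisory: a small Python scanner an operator could run over the web-server or reverse-proxy access log of a WEB'log device to spot the direct URL access described here, from the defender's side. It flags the pages the advisory names when they are fetched from outside a management subnet, flags any hit on the CMD shell page regardless of source, and flags configuration POSTs from outside that subnet. The 10.10.0.0/24 management range, the combined log format and the sample log lines are constructed assumptions for this example.

```python
"""Added example (not from the advisory): scan a WEB'log access log for the
unauthenticated direct URL access the advisory describes, from the defender's
side. Log format, management subnet and sample lines are constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

# Pages the advisory reports as reachable without an administrative login.
SENSITIVE_PATHS = {
    "/html/en/confAccessProt.html": "admin-password-page",
    "/html/en/confUnvModbus.html": "modbus-config",
    "/html/en/ajax/viewunvmodbus.xml": "modbus-devices",
    "/html/en/xprtCmd.html": "cmd-shell",
}
# Assumption: only this subnet is supposed to manage the device.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Combined log format: src ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign fetch, three external hits on sensitive
# pages, one internal use of the CMD shell, and one unparseable line. Note the
# device answers 200 to all of them, so the status code alone tells nothing.
SAMPLE_LOG = """
10.10.0.5 - - [17/May/2016:10:01:02 +0000] "GET /html/en/index.html HTTP/1.1" 200 1532
203.0.113.7 - - [17/May/2016:10:02:11 +0000] "GET /html/en/confAccessProt.html HTTP/1.1" 200 2210
203.0.113.7 - - [17/May/2016:10:02:40 +0000] "GET /html/en/ajax/viewunvmodbus.xml?x=1 HTTP/1.1" 200 811
10.10.0.5 - - [17/May/2016:10:05:00 +0000] "GET /html/en/xprtCmd.html HTTP/1.1" 200 640
203.0.113.7 - - [17/May/2016:10:06:30 +0000] "POST /html/en/confUnvModbus.html HTTP/1.1" 200 120
this line is not a log entry
""".strip().splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def is_management_host(src: str) -> bool:
    """True only for addresses inside the management subnet(s)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or junk are treated as untrusted
    return any(addr in net for net in MANAGEMENT_NETS)


def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons this request deserves a look; an empty list means benign."""
    reasons = []
    tag = SENSITIVE_PATHS.get(entry["path"])
    external = not is_management_host(entry["src"])
    if tag == "cmd-shell":
        reasons.append("cmd-shell access")  # worth an alert from any source
    elif tag and external:
        reasons.append(f"{tag} fetched from outside management network")
    if entry["method"] == "POST" and entry["path"].startswith("/html/en/") and external:
        reasons.append("configuration POST from outside management network")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the parser and classifier; keep only the hits."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"src": entry["src"], "ts": entry["ts"],
                             "method": entry["method"], "path": entry["path"],
                             "status": entry["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']} -> {'; '.join(f['reasons'])}")
```

Because the device returns 200 whether or not a session exists, the scanner keys on source address and method rather than status; in practice the same rule set fits a reverse proxy or WAF placed in front of the device, which can also refuse these requests outright.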
For example, making the following direct request dumps the source code of the page that contains the administrator password:
http://IP/html/en/confAccessProt.html

Modbus-related configuration can be dumped by calling the following URL:
http://IP/html/en/confUnvModbus.html

Access modbus devices:
http://IP/html/en/ajax/viewunvmodbus.xml

Similarly, certain POST requests can be used to modify plant configuration data without any authentication.

Issue: Access control is not enforced correctly.

*Sensitive information exposure*

CVE-2016-2298

As noted above, the administrator password is stored in clear text. So anyone can make a request to this page, get the clear-text administrative password for the application, and gain privileged access.

Issue: Password is stored in clear text.

*Hidden/Obscured CMD shell*

CVE-2016-2297

Another interesting feature is the presence of a CMD shell. The Meteocontrol WEB'log management application offers a CMD shell which allows running a restricted set of commands that give host, application and stats data. Like the other functions, it can be accessed directly without any authentication:
http://IP/html/en/xprtCmd.html

Assuming that no one will be able to figure out a technique to exploit this feature is not a great idea.

*No CSRF protection - Vulnerable to CSRF attacks*

There is no CSRF token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as modifying plant data, modifying modbus/inverter/any other PLC devices, changing the administrator password, changing configuration parameters, saving modified configuration, and device reboot.

+++++

ICS-CERT published the Meteocontrol advisory at: http://ift.tt/27hn6EZ

Note that it is not complete and accurate. I have already sent my comments to the ICS-CERT team to correct their report. Hopefully they will update it soon.

+++++

Cheers!
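Added example, not Meteocontrol's code: a minimal request dispatcher in Python that shows, in one place, the server-side controls whose absence the advisory reports. Every page under /html/en/ requires a session (so the direct URL access above is refused with 401), a login with the factory default password ist02 can reach only a password-change page until the password is replaced, the stored password is a salted PBKDF2 digest rather than clear text, and state-changing POSTs must carry the session's CSRF token. The page path /html/en/changePassword, the admin user name, the PBKDF2 parameters and the 12-character minimum length are assumptions for this example.

```python
"""Added example (not Meteocontrol's code): a toy WEB'log-style dispatcher
with the access control, forced default-password change, hashed password
storage and CSRF token check that the advisory reports as missing."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

PROTECTED_PREFIX = "/html/en/"                      # every page here needs a login
PASSWORD_CHANGE_PATH = "/html/en/changePassword"    # assumed page name
FACTORY_DEFAULT_PASSWORD = "ist02"                  # default quoted in the advisory
MIN_PASSWORD_LENGTH = 12                            # assumed policy
PBKDF2_ROUNDS = 200_000                             # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the stored value is salt || digest,
    not the clear-text password the advisory found in confAccessProt.html."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    must_change_password: bool = False


@dataclass
class Request:
    method: str
    path: str
    session_id: Optional[str] = None
    form: Dict[str, str] = field(default_factory=dict)


class Server:
    def __init__(self) -> None:
        # Ships with the factory default, exactly the situation the advisory
        # describes; the dispatcher refuses normal pages until it is changed.
        self._users: Dict[str, bytes] = {"admin": hash_password(FACTORY_DEFAULT_PASSWORD)}
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session id on success, None on a bad user or password."""
        stored = self._users.get(user)
        if stored is None or not verify_password(password, stored):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(
            user=user, must_change_password=(password == FACTORY_DEFAULT_PASSWORD))
        return sid

    def csrf_token(self, sid: str) -> Optional[str]:
        """Token the server embeds in its own forms for this session."""
        sess = self._sessions.get(sid)
        return sess.csrf_token if sess else None

    def change_password(self, sid: str, new_password: str) -> bool:
        """Reject the factory default and short passwords; store only a digest."""
        sess = self._sessions.get(sid)
        if (sess is None or new_password == FACTORY_DEFAULT_PASSWORD
                or len(new_password) < MIN_PASSWORD_LENGTH):
            return False
        self._users[sess.user] = hash_password(new_password)
        sess.must_change_password = False
        return True

    def handle(self, req: Request) -> int:
        """Return the HTTP status the dispatcher would send for this request."""
        if not req.path.startswith(PROTECTED_PREFIX):
            return 404
        sess = self._sessions.get(req.session_id or "")
        if sess is None:
            return 401  # direct URL access without a login is refused
        if sess.must_change_password and req.path != PASSWORD_CHANGE_PATH:
            return 403  # factory password still set: only the change page works
        if req.method == "POST":
            token = req.form.get("csrf_token", "")
            if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
                return 403  # state change without this session's CSRF token
        return 200


if __name__ == "__main__":
    s = Server()
    print(s.handle(Request("GET", "/html/en/confAccessProt.html")))  # 401, no session
    sid = s.login("admin", FACTORY_DEFAULT_PASSWORD)
    print(s.handle(Request("GET", "/html/en/confUnvModbus.html", sid)))  # 403 until changed
```

The CSRF check is the synchronizer-token pattern: the token is generated per session, placed by the server into its own forms, and compared on every POST in constant time, so a request forged from another origin cannot supply it; keying the token per session (rather than per device) also means a leaked token dies with the session.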

