Accuenergy Fixes Authentication Holes

Friday, October 31, 2014 @ 11:10 AM gHale


Accuenergy created a firmware upgrade that mitigates two authentication vulnerabilities within its AXM-NET Ethernet module’s web server. The AXM-NET Ethernet module is an accessory for the Acuvim II, according to a report on ICS-CERT.

Independent researcher Laisvis Lingvevicius, who discovered the remotely exploitable vulnerabilities, tested the firmware upgrade to validate that it resolves them.

AXM-NET Ethernet module v3.04 suffers from the issues.


The authentication bypass vulnerability allows access to the settings on the Ethernet module web server interface without authenticating. The password bypass vulnerability allows an attacker to display passwords using JavaScript. A malicious user could cause a denial of service on the web server by changing the network settings.

Accuenergy is a Canada-based company that also maintains offices in several other countries, including the United States and China.

The affected product, Acuvim II, is a multifunction power metering device. The AXM-NET Ethernet module creates a web page to display data produced by the Acuvim II. According to Accuenergy, Acuvim II deploys in the energy sector. Accuenergy estimates this product sees action primarily in North America and China.

By requesting a specific uniform resource locator (URL) on the web server, a malicious user is able to reach settings without authenticating. The accessible settings are limited to the network settings of the AXM-NET module web server; they do not include the Acuvim II device itself.

CVE-2014-2373 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

The Acuvim II validates web-interface passwords in JavaScript, leaving it open to a JavaScript attack that displays the passwords. Authenticated users can change the network settings of the AXM-NET module web server, but do not have access to the Acuvim II device.

CVE-2014-2374 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit them.



