Janitza Fixes Multiple Vulnerabilities

Tuesday, October 27, 2015 @ 08:10 PM gHale


Janitza created new firmware and new documentation to mitigate vulnerabilities in its UMG power quality measuring products, according to a report on ICS-CERT.

These vulnerabilities, discovered by Mattijs van Ommeren of Applied Risk, are remotely exploitable.

RELATED STORIES
IniNet Fixes Cleartext Vulnerability
IniNet Solutions Fixes SCADA Holes
3S Fixes Null Pointer Exception
3S Fixes Null Pointer Dereference Hole

Janitza reports that the vulnerabilities affect the following products:
• UMG 508
• UMG 509
• UMG 511
• UMG 604
• UMG 605

An unauthenticated attacker can take full control of the device by leveraging the built-in script language. An attacker can adjust system parameters; manipulate measurement values and change the function of the device; and compromise availability, integrity, and confidentiality of the device and dependent systems.

Janitza is a company based in Germany that sells its products through worldwide partners.

The UMG line of devices are energy and power quality measurement products. UMG products see action in the energy sector. Janitza said these products see use primarily in Europe, the Americas, and Asia.

One of the vulnerabilities is weak password protection. By default the UMG device’s web interface remains unprotected. A password can end up configured but it only allows for a short PIN. No controls are in place to prevent PIN guessing, like locking after several invalid attempts.

CVE-2015-3972 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Another hole is weak session token generation. Session tokens end up derived from the 4-digit user PIN in combination with a server-generated challenge. An attacker may be able to crack the user PIN using a sample of session tokens.

CVE-2015-3973 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

There is also a hard-coded password vulnerability. The device exposes an FTP interface protected by an undocumented default password. Once logged in, an attacker is able to upload and download arbitrary files.

CVE-2015-3968 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

As for the privilege escalation vulnerability, there is a remote debug interface on TCP Port 1239. This allows an unauthenticated remote attacker to read and write files and execute JASIC program code.

CVE-2015-3971 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

In the persistent cross site scripting vulnerability, the device does not properly filter user input. Several unauthenticated parts of the web interface are vulnerable to reflected cross-site-scripting (XSS). Some parameters are vulnerable to stored XSS after login.

CVE-2015-3970 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

In the cross-site request forgery, the device’s web interface does not provide protection against web requests originating from other sources than the current user’s authenticated browser session. Therefore, it is possible for an attacker to execute actions on behalf of an authenticated user while connected to an attacker controlled web site during an active session.

CVE-2015-3967 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

In the information disclosure vulnerability, a service running on Port 1234/UDP and Port 1235/UDP exposes netstat-like information, leaking current network connection information.

CVE-2015-3969 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.3.

Exploits that target these vulnerabilities are publicly available. An attacker with low to moderate skills would be able to exploit these vulnerabilities.

Janitza has created new firmware to address these vulnerabilities. Users can click here to download the new firmware.

Users may also download a manual telling how to secure a TCP/IP connection for UMG 604, UMG 605, UMG 508, UMG 509, UMG 511 and UMG 512.



Leave a Reply

You must be logged in to post a comment.