isssource.com
Meteocontrol Clears Vulnerabilities

Thursday, May 12, 2016 @ 04:05 PM gHale

Meteocontrol created a new version to mitigate one authentication and two information exposure vulnerabilities in its WEB’log application, according to a report on ICS-CERT.

These vulnerabilities, discovered by independent researcher Karn Ganeshen, are remotely exploitable.

The following WEB’log products suffer from the vulnerabilities:
• Basic 100 all versions
• Light all versions
• Pro all versions
• Pro Unlimited all versions

Sensitive information can end up accessed, and admin login pages are accessible without being authenticated.

Successful exploitation of these vulnerabilities can allow silent execution of unauthorized actions on the device, such as modifying plant data; modifying Modbus, inverter and other connected devices and their configuration parameters; saving the modified configuration; and rebooting the device.

Meteocontrol is a Germany-based company that maintains offices in several countries around the world, including the U.S., China, Italy, Spain, France, Switzerland, and Israel.

The affected products, WEB’log, are web-based SCADA systems that provide functions to manage energy and power configurations in different connected (energy/industrial) devices. WEB’log sees action across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Meteocontrol said these products see use mainly in Europe with a small percentage in the United States.

All application functionality and configuration pages, including those normally reachable only after administrative login, can be accessed without any authentication.

CVE-2016-2296 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.

In addition, the application has a hidden, obscured command-shell-like feature that allows anyone to run a restricted set of system commands. This shell can be accessed directly without any authentication.

CVE-2016-2297 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.

No cross-site request forgery (CSRF) token is generated per page or per function.

CVE-2016-4504 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.4.

In addition, sensitive information is stored in clear text.

CVE-2016-2298 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit them.

Meteocontrol strongly recommends users install WEB’log behind a firewall and not use it with a direct connection to the Internet. Meteocontrol has produced a new version that fixes the vulnerabilities.
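The three application-level findings above (unauthenticated admin pages, an unauthenticated command shell, and no per-page CSRF token) share one fix pattern: a request guard in front of every administrative handler. The following is an added illustration written for this article, not Meteocontrol's code; the URL paths, the session store and the request shape are assumptions, since the advisory names only the classes of pages affected.

```python
import secrets

# Constructed in-memory session store: session id -> {"user": name, "csrf": unused tokens}
SESSIONS = {}

# Hypothetical paths standing in for the admin, configuration and shell pages the advisory describes
ADMIN_PREFIX = "/admin/"
SHELL_PATH = "/admin/shell"
STATE_CHANGING = {"POST"}


def new_session(user):
    """Create an authenticated session after a successful login (login itself not modelled)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": set()}
    return sid


def issue_csrf_token(sid):
    """Mint a fresh, single-use token each time a page or form is rendered."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["csrf"].add(token)
    return token


def hardened_dispatch(req):
    """Guard for a request dict with keys: method, path, cookie (session id or None), csrf (or None).

    Returns 'allowed' or a 'denied: ...' reason. Only allowed requests should reach page handlers.
    """
    path = req["path"]
    if path == SHELL_PATH:
        # A hidden shell is not a feature to authenticate; it is removed outright.
        return "denied: shell feature disabled"
    if path.startswith(ADMIN_PREFIX):
        sess = SESSIONS.get(req.get("cookie"))
        if sess is None:
            # Closes the missing-authentication finding: no session, no admin page.
            return "denied: authentication required"
        if req["method"] in STATE_CHANGING:
            token = req.get("csrf")
            if token not in sess["csrf"]:
                # Closes the missing-CSRF-token finding for save/reboot style actions.
                return "denied: missing or reused CSRF token"
            sess["csrf"].discard(token)  # single use: a replayed form submission is rejected
    return "allowed"
```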
Copyright © 2019 isssource.com