Most eWON Holes Mitigated

Monday, December 21, 2015 @ 12:12 PM gHale


eWON sa produced updated firmware to mitigate vulnerabilities in its industrial router, according to a report on ICS-CERT.

These vulnerabilities, discovered by independent researcher Karn Ganeshen, are remotely exploitable.

eWON firmware versions prior to 10.1s0 suffer from the issues.


Vulnerabilities between the application server and client browsers can impact the integrity of what the server is presenting, allow for information leakage, and allow for unauthorized and unauthenticated use of the application server.

Sessions are an established communication between a web server or application and a user’s browser. Sessions can carry benefits like retaining information such as browsing history. They can also use keys to establish encryption of communications between the server and the browser. One of the vulnerabilities is in the eWON software function to log off. Despite pressing this button, the client browser keeps the session alive allowing a malicious party to use the same browser session to continue interacting with the device.

Cross-site scripting takes advantage of web servers that return dynamically generated web pages. Cross-site scripting also allows users to post viewable content in order to execute arbitrary HTML and active content, such as JavaScript, ActiveX, and VBScript, on a remote machine browsing the site within the context of a client-server session. This potentially allows the attacker to redirect the web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and plant backdoor programs.

A cross-site request forgery (CSRF) attack may allow the web browser to perform an unwanted action on a trusted site for which the user has authentication. The eWON web server application does not use CSRF tokens anywhere and, therefore, allows any application function to be executed silently.

The server allows direct entry and manipulation of the URL allowing an unauthenticated user to gather information and status of I/O servers through the use of a forged URL.

The server does not encrypt sensitive data like passwords. These are passed in plain text, allowing a malicious party to retrieve them from network traffic. The autocomplete setting of some eWON forms also allows these passwords to be retrieved from the browser. Compromise of the credentials would allow unauthenticated access.

The eWON firmware web server allows the use of the HTTP GET method in place of POST. GET is less secure because the data sent are part of the URL.

eWON sa is a Belgium-based company that maintains offices in several countries around the world, including the United States and Japan.

The affected product, eWON, is an industrial router. According to eWON sa, its routers see action across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems.

The software function to log off retains the session within the browser allowing a malicious party to use the same browser session to continue interacting with the device.

CVE-2015-7924 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

Cross-site request forgery is an exploit that allows potentially malicious commands to pass from a user to the application server. The eWON web application contains a global CSRF vulnerability: there is no anti-CSRF token in use, either per page or per (configuration) function. An attacker can perform actions with the same permissions as the victim user, provided the victim has an active session and is induced to trigger the malicious request.

Successful exploitation may allow the execution of firmware upload, device reboot, or deletion of device configuration.

CVE-2015-7925 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.0.

In another vulnerability, the software allows an unauthenticated user to gather information and status of I/O servers through the use of a forged URL.

CVE-2015-7926 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.9.

Stored cross-site scripting refers to client-side code injection where an attacker can execute malicious script on a web server or application. This malicious script then ends up served to other users of the web server or application who become victims.

CVE-2015-7927 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

In another vulnerability, passwords are passed in plain text, allowing a malicious party to retrieve them from network traffic. The autocomplete setting of some eWON forms also allows these passwords to be retrieved from the browser. Compromise of the credentials would allow unauthenticated access.

CVE-2015-7928 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.3.

The eWON firmware web server allows the use of the HTTP GET method in place of POST. GET is less secure because the data sent are part of the URL.

CVE-2015-7929 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
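The three web-server weaknesses above (a logout that leaves the session usable, no anti-CSRF token, and GET accepted for state-changing functions) are all fixed on the server side. The following is an added example written for this article, not eWON's firmware code; the endpoint names and the in-memory session store are hypothetical, chosen only to show what each check looks like.

```python
import hmac
import secrets

# Hypothetical endpoint names used for this example, not eWON's real paths.
STATE_CHANGING = {"/reboot", "/upload_firmware", "/delete_config"}

class SessionStore:
    """In-memory sessions with server-side logout, per-session anti-CSRF
    token, and no GET for state-changing functions."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, user):
        # Unguessable session id plus a separate secret token bound to it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def logout(self, sid):
        # Drop the server-side record so a browser that still holds the
        # cookie cannot keep using it (the opposite of CVE-2015-7924).
        self._sessions.pop(sid, None)

    def csrf_token(self, sid):
        # The server embeds this in every form it renders for the session.
        return self._sessions[sid]["csrf"]

    def handle(self, method, path, sid, form):
        """Dispatch one request; returns (HTTP status, message)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return 401, "not authenticated"
        if path in STATE_CHANGING:
            if method != "POST":  # a forged link or <img> can only send GET
                return 405, "method not allowed"
            if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
                return 403, "missing or invalid CSRF token"
        return 200, f"{path} accepted for {sess['user']}"

def demo():
    """Exercise the checks; returns the status codes seen, in order."""
    store = SessionStore()
    sid = store.login("admin")
    codes = [store.handle("GET", "/reboot", sid, {})[0],
             store.handle("POST", "/reboot", sid, {})[0],
             store.handle("POST", "/reboot", sid, {"csrf_token": store.csrf_token(sid)})[0]]
    store.logout(sid)
    codes.append(store.handle("GET", "/status", sid, {})[0])
    return codes  # [405, 403, 200, 401]
```

The last call shows the logout fix: once the server forgets the session id, replaying the cookie the browser still holds is refused rather than silently accepted.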

No known public exploits specifically target these vulnerabilities. An attacker with a low skill would be able to exploit these vulnerabilities.

eWON sa mitigated some of the vulnerabilities (weak session management, weak RBAC controls, and, partially, passwords not secured) with its updated firmware. For the vulnerabilities not mitigated by the firmware update, eWON sa recommends using the router in a secure environment.

Click here for more information on the eWON’s mitigation of these vulnerabilities.

Click here for the newest version of their firmware.
