Photovoltaic System Holes Mitigated

Tuesday, November 27, 2012 @ 01:11 PM gHale


Sinapsi has mitigated the four vulnerabilities in its eSolar Light photovoltaic system monitor, according to a report from ICS-CERT.

In addition, the eSolar Light is also sold under other brands and names, and those companies also have the update that contains the mitigation.

Successful exploitation of the remotely exploitable vulnerabilities would allow an attacker to gain unauthorized access, access private information, and execute remote code. The eSolar Light is a monitoring system used in solar power applications. However, Sinapsi also reports that other Sinapsi devices (eSolar, eSolar DUO, eSolar Light) are vulnerable to these same vulnerabilities. These devices see use in the energy sector.

Exploits that target these vulnerabilities, first discovered by independent researchers Roberto Paleari and Ivan Speziale, are publicly available.

The following Sinapsi devices with firmware prior to Version 2.0.2870_xxx_2.2.12 suffer from the issue:
• eSolar
• eSolar DUO
• eSolar Light

Malicious attackers could use the vulnerabilities to exploit the device by gaining unauthorized access to the system, leaking stored information, and remotely executing code on the device. This could result in a loss of availability, integrity, and confidentiality of the affected system. Sinapsi devices primarily see use for control and monitoring of energy systems. Some Sinapsi devices also see use in building automation.

Sinapsi is an Italian-based company that sells devices used for energy monitoring and management as well as building automation applications.

The affected products are Web-based SCADA monitoring and management systems. Sinapsi estimates the main usage is in Italy, but some vendors have marketed the products in the United States and other countries.

The Sinapsi devices store hard-coded passwords in a PHP file on the device. By using these hard-coded passwords, attackers can log into the device with administrative privileges, giving them unauthorized access. CVE-2012-5862 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The Sinapsi devices do not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication within the device, attackers can leak information from the device. This could allow the attacker to compromise confidentiality. CVE-2012-5861 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The Sinapsi devices do not check for special elements in commands sent to the system. By accessing certain pages with administrative privileges that do not require authentication within the device, attackers can execute arbitrary, unexpected, or dangerous commands directly onto the operating system. CVE-2012-5863 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

The Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges. CVE-2012-5864 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.4.
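The four weaknesses above share a common remediation pattern in a device's PHP pages. As an added example that is not Sinapsi's code, this hypothetical request handler shows the hardened form of each; the config path, table and column names, the session flag, and the action list are all assumptions.

```php
<?php
// Added example (not Sinapsi's code): one hardened handler for a hypothetical
// device page, addressing the four weakness classes the advisory lists.
// All names (config path, table, columns, session flag, actions) are assumed.

declare(strict_types=1);
session_start();

// 1. Credentials live in a protected config file outside the web root,
//    never as a literal in PHP source (hard-coded password class, CVE-2012-5862).
$cfg = parse_ini_file('/etc/device/secret.ini');   // assumed path, mode 0600
$db  = new PDO($cfg['dsn'], $cfg['db_user'], $cfg['db_pass'],
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 2. Every page re-checks authentication itself; merely knowing a page's URL
//    must not grant administrative access (missing-auth class, CVE-2012-5864).
if (empty($_SESSION['admin']) || $_SESSION['admin'] !== true) {
    http_response_code(403);
    exit('authentication required');
}

// 3. Untrusted input reaches SQL only through bound parameters, and only
//    after type validation (unvalidated query class, CVE-2012-5861).
$inverterId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
if ($inverterId === false || $inverterId === null) {
    http_response_code(400);
    exit('invalid id');
}
$stmt = $db->prepare('SELECT name, kwh FROM inverters WHERE id = :id');
$stmt->execute([':id' => $inverterId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 4. OS commands are selected from a fixed allow-list, never assembled from
//    request data, so no special elements can reach the shell
//    (command injection class, CVE-2012-5863).
$actions = ['status' => '/usr/bin/uptime', 'reboot' => '/sbin/reboot'];
$action  = $_POST['action'] ?? 'status';
if (!array_key_exists($action, $actions)) {
    http_response_code(400);
    exit('unknown action');
}
// Values in $actions are constants; if an argument were ever needed it would
// be validated against a strict pattern and wrapped with escapeshellarg().
$output = shell_exec($actions[$action]);

header('Content-Type: application/json');
echo json_encode(['inverter' => $row, 'result' => $output]);
```

Each check stands on its own: removing the session check or the parameter binding reintroduces the corresponding weakness class regardless of the others.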

Sinapsi developed a new firmware version 2.0.2870_2.2.12 that mitigates these vulnerabilities.

Sinapsi released the new firmware directly to the devices. Users will be able to manually download the firmware on their device by using the Firmware Update function in the System Menu in the device’s Web interface. Sinapsi has also posted a security newsletter to its public Web site.

Other affected vendors have been notified by Sinapsi and ICS-CERT, but the availability of new firmware upgrades from them is unknown to ICS-CERT at this time.
