Tollgrade Fixes SmartGrid System Holes
Wednesday, February 10, 2016 @ 09:02 AM gHale
Tollgrade Communications, Inc. created an update to mitigate vulnerabilities in its SmartGrid LightHouse Sensor Management System (SMS) Software EMS, according to a report with ICS-CERT.
Maxim Rupp, who found the issues, tested the update to validate it resolves the remotely exploitable vulnerabilities.
The following LightHouse SMS Software versions suffer from the issues:
• Version 4.1.0 Build 16, and
• Versions older than Version 5.1
Rupp uncovered four vulnerabilities:
1. Cross-site Scripting
2. Disclosure of Information
3. Cross-site Request Forgery (CSRF)
4. Insecure Credentials
A CSRF attack may allow the web browser to perform an unwanted action on a trusted site for which the user has authentication. The SMS Software web server application does not use CSRF tokens anywhere and, therefore, allows any application function to silently execute. This includes the ability to create new users or change passwords.
The SMS Software discloses to unauthenticated users access to sensitive files like reports and usernames (in the files).
An authenticated user with limited privileges can change the password of another user, and thus obtain access to his or her account.
Tollgrade Communications, Inc. is a United States-based company that maintains offices in the United Kingdom and Germany.
The affected product, LightHouse SMS Software, is a web-based distribution monitoring system. LightHouse SMS Software sees use in the energy Sector. Tollgrade Communications said the product sees action primarily in North America, Europe, and South America.
The affected versions of the LightHouse SMS Software are missing protections from CSRF, allowing a malicious party to execute commands on an authenticated active connection without the user being aware.
CVE-2016-0863b is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
Unauthenticated parties may access the devices with affected software and obtain sensitive information including reports and usernames.
CVE-2016-0864 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
An authenticated user with limited privileges can change the password of another user on affected software, and thus obtain access to his or her account.
CVE-2016-0865 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
The affected software allows for manipulation of the dynamic URLs used by the web server, allowing a malicious party to control the web server to redirect web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and/or plant backdoor programs.
CVE-2016-0866 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
No known public exploits specifically target these vulnerabilities. Crafting a working exploit for these vulnerabilities would be moderately difficult. Social engineering would be mandatory to convince the user to click on or open their browser to a malicious URL.
Tollgrade Communications released updated software which resolves these vulnerabilities.
Click here for the software update.