Tollgrade Fixes SmartGrid System Holes

Wednesday, February 10, 2016 @ 09:02 AM gHale


Tollgrade Communications, Inc. created an update to mitigate vulnerabilities in its SmartGrid LightHouse Sensor Management System (SMS) Software EMS, according to an ICS-CERT report.

Maxim Rupp, who found the issues, tested the update to validate that it resolves the remotely exploitable vulnerabilities.


The following LightHouse SMS Software versions suffer from the issues:
• Version 4.1.0 Build 16, and
• Versions older than Version 5.1

Rupp uncovered four vulnerabilities:
1. Cross-site Scripting
2. Disclosure of Information
3. Cross-site Request Forgery (CSRF)
4. Insecure Credentials

Cross-site scripting presents one entry point for attackers to access and manipulate control systems networks. It takes advantage of web servers that return dynamically generated web pages or allow users to post viewable content, and uses them to execute arbitrary HTML and active content, such as JavaScript, ActiveX, and VBScript, on a remote machine browsing the site within the context of a client-server session. This potentially allows the attacker to redirect the web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and plant backdoor programs.

A CSRF attack may cause the web browser to perform an unwanted action on a trusted site where the user is authenticated. The SMS Software web server application does not use CSRF tokens anywhere and, therefore, allows any application function to silently execute. This includes the ability to create new users or change passwords.

The SMS Software lets unauthenticated users access sensitive files such as reports, along with the usernames those files contain.

An authenticated user with limited privileges can change the password of another user, and thus obtain access to his or her account.
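As an added illustration (not Tollgrade's code or the fix it shipped), this sketch shows the two server-side checks whose absence the CSRF and password-change issues above describe: a per-session token on every state-changing request, and an ownership check on the target account. The handler, session fields, and role names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; the server embeds it in each form it renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; stored as salt || digest."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def change_password(session: dict, form: dict, users: dict) -> tuple[int, str]:
    """Hypothetical handler for a state-changing request; returns (status, reason)."""
    # CSRF check: a forged cross-site request rides on the victim's cookie but
    # cannot read the token out of the legitimate page, so it is rejected here.
    expected = issue_csrf_token(session["id"]).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"

    # Authorization check: a limited user may change only their own password.
    target = form.get("username", "")
    if target != session["user"] and session["role"] != "admin":
        return 403, "not allowed to change another user's password"
    if target not in users:
        return 404, "no such user"

    users[target] = hash_password(form.get("new_password", ""))
    return 200, "password changed"
```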

Tollgrade Communications, Inc. is a United States-based company that maintains offices in the United Kingdom and Germany.

The affected product, LightHouse SMS Software, is a web-based distribution monitoring system. LightHouse SMS Software sees use in the energy sector. Tollgrade Communications said the product sees action primarily in North America, Europe, and South America.

The affected versions of the LightHouse SMS Software are missing protections from CSRF, allowing a malicious party to execute commands on an authenticated active connection without the user being aware.

CVE-2016-0863 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

Unauthenticated parties may access the devices with affected software and obtain sensitive information including reports and usernames.

CVE-2016-0864 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

An authenticated user with limited privileges can change the password of another user on affected software, and thus obtain access to his or her account.

CVE-2016-0865 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

The affected software allows for manipulation of the dynamic URLs used by the web server, allowing a malicious party to control the web server to redirect the web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and/or plant backdoor programs.

CVE-2016-0866 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

No known public exploits specifically target these vulnerabilities. Crafting a working exploit for these vulnerabilities would be moderately difficult. Social engineering would be mandatory to convince the user to click on or open their browser to a malicious URL.

Tollgrade Communications released updated software which resolves these vulnerabilities.

Click here for the software update.


