Vulnerabilities with Prisma Web

Friday, August 14, 2015 @ 01:08 PM gHale

There is a cross-site request forgery (CSRF) vulnerability and an insufficiently protected credentials vulnerability, both with proof-of-concept (PoC) exploit code, affecting Prisma web products, according to a report on ICS-CERT.

A request can be used to update the configuration of the device, according to the report. The report was released before coordination with the vendor and ICS-CERT could be completed.

ICS-CERT notified the affected vendor and has asked it to confirm the vulnerability and identify mitigations. ICS-CERT issued the alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other attacks.

The report included vulnerability details and PoC exploit code for the following vulnerabilities:

Both vulnerabilities are remotely exploitable: the CSRF, which could change the configuration of the device, and the insufficiently protected password, which could lead to possible remote code execution.

Aditya K. Sood discovered the vulnerabilities and presented them at DefCon 2015 in Las Vegas. He reported that the passwords for Prisma products are present on the web page available to remote users. He also reported that a specific request could allow a remote unauthenticated attacker to update the configuration of the device.

He reported these vulnerabilities to ICS-CERT a few days before his presentation, and ICS-CERT was unable to notify the vendor of the issue in time to correct it. ICS-CERT will work with Prisma to address this issue and will notify users when a patch or other mitigating solution becomes available.