
Flaws Found in Accuenergy, Ecava ICS Products

ICS-CERT has published advisories detailing several vulnerabilities in ICS products from Accuenergy, Ecava and Sierra Wireless, including issues that have been rated “high severity.”

Security researcher Maxim Rupp has been credited for reporting two serious flaws in Accuenergy’s Acuvim power meters, which are primarily used in the energy sector in North America and China.

The expert discovered that Acuvim II and Acuvim IIR devices running version 3.08 of the firmware are affected by an authentication bypass issue (CVE-2016-2293) that allows an attacker to access the device’s settings simply by knowing a specific URL on the web server.

Another security issue found in these Accuenergy devices is related to the storage of mail server credentials in plain text in an unprotected file (CVE-2016-2294).

According to ICS-CERT, the vendor has not released firmware updates to patch these vulnerabilities, but it did publish a document describing steps that can be taken by customers to protect power meters from external access.

Rupp has also been credited for discovering a medium severity information disclosure vulnerability (CVE-2016-6479) in Sierra Wireless’ ACEmanager, a product that provides a graphical user interface for configuring the company’s AirLink gateways. The product is used in various sectors in North America and Europe.

The vulnerability affects Sierra Wireless AirLink LS300, GX400, GX440, GX450, ES440 and ES450 products running version 4.4.2 and earlier of the ALEOS platform. The flaw has been patched with the release of a new version.

Rupp told SecurityWeek that he informed Accuenergy of the vulnerabilities in early January, and Sierra Wireless in June 2015. The expert was previously credited for finding security holes in XZERES wind turbines, Tollgrade’s LightHouse SMS power distribution monitoring product, Honeywell’s Tuxedo Touch automation controllers and Midas gas detectors, Chiyu Technology fingerprint access controllers, and an ICONICS web-based HMI.

ICS-CERT has also published an advisory describing several vulnerabilities in Ecava IntegraXor, a web-based HMI/SCADA product used in various industries across the world.

Steven Seeley of Source Incite and independent researcher Marcus Richerson have been credited for responsibly disclosing the issues.

The most serious of the flaws, with a CVSS score of 9.8, is related to the fact that the IntegraXor web server transmits sensitive information without encrypting it (CVE-2016-2306). Another high severity issue is a SQL injection flaw (CVE-2016-2299) that can be exploited by a remote attacker to execute arbitrary SQL queries. The lack of HTTPOnly flags on session cookies (CVE-2016-2304), which could allow an attacker to steal cookies and use them to log in as an administrator, has also been classified as a high severity issue.
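As an added example (not from the advisory, the vendor or the researchers), the following defender-side check audits a web server's `Set-Cookie` headers for the two weaknesses described above: session cookies without the HttpOnly flag and session cookies exposed over unencrypted transport. The sample headers, the cookie names, the `SESSION_HINTS` heuristic and the function names are assumptions made for illustration.

```python
# Constructed sample response headers; not captured from any real product.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=8f2c1e; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; HttpOnly"),
    ("Set-Cookie", "auth=abc123; Path=/; Secure; httponly; SameSite=Strict"),
]

# Assumed heuristic: substrings that mark a cookie as session-bearing.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one header value.

    Each Set-Cookie header is handled on its own, so commas inside an
    Expires date are never mistaken for a cookie separator.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers, scheme):
    """List (cookie name, issues) for session-like cookies with weak settings.

    `scheme` is the scheme of the URL that produced the response
    ("http" or "https").
    """
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # only session-bearing cookies are in scope
        issues = []
        if "httponly" not in attrs:  # attribute names are case-insensitive
            issues.append("missing HttpOnly")
        if "secure" not in attrs:
            issues.append("missing Secure")
        if scheme != "https":
            issues.append("set over unencrypted transport")
        if issues:
            findings.append((name, issues))
    return findings
```
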

Several medium severity vulnerabilities have also been identified by Richerson and Seeley, including cross-site scripting (XSS), improper neutralization of special elements in HTTP headers, SQL injection, improper authorization on sensitive pages, and information disclosure flaws.

Ecava patched most of these vulnerabilities and made some security improvements with the release of IntegraXor version 5.0 build 4522. All previous versions are affected.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
