Meteocontrol Patches Flaws in Photovoltaic Data Logger

Meteocontrol, a Germany-based company that specializes in solar performance monitoring solutions, has released an update for one of its data logging products to address several remotely exploitable vulnerabilities.

Security researcher Karn Ganeshen discovered that Meteocontrol’s WEB’log product, which allows organizations to centrally record data for their photovoltaic systems, is plagued by critical authentication and information exposure flaws. The issues were reported to the vendor through ICS-CERT in December 2015.

The vulnerable SCADA system is used in Europe and, in a small percentage of cases, in the United States, in the energy, water, critical manufacturing and commercial facilities sectors.

Ganeshen discovered that the WEB’log administration interface does not enforce access control, so any webpage is directly accessible through its URL (CVE-2016-2296). The researcher also found a default login password, and that the administrator password is stored in clear text and can be easily obtained (CVE-2016-2298).

Ganeshen also identified a command shell-like feature that allows anyone to execute system commands without authentication (CVE-2016-2297). While the vendor noted that the feature cannot be used to run critical system commands, the expert believes it introduces unnecessary risks.

In a blog post published on Saturday, the researcher revealed the existence of a cross-site request forgery (CSRF) flaw that can be exploited to perform actions on behalf of the user.

“Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as modifying plant data, modifying modbus/inverter/any other PLC devices, changing Administrator password, changing configuration parameters, saving modified configuration, & device reboot,” Ganeshen said.

This vulnerability was reported to ICS-CERT at a later time so it might not have been patched.

According to an advisory published by ICS-CERT, the vulnerabilities affect all versions of WEB’log Basic 100, Light, Pro and Pro Unlimited. Meteocontrol has released a new version to address the issues.

The flaws can be exploited remotely even by an attacker with low skill. However, the vendor noted that its product should be installed behind a firewall and not directly connected to the Internet.

“There is no security. It is a free play, as you would have noticed,” Ganeshen said. “And the risk is high. Due to access control issues, above described vulnerabilities can be remotely exploited easily, at a mass scale, in an automated manner. At this point, it is easy to write a script that will POST (write) arbitrary configuration parameters to WEB’log applications, and reboot the devices, at a mass scale.”

Meteocontrol is not the only company whose ICS products have been analyzed by Ganeshen. In the past months, the researcher reported vulnerabilities to WAGO, Schneider Electric, Moxa, GE Industrial Solutions, XZERES, Nordex and eWON.

*Updated with additional information from Karn Ganeshen

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.