An industrial energy management system made by Delta Electronics is affected by several vulnerabilities whose exploitation could have serious consequences in a real world environment, according to the researcher who discovered the flaws.
The existence of the vulnerabilities affecting Delta’s DIAEnergie product was disclosed last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the researcher who identified them, Michael Heinzl.
The security holes were reported to the vendor, through CISA, in April, but they have yet to be patched. CISA says patches are expected to become available on September 15. In the meantime, organizations using the affected product have been advised to implement mitigations to reduce the risk of exploitation.
Heinzl told SecurityWeek that the eight DIAEnergie vulnerabilities disclosed last week are just some of the issues he reported to the vendor. The remaining flaws will be disclosed at a later date.
Four of the eight vulnerabilities have been rated “critical” and described as blind SQL injection bugs that can be exploited by remote, unauthenticated attackers to execute arbitrary code.
“Critical” severity ratings have also been assigned to a vulnerability that can be exploited to add new admin users and gain access to the device, and a flaw that can be leveraged for unrestricted file uploads and possibly remote code execution.
The remaining two issues have been described as medium-severity flaws that can be exploited to obtain a password in clear text and to launch cross-site request forgery (CSRF) attacks.
The affected services are exposed to the network, which means the vulnerabilities can be exploited remotely, the researcher said. In some cases, exploitation from the internet might also be possible, depending on how the user’s network and infrastructure are configured.
“There are multiple ways how the vulnerabilities could be chained together,” Heinzl told SecurityWeek. “A malicious actor has multiple venues to achieve a complete compromise of both the DIAEnergie application itself, as well as the underlying system on which the application is deployed on.”
He added, “Examples include multiple SQL injections, which would allow an attacker to execute system commands or to retrieve credentials (stored as MD5 hashes, therefore trivial to crack) from the database, an arbitrary file upload vulnerability which also allows the execution of system commands, and others. Due to another issue related to authentication and authorization, it’s possible to exploit all of these and similar privileged actions without any prior authentication.”
DIAEnergie is an industrial energy management system (IEMS) designed to help companies visualize and improve electric and power systems, particularly high-consumption equipment. The product can be used for remote maintenance and it can be integrated with various industrial control systems (ICS) and data sinks, including power meters, programmable logic controllers (PLCs) and other Modbus devices.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
In its advisory, CISA says the product is used worldwide. Marketing materials provided by the vendor show that the product is used by various types of organizations, including a semiconductor factory, a bearing manufacturer, and a footwear company.
“The consequences of a malicious actor’s actions could be dire for affected customers — falsifying monitoring data, suppressing alarms, using the system as the initial foothold in the network infrastructure for further pivoting, or simply ‘ransomwaring’ the deployment as has become so prevalent over the last five years or so,” Heinzl explained.
SecurityWeek has reached out to the vendor for comment, but the company has yet to respond.
CISA last week also published a separate advisory describing a high-severity remote code execution vulnerability affecting Delta’s DOPSoft HMI design software. Exploitation of this flaw involves getting the targeted user to open a specially crafted file.
The vulnerability was reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI) by an anonymous researcher. ZDI over the past few months has published several advisories with a “0Day” status for Delta vulnerabilities — a “0Day” status indicates that the bugs have not been patched.
Related: Analysis of ICS Exploits Can Help Defenders Prioritize Vulnerability Remediation
Related: Industrial Firms Warned of Risk Posed by Cloud-Based ICS Management Systems